Moving the agent's socket to /var/run ?
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Fri Jun 17 22:49:50 CEST 2016
One more wrinkle that i'm finding related to this setup -- what to do
about overlong socket paths?
This is a problem inherent in using the --standard-socket when GNUPGHOME
is large on systems that have an upper-bound on socket names. But /run
might offer a fix. I'm wondering whether it would make sense to use
/run automatically on systems where /run/$UID/ is available and the
standard-socket is prohibited by length (not just by filesystem type).
On many systems, the name of unix-domain sockets has a formal limit,
which is 108 bytes on linux:
------
/* unix-domain-socket-length.c */
#include <stdio.h>
#include <sys/socket.h>
#include <sys/un.h>

int main()
{
  struct sockaddr_un unix_addr;
  return printf ("maximum length of unix-domain socket: %zu bytes\n",
                 sizeof(unix_addr.sun_path));
}
------
0 dkg@alice:~/src/test$ gcc -o unix-domain-socket-length unix-domain-socket-length.c --pedantic -Wall
0 dkg@alice:~/src/test$ ./unix-domain-socket-length
maximum length of unix-domain socket: 108 bytes
48 dkg@alice:~/src/test$
This means that it's not possible to open the standard socket in
directories that are too long.
fwiw, this isn't idle speculation. I work on monkeysphere in
/home/dkg/src/monkeysphere/monkeysphere, which is 39 characters in
length. the standard test suite operates in a tmpdir templated from the
cwd as tmp/monkeyspheretest.XXXXXX (another 32 characters), and in the
test suite tmpdir, there is a GNUPGHOME dir named authentication/sphere
(another 21 characters). that's 92 characters already, and the 13 more
of S.gnupg-agent itself alongside the trailing NUL and a few /
characters pushes it over the limit.
I'm avoiding this in monkeysphere right now by shortening the length of
the tmpdir path and making sure i don't personally build it any deeper
in the fs hierarchy than i have to.
But it seems like it would be nice to get this to happen automatically,
no?
If it's possible to detect that a given path is too long for the
underlying operating system to create a socket, why not automatically
cut over to the shorter path in /run ? gpg-agent could auto-create the
directory upon launch if it finds it can't auto-create the typical
standard socket. it could auto-remove the directory when it terminates
cleanly as well.
--dkg
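
The length check and automatic cut-over proposed in the message above, as an added example that is not part of the original message and is not GnuPG code. The function names, the sample paths and the fallback layout `run_base/uid` (modelled on the `/run/$UID/` mentioned in the message) are assumptions.

```c
/* Added example: choose an agent socket path that fits in sun_path. */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

#define AGENT_SOCKET "S.gnupg-agent"
#define SUN_PATH_MAX sizeof(((struct sockaddr_un *)0)->sun_path)

/* Constructed sample: a deeply nested GNUPGHOME (137 bytes). */
static const char DEEP_HOME[] =
    "/home/user/src/monkeysphere/monkeysphere"
    "/tmp/monkeyspheretest.XXXXXX-long-template"
    "/authentication/sphere/with/extra/depth/to/exceed/limit";

/* True if a directory of dir_len bytes can hold the socket:
   directory + '/' + socket name + trailing NUL must fit in sun_path. */
int dir_len_fits(size_t dir_len)
{
    return dir_len + 1 + strlen(AGENT_SOCKET) + 1 <= SUN_PATH_MAX;
}

/* Return the standard socket path under homedir or, when that is too
   long, the path under run_base/uid (hypothetical fallback layout).
   Returns NULL if neither fits. The result is a static buffer. */
const char *agent_socket_path(const char *homedir, const char *run_base,
                              unsigned long uid)
{
    static char path[SUN_PATH_MAX];
    char fallback[64];
    int n;

    if (dir_len_fits(strlen(homedir))) {
        snprintf(path, sizeof(path), "%s/%s", homedir, AGENT_SOCKET);
        return path;
    }
    n = snprintf(fallback, sizeof(fallback), "%s/%lu", run_base, uid);
    if (n < 0 || (size_t)n >= sizeof(fallback) || !dir_len_fits((size_t)n))
        return NULL;
    /* A real agent would create this directory with mode 0700 and check
       that it is owned by uid before binding a socket inside it. */
    snprintf(path, sizeof(path), "%s/%s", fallback, AGENT_SOCKET);
    return path;
}

int main(void)
{
    printf("%s\n", agent_socket_path("/home/user/.gnupg", "/run", 1000));
    printf("%s\n", agent_socket_path(DEEP_HOME, "/run", 1000));
    return 0;
}
```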
More information about the Gnupg-devel
mailing list