Fw: GnuPG - Encryption process issues.
Carlos Alberto Moreno Torres
cmorenot at mx1.ibm.com
Tue May 31 17:57:14 CEST 2016
Dear Daniel Kahn Gillmor,
Please find below the information/evidence requested, provided by our Unix
Team Specialist. Your input is very important to us, since it will help
to find the specific Root Cause. If you require additional details, please
do not hesitate to ask.
Thanks in advance.
@ Thanks Ankit for your detailed response.
Carlos A. Moreno Torres
Problem Management | CEMEX
Global Technology Services | IBM Corporation
Office: (+52-81) 8328-5251
E-mail: cmorenot at mx1.ibm.com
IBM @ CEMEX Collaboration HUB: ibm.biz/Bdx93b
IBM, Av. Constitución No. 444 Pte., Monterrey, NL 64000, México
From: Ankit Bhardwaj5/India/IBM
To: Carlos Alberto Moreno Torres/Mexico/Contr/IBM at IBMMX
Cc: Ajay B Challa/India/IBM at IBMIN, Ivan Fernando Montes de Oca
Tavera/Mexico/Contr/IBM at IBMMX, "Juan Carlos Garcia"
<juancarlos.garcia at ext.cemex.com>, Samuel Ramos
Javier/Mexico/IBM at IBMMX, "Samuel Mizrain Ramos Javier"
<samuelmizrain.ramos at ext.cemex.com>, Srinivas
Masetty/India/IBM at IBMIN
Date: 05/31/2016 10:46 AM
Subject: Re: Fw: GnuPG - Encryption process issues.
Hello Carlos
Please share the information below with the GPG team. I think by seeing the
results of the tests performed by us on the system they will be able to give
us the solution.
We have tested the things below in the environment:
-> User details used in this test
root
ehpadm
Permissions under user "root"
-> Directory Permission of root
drwx------ 2 root sapsys 4096 May 31 09:39 /home/root/.gnupg
-> Files Under /home/root/.gnupg
-rw------- 1 root sapsys 1280 Sep 13 2011 trustdb.gpg
-rw------- 1 root sapsys 4805 Sep 13 2011 secring.gpg
-r-------- 1 root sapsys 9088 Sep 13 2011 gpg.conf
-rw------- 1 root sapsys 7438 May 21 2013 pubring.gpg~
-rw------- 1 root sapsys 8557 Nov 8 2013 pubring.gpg
-rw------- 1 root sapsys 11 Apr 28 08:44 .#lk200104a8.mxoccsapehpn2.8716480
-rw------- 1 root sapsys 11 Apr 28 08:53 .#lk2000c2c8.mxoccsapehpn2.11141460
-rw------- 1 root sapsys 11 Apr 28 12:00 .#lk200104b8.mxoccsapehpn2.8978598
-rw------- 1 root sapsys 11 Apr 29 08:57 .#lk2000c2c8.mxoccsapehpn2.12911042
-rw------- 1 root sapsys 11 May 2 11:32 .#lk200104b8.mxoccsapehpn2.10748294
-rw------- 1 root sapsys 11 May 2 19:34 .#lk200104b8.mxoccsapehpn2.7471568
-rw------- 1 root sapsys 11 May 2 22:23 .#lk2000c328.mxoccsapehpn2.12058746
-rw------- 1 root sapsys 11 May 2 23:46 .#lk200104b8.mxoccsapehpn2.6750230
-rw------- 1 root sapsys 11 May 3 10:28 .#lk200104b8.mxoccsapehpn2.14221392
-rw------- 1 root sapsys 11 May 3 13:45 .#lk200104b8.mxoccsapehpn2.9240874
-rw------- 1 root sapsys 600 May 31 09:39 random_seed
-> Permissions under user "ehpadm"
drwx------ 2 ehpadm sapsys 4096 May 31 09:48 /home/ehpadm/.gnupg
-> Files Under /home/ehpadm/.gnupg
-rw------- 1 ehpadm sapsys 1200 May 3 21:54 trustdb.gpg
-rw------- 1 ehpadm sapsys 7438 May 3 21:54 pubring.gpg~
-rw------- 1 ehpadm sapsys 8557 May 3 21:54 pubring.gpg
-rw------- 1 ehpadm sapsys 4805 May 3 21:54 secring.gpg
-rw------- 1 ehpadm sapsys 11 May 3 22:03 .#lk200104b8.mxoccsapehpn2.6488076
-rw------- 1 ehpadm sapsys 9029 May 4 11:18 gpg.conf
-rw------- 1 ehpadm sapsys 11 May 4 13:43 .#lk2000c328.mxoccsapehpn2.6160766
-rw------- 1 ehpadm sapsys 11 May 4 13:55 .#lk2000c328.mxoccsapehpn2.8913004
-rw------- 1 ehpadm sapsys 11 May 4 15:55 .#lk2000c328.mxoccsapehpn2.12976528
-rw------- 1 ehpadm sapsys 11 May 4 17:58 .#lk2000c328.mxoccsapehpn2.10158578
-rw------- 1 ehpadm sapsys 11 May 4 18:06 .#lk2000c328.mxoccsapehpn2.5308674
-rw------- 1 ehpadm sapsys 0 May 31 10:00 random_seed
#### Test 1 ##### -------Failed Test
-> Created file named "testehpadm" in ehpadm home directory
-rw-r--r-- 1 ehpadm sapsys 6 May 31 10:06 /home/ehpadm/testehpadm
-> Invoke GPG program using the command below
/opt/freeware/gnupg/bin/gpg -v -u cxcxmxmt-py -se --armor --output /home/ehpadm/testehpadm.pgp -r HSBCnet******2020-07-20 --trust-model always /home/ehpadm/testehpadm
-> Output of command
gpg: using subkey B6BC9FE5 instead of primary key D8F5ECAE
gpg: No trust check due to `--trust-model always' option
gpg: writing to `/home/ehpadm/testehpadm.pgp'
-> The command is not exiting; we have to forcefully kill the command every
time, and the file generated by PGP is zero bytes
-rw-r--r-- 1 ehpadm sapsys 0 May 31 10:06 /home/ehpadm/testehpadm.pgp
#### Test 2 ##### --------Successful Test
-> Created file named "testroot" in root home directory
-rw-r--r-- 1 root system 7 May 31 10:11 /home/root/testroot
-> Invoke GPG program using the command below
/opt/freeware/gnupg/bin/gpg -v -u cxcxmxmt-py -se --armor --output /home/root/testroot.pgp -r HSBCnet******2020-07-20 --trust-model always /home/root/testroot
-> Output of command
gpg: using subkey B6BC9FE5 instead of primary key D8F5ECAE
gpg: No trust check due to `--trust-model always' option
gpg: writing to `/home/root/testroot.pgp'
gpg: RSA/AES256 encrypted for: "B6BC9FE5 HSBCnet******2020-07-20"
gpg: RSA/SHA1 signature from: "5FBFB2DF cxcxmxmt-py (exp:2026-07-22)"
Test completed successfully with no errors
-rw-r--r-- 1 root system 1649 May 31 10:12 /home/root/testroot.pgp
#### Test 3 ##### ---------Test is successful but giving some error
-> Created file named "testehpadm" in ehpadm home directory
-rw-r--r-- 1 ehpadm sapsys 6 May 31 10:06 /home/ehpadm/testehpadm
-> Changed the owner of the "random_seed" file to root so that ehpadm cannot
write to the random_seed file
-rw------- 1 root system 0 May 31 10:00 /home/ehpadm/.gnupg/random_seed
-> Invoke GPG program using the command below
/opt/freeware/gnupg/bin/gpg -v -u cxcxmxmt-py -se --armor --output /home/ehpadm/testehpadm.pgp -r HSBCnet******2020-07-20 --trust-model always /home/ehpadm/testehpadm
-> Output of command
gpg: using subkey B6BC9FE5 instead of primary key D8F5ECAE
gpg: No trust check due to `--trust-model always' option
File `/home/ehpadm/testehpadm.pgp' exists. Overwrite? (y/N) y
gpg: writing to `/home/ehpadm/testehpadm.pgp'
gpg: can't open `/home/ehpadm/.gnupg/random_seed': Permission denied
gpg: RSA/AES256 encrypted for: "B6BC9FE5 HSBCnet******2020-07-20"
gpg: RSA/SHA1 signature from: "5FBFB2DF cxcxmxmt-py (exp:2026-07-22)"
gpg: note: random_seed file not updated
-> The command is exiting successfully, but the errors below are coming
gpg: can't open `/home/ehpadm/.gnupg/random_seed': Permission denied
gpg: note: random_seed file not updated
Encrypted file is generated
-rw-r--r-- 1 ehpadm sapsys 1654 May 31 10:25 /home/ehpadm/testehpadm.pgp
So when we have the original random_seed file in the home directory of the
ehpadm user, the gpg encryption program is not working, and when we change
the owner of this file and make root the owner, gpg is bypassing this file
and it generates the encrypted file with the error below, as in TEST 3
gpg: can't open `/home/ehpadm/.gnupg/random_seed': Permission denied
gpg: note: random_seed file not updated
Regards,
ANKIT BHARDWAJ
SME - AIX
Mobile: 91-9000-146341 IBM
E-mail: ankit.bhardwaj3 at in.ibm.com
From: Carlos Alberto Moreno Torres/Mexico/Contr/IBM
To: Ankit Bhardwaj5/India/IBM at IBMIN
Cc: "Juan Carlos Garcia" <juancarlos.garcia at ext.cemex.com>,
Srinivas Masetty/India/IBM at IBMIN, Ajay B
Challa/India/IBM at IBMIN, Samuel Ramos Javier/Mexico/IBM at IBMMX,
"Samuel Mizrain Ramos Javier"
<samuelmizrain.ramos at ext.cemex.com>, Ivan Fernando Montes de
Oca Tavera/Mexico/Contr/IBM at IBMMX
Date: 05/31/2016 07:11 PM
Subject: Fw: GnuPG - Encryption process issues.
Hi Ankit,
Please confirm whether the information provided by the GnuPG Support Team
leads us to a specific Root Cause or whether more details are required, since
the issue can occur again, generating another RCA with higher visibility.
Thanks in advance.
Carlos A. Moreno Torres
----- Forwarded by Carlos Alberto Moreno Torres/Mexico/Contr/IBM on
05/31/2016 08:36 AM -----
From: Carlos Alberto Moreno Torres/Mexico/Contr/IBM
To: "Juan Carlos Garcia" <juancarlos.garcia at ext.cemex.com>, Juan
Carlos Garcia Dominguez/Mexico/Contr/IBM at IBMMX, Ankit
Bhardwaj5/India/IBM at IBMIN
Cc: Samuel Ramos Javier/Mexico/IBM at IBMMX, "Samuel Mizrain Ramos
Javier" <samuelmizrain.ramos at ext.cemex.com>, Ivan Fernando
Montes de Oca Tavera/Mexico/Contr/IBM at IBMMX
Date: 05/27/2016 03:05 PM
Subject: Fw: GnuPG - Encryption process issues.
FYI
Carlos A. Moreno Torres
----- Forwarded by Carlos Alberto Moreno Torres/Mexico/Contr/IBM on
05/27/2016 03:04 PM -----
From: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
To: Carlos Alberto Moreno Torres/Mexico/Contr/IBM at IBMMX,
gnupg-users at gnupg.org
Date: 05/27/2016 10:32 AM
Subject: Re: GnuPG - Encryption process issues.
On Tue 2016-05-24 16:09:21 -0400, Carlos Alberto Moreno Torres wrote:
> In recent days, Human Resources Department had some issues while using the
> Encryption Program GnuPG in payroll activities, this issue caused a delay
> since files were encrypted but information was in blank (like if
> encryption process did not finish.)
>
> As part of remediation process, we found out that it could only work with
> Root Permissions but not with the current user. We want to confirm how
> the encryption process works and if you can share any thoughts of what
> could happen. If you require more information, please do not hesitate
> to ask me.
It sounds to me like the installation of gnupg that you are using is
misconfigured. GnuPG depends heavily on a "keyring" -- a collection of
public key material (and sometimes private key material, if decryption
or signing is needed), which it maintains in the .gnupg directory within
the running user's home directory (found by the environment variable
$HOME).
If you've started with a normal user account, but have then run gnupg as
root (e.g. using "su") without resetting $HOME to root's actual homedir
(usually /root on the systems i use), then it's possible that you've
created ~/.gnupg with the wrong permissions.
Or, it's possible that the .gnupg directory is *only* available within
root's homedir.
Does your non-privileged user have a ~/.gnupg directory? if so, does it
have read and write access to it?
What error messages do you get from invoking gpg directly?
--dkg
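
The checks asked for above, together with the conditions visible in the directory listings earlier in this thread (ownership and mode of ~/.gnupg, an empty random_seed, leftover .#lk* lock files), written as one shell function. This is an added example, not part of any message in the thread; the name audit_gnupg_home is hypothetical, and its findings are items to review, not a confirmed root cause.

```shell
#!/bin/sh
# Added example (not from the thread): audit a GnuPG home directory.
# Prints one line per finding; returns 0 when clean, 1 otherwise.
# Run it as the account that invokes gpg (ehpadm in the thread).
audit_gnupg_home() {
    dir=${1:-$HOME/.gnupg}
    me=$(id -u)
    findings=0
    flag() { echo "FINDING: $*"; findings=$((findings + 1)); }

    [ -d "$dir" ] || { echo "FINDING: $dir does not exist"; return 1; }

    # The directory and every entry must belong to the invoking uid and
    # carry no group/other permission bits.
    for f in "$dir" "$dir"/* "$dir"/.[!.]*; do
        [ -e "$f" ] || continue                 # unmatched glob pattern
        set -- $(ls -ldn "$f" | awk '{print $1, $3}')   # mode string, numeric owner
        [ "$2" = "$me" ] || flag "$f is owned by uid $2, not uid $me"
        case $1 in
            ????------*) ;;
            *) flag "$f is accessible to group/other ($1)" ;;
        esac
    done

    # In the thread, root's working copy is 600 bytes and ehpadm's is 0 bytes.
    seed=$dir/random_seed
    if [ -f "$seed" ] && [ ! -s "$seed" ]; then
        flag "$seed is empty"
    fi

    # gpg's temporary lock files are named .#lk<address>.<host>.<pid>.
    # If that pid is gone, the lock was left by a killed or crashed gpg.
    # Caveat: kill -0 also fails for a live process owned by another user,
    # and a recycled pid can make a stale lock look live.
    for lk in "$dir"/.#lk*; do
        [ -e "$lk" ] || continue
        pid=${lk##*.}
        case $pid in ''|*[!0-9]*) continue ;; esac
        kill -0 "$pid" 2>/dev/null || flag "stale lock $lk (pid $pid not running)"
    done

    [ "$findings" -eq 0 ]
}
```

Call it as `audit_gnupg_home /home/ehpadm/.gnupg`; with no argument it audits `$HOME/.gnupg`.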