using with su/sudo

NIIBE Yutaka gniibe at fsij.org
Fri Oct 7 04:56:14 CEST 2016


On 10/07/2016 12:21 AM, John Lane wrote:
> The requirement for tty ownership for commands where pinentry is
> required causes problems for shells opened with sudo or su, where
> such commands generally result in a "permission denied" kind of error:
> 
>     $ gpg -d /tmp/encrypted.asc
>     gpg: public key decryption failed: Permission denied
> 
> I can use "script" to work around this but it is a bit of a hack that
> relies on the fact that "script" creates a new tty owned by the current
> user:
> 
>     $ script -q -c 'gpg -d /tmp/encrypted.asc'
> 
> Is there a correct way to make gpg play nicely inside su/sudo ?

One possible way is invoking gpg with an option --pinentry-mode=loopback.


I confirmed this issue with TTY.  The cause is that pinentry cannot
open the TTY in question in the situation where its owner is the original
user.  It's EACCES (Permission denied) from the TTY device when pinentry
tries to open the TTY.

I created a ticket at the bug tracker.

    https://bugs.gnupg.org/gnupg/issue2739


Given that gpg-agent's allow-loopback-pinentry is the default now,
perhaps it would be best (from the user's viewpoint) for gpg-agent to
fall back to loopback mode automatically.

On a window system, I think it doesn't work either...
-- 
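The failure described in this thread is pinentry's open() of a TTY device still owned by the user who ran su/sudo, and the suggested remedy is --pinentry-mode=loopback. The following shell functions are an added example, not code from the thread or from GnuPG: they check the TTY with the same DAC rules open(2) applies and add the loopback option only when pinentry would fail. The function names are hypothetical; the wrapper assumes gpg 2.1 or later on PATH and a gpg-agent that permits loopback pinentry (the default, as the reply notes). In loopback mode gpg reads the passphrase itself instead of launching pinentry, so the caller must still be able to type into gpg's own stdin/terminal.

```shell
#!/bin/sh
# Added example (not from the original thread or from GnuPG itself):
# decide whether pinentry can use the current TTY, and fall back to
# --pinentry-mode=loopback when it cannot.  The check mirrors the failure
# in the thread: pinentry open()s the TTY device, which fails with EACCES
# when the device is still owned by the user who ran su/sudo.

# gpg_pinentry_mode TTY_PATH
#   Prints "ask" when TTY_PATH is readable and writable by the current
#   user (pinentry can open it), "loopback" otherwise.  test -r / test -w
#   use access(2), which applies the same DAC rules as open(2).
gpg_pinentry_mode() {
    _tty="$1"
    if [ -n "$_tty" ] && [ -r "$_tty" ] && [ -w "$_tty" ]; then
        printf 'ask\n'
    else
        printf 'loopback\n'
    fi
}

# gpg_pinentry_opt TTY_PATH
#   Prints the gpg option to add for the chosen mode: the string
#   "--pinentry-mode=loopback" when the TTY is not usable, nothing otherwise.
gpg_pinentry_opt() {
    case "$(gpg_pinentry_mode "$1")" in
        loopback) printf '%s\n' '--pinentry-mode=loopback' ;;
        *)        printf '\n' ;;
    esac
}

# gpg_decrypt_with_fallback FILE
#   Decrypts FILE with gpg, adding the loopback option only when the
#   controlling TTY cannot be opened.  `tty` prints the path of the
#   controlling terminal and exits non-zero when there is none; in that
#   case we also fall back to loopback, since pinentry has no terminal to
#   draw on.  Hypothetical wrapper; requires gpg on PATH.
gpg_decrypt_with_fallback() {
    _file="$1"
    _ttypath="$(tty 2>/dev/null)" || _ttypath=""
    _opt="$(gpg_pinentry_opt "$_ttypath")"
    if [ -n "$_opt" ]; then
        echo "pinentry cannot open ${_ttypath:-<no tty>}; using loopback pinentry" >&2
        gpg "$_opt" -d "$_file"
    else
        gpg -d "$_file"
    fi
}

# Usage (in a shell opened with su or sudo):
#   gpg_decrypt_with_fallback /tmp/encrypted.asc
```

Because `test -r`/`test -w` consult the same permission bits open(2) checks, the wrapper chooses loopback exactly in the cases where pinentry would report "Permission denied"; a root shell, which bypasses DAC, keeps the normal pinentry dialog. If gpg-agent were to gain the automatic fallback the reply proposes, this wrapper would become unnecessary.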