GnuPG and SSH_AUTH_SOCK value

Steffen Nurpmeso steffen at sdaoden.eu
Fri Jun 28 19:07:18 CEST 2019


Daniel Kahn Gillmor via Gnupg-users wrote in <87ftnup18e.fsf at fifthhorseman.net>:
 |On Fri 2019-06-28 10:04:44 +0200, Michael Kesper wrote:
 |> On 23.06.19 12:21, Matthias Apitz wrote:
 |>> I'm used to use 'startx' and ~/.xinitrc to bring up Xorg+KDE:
 |>
 |> This makes your setup depend on a suid binary.
 |
 |Can you give more details?  I know that some older systems did rely on X
 |or startx or something being setuid, but i think more modern systems
 |don't require that.  On a debian testing (buster) system, for example, i
 |don't believe that any of the binaries are suid.

..because some packagers do CRUX to avoid it, maybe because they
do not want to violate some policy.
For example, for the MUA i maintain, Debian ships with the
privilege-separated "dotlock" helper, but does not install it
SETUID.  This is good enough for the shared mail directory the way
Debian does it; in fact the package maintainer is pretty clever,
right, but of course this is not how it is designed.  Today: it was
a SETGID helper in the past, but that does not work on e.g. OpenBSD,
where only root can write in the mail spool.  And since this MUA
supports multiple mail spools, it will not work unless they are
set up in exactly the same way.  But only normal file-locking, as
is the chosen approach on OpenBSD (for my MUA), is not the way the
Debian maintainer wants to go.  Well, this is his choice.

(Besides, i am in total favour of not having SETUID, not only
because i had a CVE myself.  Here Xorg still is SETUID, but i have
never looked too deep.  For graphics hardware access, you need to
have access to hardware, no?  I.e., whether hardware is designed so
that this becomes possible, i do not know.  Being able to start
a program SETUID, open some files, and then enter a restricted
mode which has lost root rights, i do not feel bad about.  Like
the FreeBSD Capsicum thing, or even CloudABI.  Maybe i even prefer
being able to search for SETUID and have a list, instead of having
very complicated configuration settings, and CRUX, hidden here and
there.  But i am not a security researcher, i just try to do
a little thing right.)

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
