[gpg-agent] Empty OPTION xauthority=
Matěj Cepl
mcepl at cepl.eu
Sun Mar 3 20:41:21 CET 2024
On Sun Mar 3, 2024 at 10:05 AM CET, Werner Koch wrote:
> > am running it on host with systemd --user services (configuration
>
> Take care, the use of systemd is racy and support will be removed in
> 2.6.
1. Could you please explain why it is racy? Why from all services
only gpg is unsuitable for systemd treatment? It is just one
socket as any other, isn’t it? Could you point to some issue
ticket, email thread, blog post explaining the problem?
2. When running on MicroOS system (or Fedora Atomic) how could
you guarantee that there is only one gpg-agent and gpg
doesn't try to run it inside of a container, thus making it
inaccessible to other containers on the system (Flatpak or
podman) and to the host system? I don't see any other solution
than running permanently one gpg-agent on the host system open
to everybody, which systemd --user service seems to provide
nicely.
> gpg takes the value for xauthority from the envvar XAUTHORITY. In your
> case it seems that this envvar is set to the empty string which results
> in the above syntax error. Using xauthority without a value and thus
> without the '=' removes the value from gpg-agent's environment.
Yes, thank you for kicking me in the right
direction, I found a bug in distrobox
(https://github.com/89luca89/distrobox/pull/1252).
> In theory it would be possible to ignore the empty string but given that
> we have the code this way for 20 years the risk of a regression is too
> high.
What? You know there is a vulnerability in gpg (actually,
couldn't the particularly modified environment be abused for some
DoD style attack?) and you don't want to fix it, because you had
that bug there long enough? I probably do not understand what you
were trying to say.
> Please figure out why XAUTHORITY is set to the empty string.
> XAUTHORITY is only needed if you don't use ~/.Xauthority to store the
> X11 magic cookies; see xauth(1).
I have a Wayland-only system (based on sway), so the whole set of XAUTH*
variables is nonsensical here.
Best,
Matěj
--
http://matej.ceplovi.cz/blog/, @mcepl at floss.social
GPG Finger: 3C76 A027 CA45 AD70 98B5 BC1D 7920 5802 880B C9D8
Monday, December 9th. We skip the bus tour of Stockholm to attend
the economics lecture. Our guest status is again good for front
row seats. We hear about the theory of auctions. There are
integrals and derivatives. It’s like physics except physics
works.
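The reply above turns on the difference between XAUTHORITY being unset and being exported as the empty string (the distrobox case). The following POSIX shell diagnostic is an added example, not code from GnuPG, distrobox or this thread; it classifies a variable by name and, for the Wayland-only host described, drops an empty XAUTHORITY so gpg has no empty value to pass on. The generalisation to an arbitrary variable name is mine.

```shell
#!/bin/sh
# Added diagnostic for the "Empty OPTION xauthority=" symptom (not from
# GnuPG or distrobox). Distinguishes an unset variable from one that is
# exported as "", which is the distinction the reply hinges on.
env_state() {
    # $1 = variable name; prints one of: unset | empty | set
    eval "_is_set=\${$1+set}"
    eval "_value=\${$1}"
    if [ -z "$_is_set" ]; then
        echo unset
    elif [ -z "$_value" ]; then
        echo empty
    else
        echo set
    fi
}

# On a Wayland-only host an empty XAUTHORITY carries no information.
# Unsetting it leaves gpg with no value to take from the envvar, so the
# malformed "OPTION xauthority=" is never produced in the first place.
drop_if_empty() {
    if [ "$(env_state "$1")" = empty ]; then
        unset "$1"
        echo "dropped empty $1"
    fi
}

# Constructed walk through the three states for XAUTHORITY.
demo() {
    unset XAUTHORITY
    printf 'XAUTHORITY unset -> %s\n' "$(env_state XAUTHORITY)"
    XAUTHORITY=; export XAUTHORITY          # the distrobox situation
    printf 'XAUTHORITY=""    -> %s\n' "$(env_state XAUTHORITY)"
    drop_if_empty XAUTHORITY
    printf 'after drop       -> %s\n' "$(env_state XAUTHORITY)"
}
```

Run `demo` inside the container shell that launches gpg; an "empty" result points at whatever exported the variable with no value.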