ports/60916: BitchX changes ownership of GPG public key file
kosmos
abowhill at blarg.net
Mon Jan 5 06:20:16 UTC 2004
>Number: 60916
>Category: ports
>Synopsis: BitchX changes ownership of GPG public key file
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Jan 04 22:20:08 PST 2004
>Closed-Date:
>Last-Modified:
>Originator: abowhill at blarg.net
>Release: FreeBSD 4.9-STABLE i386
>Organization:
n/a
>Environment:
System: FreeBSD kosmos.my.net 4.9-STABLE FreeBSD 4.9-STABLE #0: Thu Dec 4 19:37:49 PST 2003 root at kosmos.my.net:/usr/obj/usr/src/sys/KOSMOS i386
>Description:
If you use sudo to issue commands as root, and have GPG (GNU
PGP) installed on the system, installing BitchX from ports will
change the ownership of your pubring.gpg to root, temporarily
disabling GPG functionality.
Also, a public key is added to the keyring without asking.
>How-To-Repeat:
1.) install sudo
2.) configure an account "someuser". Add it to group wheel.
3.) as root, install /usr/ports/security/sudo
4.) as root, add someuser as a sudoer with root access.
Use visudo to add the line:
someuser ALL=(ALL) ALL
under the "User privilege specification" heading
5.) as root, install and configure /usr/ports/security/gnupg
6.) as someuser, generate a gpg keypair, using:
gpg --gen-key
%pwd
/usr/home/someuser
%ls -alt .gnupg/
total 20
drwx------ 2 someuser wheel 512 Jan 4 20:59 .
-rw------- 1 someuser wheel 1240 Jan 4 20:59 trustdb.gpg
-rw------- 1 someuser wheel 600 Jan 4 20:59 random_seed
-rw------- 1 someuser wheel 1062 Jan 4 20:59 secring.gpg
-rw------- 1 someuser wheel 924 Jan 4 20:59 pubring.gpg
drwxr-xr-x 3 someuser wheel 512 Jan 4 20:57 ..
-rw------- 1 someuser wheel 0 Jan 4 20:57 pubring.gpg~
-rw------- 1 someuser wheel 8075 Jan 4 20:57 gpg.conf
%gpg --list-keys
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
/home/someuser/.gnupg/pubring.gpg
---------------------------------
pub 1024D/BD8FF700 2004-01-05 Some User (bloke) <someuser at mynet.net>
sub 1024g/73C489C3 2004-01-05 [expires: 2004-01-07]
7.) as someuser->sudo->root install /usr/ports/irc/bitchx
> whoami
someuser
> cd /usr/ports/irc/bitchx
> sudo make install clean
8.) check permissions on files in ~someuser/.gnupg
> ls -lat ~/.gnupg
total 24
drwx------ 2 someuser wheel 512 Jan 4 21:11 .
-rw------- 1 someuser wheel 1280 Jan 4 21:11 trustdb.gpg
-rw------- 1 root wheel 2276 Jan 4 21:11 pubring.gpg
-rw------- 1 someuser wheel 600 Jan 4 20:59 random_seed
-rw------- 1 someuser wheel 1062 Jan 4 20:59 secring.gpg
-rw------- 1 someuser wheel 924 Jan 4 20:59 pubring.gpg~
drwxr-xr-x 3 someuser wheel 512 Jan 4 20:57 ..
-rw------- 1 someuser wheel 8075 Jan 4 20:57 gpg.conf
9.) list keys
> gpg --list-keys
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: can't open `/home/someuser/.gnupg/pubring.gpg'
gpg: keydb_search_first failed: file open error
>Fix:
The problem is under the pre-extract section in the Makefile for
bitchx. The Makefile should probably ask before adding a key,
but aside from that, the permission change problem might be
fixed by using su in some creative way like:
.if defined(SUDO_USER)
	@${ECHO_CMD} "===> Using Sudo to verify GnuPG signatures."
	su ${SUDO_USER} -c 'gpg --keyserver pgp.mit.edu --recv-key 42D1F77C'
.endif
Workaround:
1.) as someuser:
cd ~/.gnupg
sudo chown someuser pubring.gpg
gpg --list-keys
> gpg --list-keys
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
/home/someuser/.gnupg/pubring.gpg
---------------------------------
pub 1024D/BD8FF700 2004-01-05 Some User (bloke) <someuser at mynet.net>
sub 1024g/73C489C3 2004-01-05 [expires: 2004-01-07]
pub 1024D/42D1F77C 2003-04-14 Rob Andrews (BitchX FTP Site Administrator) <sin at bitchx.org>
sub 2048g/7ADE46D5 2003-04-14 [expires: 2004-04-13]
>Release-Note:
>Audit-Trail:
>Unformatted:
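The check an administrator would run after a privileged port build, as an added example that is not part of this PR or of the bitchx port: a POSIX sh function that reports every file under a directory not owned by the expected user (so a pubring.gpg re-created as root shows up immediately), plus a helper that runs gpg as the sudo invoker using the su pattern suggested in the Fix section. The function names, and the reliance on find(1) -user, are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the PR or the bitchx port.
# Assumes POSIX find(1) with -user and id(1).
#
# Usage after "sudo make install" in a port that invokes gpg:
#   check_owner "$HOME/.gnupg" "$(id -un)"
# A non-zero exit means a file under ~/.gnupg was taken over by
# another account (here: pubring.gpg re-created as root).

check_owner() {
    dir=$1
    user=$2
    [ -d "$dir" ] || { echo "check_owner: $dir: not a directory" >&2; return 2; }
    # Every path below $dir whose owner differs from $user.
    bad=$(find "$dir" ! -user "$user" -print)
    if [ -n "$bad" ]; then
        echo "check_owner: not owned by $user:" >&2
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Run gpg as the invoking user when the command executes under sudo,
# so the keyring written is the invoker's and keeps the invoker's
# ownership. su only works when we are root; otherwise run gpg directly.
gpg_as_invoker() {
    if [ "$(id -u)" -eq 0 ] && [ -n "$SUDO_USER" ]; then
        su "$SUDO_USER" -c "gpg $*"
    else
        gpg "$@"
    fi
}
```

check_owner returns 0 when everything is owned by the expected user, 1 with the offending paths on stdout otherwise, and 2 when the directory does not exist; numeric uids are accepted wherever a user name is.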