ports/60916: BitchX changes ownership of GPG public key file

kosmos abowhill at blarg.net
Mon Jan 5 06:20:16 UTC 2004


>Number:         60916
>Category:       ports
>Synopsis:       BitchX changes ownership of GPG public key file
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jan 04 22:20:08 PST 2004
>Closed-Date:
>Last-Modified:
>Originator:     abowhill at blarg.net
>Release:        FreeBSD 4.9-STABLE i386
>Organization:
n/a
>Environment:
System: FreeBSD kosmos.my.net 4.9-STABLE FreeBSD 4.9-STABLE #0: Thu Dec 4 19:37:49 PST 2003 root at kosmos.my.net:/usr/obj/usr/src/sys/KOSMOS i386


	
>Description:
        If you use sudo to issue commands as root, and have GPG (GNU
        PGP) installed on the system, installing BitchX from ports will
        change the ownership of your pubring.gpg to root, temporarily
        disabling GPG functionality.

        Also, a public key is added to the keyring without asking.
>How-To-Repeat:
        1.) install sudo
        2.) configure an account "someuser". Add into group wheel.
        3.) as root, install /usr/ports/security/sudo
        4.) as root, add someuser as a sudoer with root access
            Use visudo to add the line:
                someuser        ALL=(ALL) ALL
            under the "User privilege specification" heading
        4.) as root, install and configure /usr/ports/security/gnupg
        5.) as someuser, generate a gpg keypair, using:
                gpg --gen-key

        %pwd
        /usr/home/someuser
        %ls -alt .gnupg/
        total 20
        drwx------  2 someuser  wheel   512 Jan  4 20:59 .
        -rw-------  1 someuser  wheel  1240 Jan  4 20:59 trustdb.gpg
        -rw-------  1 someuser  wheel   600 Jan  4 20:59 random_seed
        -rw-------  1 someuser  wheel  1062 Jan  4 20:59 secring.gpg
        -rw-------  1 someuser  wheel   924 Jan  4 20:59 pubring.gpg
        drwxr-xr-x  3 someuser  wheel   512 Jan  4 20:57 ..
        -rw-------  1 someuser  wheel     0 Jan  4 20:57 pubring.gpg~
        -rw-------  1 someuser  wheel  8075 Jan  4 20:57 gpg.conf

        
        %gpg --list-keys
        gpg: WARNING: using insecure memory!
        gpg: please see http://www.gnupg.org/faq.html for more information
        /home/someuser/.gnupg/pubring.gpg
        ---------------------------------
        pub  1024D/BD8FF700 2004-01-05 Some User (bloke) <someuser at mynet.net>
        sub  1024g/73C489C3 2004-01-05 [expires: 2004-01-07]

        
        6.) as someuser->sudo->root install /usr/ports/irc/bitchx
        
        > whoami
        someuser
        > cd /usr/ports/irc/bitchx
        > sudo make install clean

        7.) check permissions on files in ~someuser/.gnupg
        > ls -lat ~/.gnupg
        total 24
        drwx------  2 someuser  wheel   512 Jan  4 21:11 .
        -rw-------  1 someuser  wheel  1280 Jan  4 21:11 trustdb.gpg
        -rw-------  1 root      wheel  2276 Jan  4 21:11 pubring.gpg
        -rw-------  1 someuser  wheel   600 Jan  4 20:59 random_seed
        -rw-------  1 someuser  wheel  1062 Jan  4 20:59 secring.gpg
        -rw-------  1 someuser  wheel   924 Jan  4 20:59 pubring.gpg~
        drwxr-xr-x  3 someuser  wheel   512 Jan  4 20:57 ..
        -rw-------  1 someuser  wheel  8075 Jan  4 20:57 gpg.conf

        8.) list keys

        > gpg --list-keys
        gpg: WARNING: using insecure memory!
        gpg: please see http://www.gnupg.org/faq.html for more information
        gpg: can't open `/home/someuser/.gnupg/pubring.gpg'
        gpg: keydb_search_first failed: file open error

>Fix:

        The problem is under the pre-extract section in the Makefile for
        bitchx. The Makefile should probably ask before adding a key,
        but aside from that, the permission change problem might be
        fixed by using su in some creative way like:

        .if defined(SUDO_USER)
                @${ECHO_CMD} "===> Using Sudo to verify GnuPG signatures."
                su $(SUDO_USER) -c 'gpg --keyserver pgp.mit.edu --recv-key 42D1F77C'
        .endif

        Workaround: 
        
        1.) as someuser:
        
        cd ~/.gnupg
        sudo chown someuser pubring.gpg
        gpg --list-keys
        > gpg --list-keys

        gpg: WARNING: using insecure memory!
        gpg: please see http://www.gnupg.org/faq.html for more information
        /home/someuser/.gnupg/pubring.gpg
        ---------------------------------
        pub  1024D/BD8FF700 2004-01-05 Some User (bloke) <someuser at mynet.net>
        sub  1024g/73C489C3 2004-01-05 [expires: 2004-01-07]

        pub  1024D/42D1F77C 2003-04-14 Rob Andrews (BitchX FTP Site Administrator) <sin at bitchx.org>
        sub  2048g/7ADE46D5 2003-04-14 [expires: 2004-04-13]
>Release-Note:
>Audit-Trail:
>Unformatted:
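
The ownership drift shown in step 7 and the privilege-drop idea from the Fix section, as an added sh example that is not part of the original report or the port's Makefile. The function names are hypothetical; the uid and SUDO_USER value are passed as arguments so the logic can be checked without root.

```shell
#!/bin/sh
# Added example, not from the PR or the port. Function names are hypothetical.

# Numeric uid that owns a path (ls -n prints ids instead of names).
owner_uid() {
    ls -ldn "$1" | awk '{print $3}'
}

# Print every path under a GnuPG home that is not owned by the expected uid.
# The expected uid defaults to the owner of the directory itself, so a
# root-owned pubring.gpg inside someuser's ~/.gnupg is reported.
gnupg_foreign_owned() {
    dir=$1
    [ -d "$dir" ] || return 2
    uid=${2:-$(owner_uid "$dir")}
    find "$dir" ! -user "$uid" -print
}

# Name of the account a gpg call inside a privileged build step should run
# as. Arguments: effective uid, value of SUDO_USER. Prints the invoking
# user when root was reached through sudo, otherwise an empty line
# (no account switch needed).
gpg_run_as() {
    euid=$1
    sudo_user=$2
    if [ "$euid" -eq 0 ] && [ -n "$sudo_user" ] && [ "$sudo_user" != root ]; then
        printf '%s\n' "$sudo_user"
    else
        printf '\n'
    fi
}

# With a directory argument: report drift and exit non-zero if any is found.
if [ $# -gt 0 ]; then
    bad=$(gnupg_foreign_owned "$1") || exit 2
    if [ -n "$bad" ]; then
        printf 'not owned by the directory owner:\n%s\n' "$bad"
        exit 1
    fi
fi
```

Run as `sh check.sh ~/.gnupg` before and after a `sudo make install` to catch the change from step 7 (the script file name is an assumption).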


