RHEL-10718

Search for an agent socket in /run/gnupg/user before /run/user

    • Story
    • Resolution: Won't Do
    • rhel-8.10
    • rhel-8.8.0
    • gnupg2
    • sst_security_crypto
    • ssg_security

      I'd like gnupg2 to be built with the --enable-run-gnupg-user-socket configure option. This is not true as of the latest RHEL-8 build gnupg2-2.2.20-3.el8_6.

      libdnf and librepo need it for RHEL-6421. In short, libdnf and librepo create the /run/user/${UID} directory to let gpg create a gpg-agent named socket there rather than in a GPG home path. The reason why DNF wanted the socket there is using DNF from container builders which do not support named socket files (https://bugzilla.redhat.com/show_bug.cgi?id=1769831, https://bugzilla.redhat.com/show_bug.cgi?id=1781601). However, we got a report that if DNF is executed by an Insights client, the directory is created with a SELinux label which does not match what systemd-logind needs (RHEL-6421). Therefore I'd like to utilize a different path which does not clash with systemd.

      The --enable-run-gnupg-user-socket option enhances gpg to first try the /run/gnupg/${UID} path, then /run/user/${UID}, and finally a GPG home path. See _gnupg_socketdir_internal() in common/homedir.c:

        static const char * const bases[] = {
      #ifdef USE_RUN_GNUPG_USER_SOCKET
          "/run/gnupg",
      #endif
          "/run",
      #ifdef USE_RUN_GNUPG_USER_SOCKET
          "/var/run/gnupg",
      #endif
          "/var/run",
          NULL
        };
      

      Because the path does not exist by default and it can be created only by a superuser, enabling the option is low risk for normal GnuPG use cases, as in most cases the new path will simply be skipped.

            jjelen@redhat.com Jakub Jelen
            rhn-support-ppisar Petr Pisar
            Jakub Jelen Jakub Jelen
            Stanislav Zidek Stanislav Zidek
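The search order described in the issue, modelled as a small shell probe with an ownership and mode check on the selected directory (an added example, not GnuPG's or the reporter's code). It assumes each base is probed as `<base>/user/<uid>`, as the issue title suggests; `SOCK_ROOT`, `socket_bases`, `pick_socket_dir` and `audit_socket_dir` are hypothetical names, and GnuPG's own further checks are not modelled.

```shell
#!/bin/sh
# Added example: simplified model of the probe order, not GnuPG code.
# Assumption: each base is probed as <base>/user/<uid> (per the issue title).
# SOCK_ROOT is a hypothetical prefix that lets the probe run on a scratch tree.

# socket_bases FLAG: print the bases in probe order; FLAG=1 models a build
# configured with --enable-run-gnupg-user-socket.
socket_bases() {
    if [ "$1" = 1 ]; then
        printf '%s\n' /run/gnupg /run /var/run/gnupg /var/run
    else
        printf '%s\n' /run /var/run
    fi
}

# pick_socket_dir UID FLAG HOMEDIR: print the first existing per-user
# directory, otherwise the GPG home path.
pick_socket_dir() {
    for base in $(socket_bases "$2"); do
        dir="${SOCK_ROOT:-}$base/user/$1"
        if [ -d "$dir" ]; then
            printf '%s\n' "$dir"
            return 0
        fi
    done
    printf '%s\n' "$3"
}

# audit_socket_dir DIR UID: succeed only if DIR is owned by UID and closed to
# group and others; a directory created by root on the user's behalf can end
# up with the wrong owner or mode.
audit_socket_dir() {
    # After this, $3 is the mode string and $4 the numeric owner of DIR.
    set -- "$1" "$2" $(ls -ldn "$1" | awk '{print $1, $3}')
    [ "$4" = "$2" ] || { echo "owner $4, expected $2" >&2; return 1; }
    case "$3" in
        d???------*) return 0 ;;
        *) echo "mode $3 is open to group/other" >&2; return 1 ;;
    esac
}

# Run with --check to probe the live system for the current user.
if [ "${1:-}" = "--check" ]; then
    d=$(pick_socket_dir "$(id -u)" 1 "${GNUPGHOME:-$HOME/.gnupg}")
    echo "selected: $d"
    audit_socket_dir "$d" "$(id -u)"
fi
```

On a live host, `gpgconf --list-dirs socketdir` prints the socket directory GnuPG itself resolved.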