- Story
- Resolution: Won't Do
- rhel-9.3.0
- rhel-sst-security-crypto
- ssg_security
I'd like gnupg2 to be built with the --enable-run-gnupg-user-socket configure option. This is not the case as of the latest RHEL-8 build, gnupg2-2.2.20-3.el8_6.
libdnf and librepo need it for RHEL-6421. In short, libdnf and librepo create the /run/user/${UID} directory to let gpg create its gpg-agent named socket there rather than in the GPG home path. The reason DNF wanted the socket there is that DNF is used from container builders which do not support named socket files (https://bugzilla.redhat.com/show_bug.cgi?id=1769831, https://bugzilla.redhat.com/show_bug.cgi?id=1781601). However, we got a report that if DNF is executed by an Insights client, the directory is created with an SELinux label which does not match what systemd-logind needs (RHEL-6421). Therefore I'd like to use a different path which does not clash with systemd.
The --enable-run-gnupg-user-socket option enhances gpg to first try the /run/gnupg/${UID} path, then /run/user/${UID}, and finally the GPG home path. See _gnupg_socketdir_internal() in common/homedir.c:
    static const char * const bases[] = {
    #ifdef USE_RUN_GNUPG_USER_SOCKET
      "/run/gnupg",
    #endif
      "/run",
    #ifdef USE_RUN_GNUPG_USER_SOCKET
      "/var/run/gnupg",
    #endif
      "/var/run",
      NULL
    };
Because the path does not exist by default and can be created only by a superuser, enabling the option is low risk for normal GnuPG use cases: in most cases the new path is simply skipped.
RHEL 9 is also affected (gnupg2-2.3.3-4.el9.x86_64).
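The following is an added illustration of the search order described above, not code from GnuPG or from this issue. It generalises the lookup so the candidate base list (/run/gnupg, /run, ...) is a parameter, and it makes explicit the checks a defender wants before trusting a directory under a world-visible /run path for a private agent socket: the per-user directory must exist, be a directory, be owned by the calling uid and carry no group/other permissions, and the gnupg subdirectory created inside it must pass the same test. Those checks, the function names (`pick_socketdir`, `run_demo`) and the mkdtemp()-based fixture tree are this example's own assumptions, not a copy of `_gnupg_socketdir_internal()`. The fallback when no base qualifies is the GPG home directory, as in the text.

```c
/*
 * Added example, not GnuPG's code: socket-directory selection with the base
 * list, uid and fallback home supplied by the caller. The ownership and
 * permission checks below are this example's assumptions.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

#define PATH_BUF 4096

/* True if path is a directory owned by uid that group and others cannot access. */
static int is_private_dir(const char *path, uid_t uid)
{
    struct stat sb;
    if (stat(path, &sb) != 0 || !S_ISDIR(sb.st_mode))
        return 0;
    if (sb.st_uid != uid)
        return 0;
    if (sb.st_mode & (S_IRWXG | S_IRWXO))
        return 0;
    return 1;
}

/*
 * Try each base in order as <base>/user/<uid>. On the first private one,
 * create (or verify) <base>/user/<uid>/gnupg, write it to out and return
 * that base's index. If none qualifies, write homedir to out and return -1.
 */
int pick_socketdir(const char *const *bases, uid_t uid, const char *homedir,
                   char *out, size_t outlen)
{
    char cand[PATH_BUF];
    for (int i = 0; bases[i] != NULL; i++) {
        snprintf(cand, sizeof cand, "%s/user/%u", bases[i], (unsigned)uid);
        if (!is_private_dir(cand, uid))
            continue;               /* absent, foreign-owned or too open: skip */
        snprintf(out, outlen, "%s/gnupg", cand);
        if (mkdir(out, 0700) != 0 && errno != EEXIST)
            continue;
        if (!is_private_dir(out, uid))
            continue;               /* pre-created by someone else: refuse it */
        return i;
    }
    snprintf(out, outlen, "%s", homedir);
    return -1;
}

/* Constructed fixture: <root>/user/<uid> with an explicit mode (chmod defeats umask). */
static int make_user_dir(const char *root, uid_t uid, mode_t mode)
{
    char p[PATH_BUF];
    if (mkdir(root, 0755) != 0 && errno != EEXIST) return -1;
    snprintf(p, sizeof p, "%s/user", root);
    if (mkdir(p, 0755) != 0 && errno != EEXIST) return -1;
    snprintf(p, sizeof p, "%s/user/%u", root, (unsigned)uid);
    if (mkdir(p, mode) != 0 && errno != EEXIST) return -1;
    return chmod(p, mode);
}

/*
 * Scenarios over a throw-away tree under a mkdtemp() root (constructed data):
 *   0: both bases private              -> first base wins, returns 0
 *   1: first base absent, second ok    -> falls through, returns 1
 *   2: first base group-readable,
 *      second absent                   -> nothing trusted, home used, returns -1
 */
int run_demo(int scenario)
{
    char tmpl[] = "/tmp/sockdir-demo-XXXXXX";
    char *root = mkdtemp(tmpl);
    if (root == NULL) return -99;
    uid_t uid = getuid();
    char a[PATH_BUF], b[PATH_BUF], home[PATH_BUF], out[PATH_BUF];
    snprintf(a, sizeof a, "%s/gnupg", root);   /* stands in for /run/gnupg */
    snprintf(b, sizeof b, "%s/run", root);     /* stands in for /run */
    snprintf(home, sizeof home, "%s/home", root);
    const char *const bases[] = { a, b, NULL };

    if (scenario == 0) { make_user_dir(a, uid, 0700); make_user_dir(b, uid, 0700); }
    if (scenario == 1) { make_user_dir(b, uid, 0700); }
    if (scenario == 2) { make_user_dir(a, uid, 0750); }
    return pick_socketdir(bases, uid, home, out, sizeof out);
}

int main(void)
{
    for (int s = 0; s < 3; s++)
        printf("scenario %d -> base index %d\n", s, run_demo(s));
    return 0;
}
```

Scenario 2 is the case the issue is about from the other direction: a per-user directory that exists but was created with the wrong ownership or mode (for example by an unprivileged helper rather than by the superuser or systemd-logind) is skipped rather than used, so a mislabelled or over-permissive directory degrades to the home-directory socket instead of exposing the agent socket.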
- clones: RHEL-10718 Search for an agent socket in /run/gnupg/user before /run/user (Closed)