[pkg-gnupg-maint] Bug#367058: problems with misconfigured gnupg-agent and /etc/X11/Xsession.d/90gpg-agent

Daniel Kahn Gillmor dkg at fifthhorseman.net
Sun Feb 5 23:47:39 UTC 2017


Version: 2.1.13-3

On Fri 2014-09-26 17:31:50 -0400, Daniel Kahn Gillmor wrote:
> Reviewing bugs in GnuPG packages, i'm a little worried about
> https://bugs.debian.org/367058 -- it hasn't been resolved in years, and
> it's pretty simple:
>
> On a machine that uses the standard X11 session startup scripts in
> /etc/X11/Xsession.d (this is chosen by
> /etc/alternatives/x-session-manager, i think, and does not include
> gnome-session, but does include openbox-session), a user can lock
> themselves out of X11 entirely with the following changes to their home
> directory:
>
>  echo use-agent >> ~/.gnupg/gpg.conf
>  echo no-such-option >> ~/.gnupg/gpg-agent.conf
>
> I just tried this on a debian unstable system with gdm3 as the display
> manager and x-session-manager pointing to openbox-session.

I'm happy to say that i think this has been resolved in recent versions
of gnupg-agent.  Since the adoption of the standard socket and the
systemd user services (and upstream's auto-launching for non-systemd
machines) in version 2.1.13-3, the Xsession.d snippet no longer needs
to launch the daemon.

The remaining business of the Xsession.d snippet is to set environment
variables, but those can be pulled directly from gpgconf (which doesn't
return non-zero even when the underlying program it queries does fail
(see the error handling logic in retrieve_options_from_program(), around
line 2156 of tools/gpgconf-comp.c)).

So i don't think that a misconfigured gpg-agent.conf file will cause the
same types of login failures as it used to.

     --dkg
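
The following is an added example, not part of the message above and not the Debian package's 90gpg-agent script. It sketches a session-startup snippet that takes its environment from gpgconf and cannot abort the login when gpg-agent.conf is broken. The function name, its parameter and the three *_stub functions are hypothetical, and the stub output is constructed.

```shell
# Added example. Assumption: the snippet is sourced by a session script that
# runs with `set -e`, so one unguarded failing command would end the login.

# Export SSH_AUTH_SOCK if the agent has ssh support enabled; never fail.
# $1: gpgconf command to run (hypothetical parameter, lets stubs stand in).
gpg_agent_session_env() {
    conf=${1:-gpgconf}
    # Field 10 of --list-options output is the option's current value.
    ssh_on=$("$conf" --list-options gpg-agent 2>/dev/null |
             awk -F: '$1 == "enable-ssh-support" { print $10 }') || ssh_on=
    # Do not rely on exit status alone: an empty answer means "set nothing".
    [ -n "$ssh_on" ] || return 0
    sock=$("$conf" --list-dirs agent-ssh-socket 2>/dev/null) || sock=
    [ -n "$sock" ] || return 0
    SSH_AUTH_SOCK=$sock
    export SSH_AUTH_SOCK
    return 0
}

# Constructed stand-in: healthy configuration with ssh support enabled.
gpgconf_ok_stub() {
    case "$1 $2" in
        "--list-options gpg-agent")
            echo 'enable-ssh-support:0:0:enable ssh support:0:0::::1' ;;
        "--list-dirs agent-ssh-socket")
            echo '/run/user/1000/gnupg/S.gpg-agent.ssh' ;;
    esac
}

# Constructed stand-in: gpg-agent.conf has a bad option; the query prints an
# error, yields no option lines, and still exits 0 (as the message describes).
gpgconf_badconf_stub() {
    echo 'gpg-agent: invalid option "no-such-option"' >&2  # constructed text
    return 0
}

# Constructed stand-in: the tool itself fails with a non-zero status.
gpgconf_fail_stub() { return 2; }

# Demo: a broken agent configuration leaves the session running.
gpg_agent_session_env gpgconf_badconf_stub && echo "session continues"
```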