
Gnupg on openbsd with enigma roundcube plugin
Hello,
My goal is to use the enigma plugin that is part of roundcube webmail.
I get this error output:
[18-Sep-2022 00:41:46 +0200]: <e9n8l1qh> GPG: /bin/gpg2 --status-fd '3' --command-fd '4' --no-secmem-warning --no-tty --no-default-keyring --no-options --no-permission-warning --exit-on-status-write-error --trust-model always --pinentry-mode loopback --ignore-time-conflict --ignore-valid-from --with-colons --with-fingerprint --with-fingerprint --fixed-list-mode --homedir '/enigma/myemail@mydomain.org' --utf8-strings --list-secret-keys -- 'myemail@mydomain.org'
[18-Sep-2022 00:41:46 +0200]: <e9n8l1qh> GPG: BEGIN PROCESSING
[18-Sep-2022 00:41:46 +0200]: <e9n8l1qh> GPG: selecting streams
[18-Sep-2022 00:41:46 +0200]: <e9n8l1qh> GPG: => got 1
[18-Sep-2022 00:41:46 +0200]: <e9n8l1qh> GPG: GPG error stream ready for reading
[18-Sep-2022 00:41:46 +0200]: <e9n8l1qh> GPG: => about to read 65536 bytes from GPG error
[18-Sep-2022 00:41:46 +0200]: <e9n8l1qh> GPG: => read 61 bytes
[18-Sep-2022 00:41:46 +0200]: <e9n8l1qh> GPG: selecting streams
[18-Sep-2022 00:41:46 +0200]: <e9n8l1qh> GPG: => got 1
[18-Sep-2022 00:41:46 +0200]: <e9n8l1qh> GPG: GPG error stream ready for reading
[18-Sep-2022 00:41:46 +0200]: <e9n8l1qh> GPG: => about to read 65536 bytes from GPG error
[18-Sep-2022 00:41:46 +0200]: <e9n8l1qh> GPG: => read 1 bytes
[18-Sep-2022 00:41:46 +0200]: <e9n8l1qh> GPG: ERROR: gpg: Fatal: failed to open '/dev/null': Device not configured
[18-Sep-2022 00:41:46 +0200]: <e9n8l1qh> GPG: selecting streams
So
a) When I launch this command
gpg2 --status-fd '3' --command-fd '4' --no-secmem-warning --no-tty --no-default-keyring --no-options --no-permission-warning --exit-on-status-write-error --trust-model always --pinentry-mode loopback --ignore-time-conflict --ignore-valid-from --with-colons --with-fingerprint --with-fingerprint --fixed-list-mode --homedir '/enigma/myemail@mydomain.org' --utf8-strings --list-secret-keys -- 'myemail@mydomain.org'
I have this error
gpg: Fatal: status-fd is invalid: Bad file descriptor

If I remove --status-fd I have this error
gpg: command-fd is invalid: Bad file descriptor
b) I found this post on the openbsd mailing list
https://misc.openbsd.narkive.com/BLr2vq7b/roundcube-and-enigma-pgp
Where they say "it would be better if the code were changed to use the arc4random() family of functions, which avoid the need for this" (this = /dev/urandom I guess)


In point a) why do I have these errors related to status-fd and command-fd?
In point b) gnupg cannot use arc4random() to get its entropy? Are there any plans to implement that?
Regards
Re: Gnupg on openbsd with enigma roundcube plugin
On Sat, Sep 24, 2022 at 11:19:32PM +0000, Mik J via Gnupg-users wrote:
> Hello,
> My goal is to use the enigma plugin that is part of roundcube webmail.
> I get this error output: [18-Sep-2022 00:41:46 +0200]: <e9n8l1qh>
[...]
> [18-Sep-2022 00:41:46 +0200]: <e9n8l1qh> GPG: ERROR: gpg: Fatal: failed to open '/dev/null': Device not configured

OpenBSD isolates the web server in a chroot at /var/www. So you will
have to create /var/www/dev and put some devices there.

[...]
> b) I found this post on the openbsd mailing list https://misc.openbsd.narkive.com/BLr2vq7b/roundcube-and-enigma-pgp
> Where they say "it would be better if the code were changed to use the arc4random() family of functions, which avoid the need for this" (this = /dev/urandom I guess)

They also say you can create the /var/www/dev/urandom device and make
sure that the partition that /var is in is not mounted with the
"nodev" option.

Bruce
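The two checks Bruce describes (the device nodes exist under the chroot, and the filesystem holding it is not mounted "nodev") as an added sh script. This is not code from the thread or from OpenBSD; it assumes mount(8) output of the form "/dev/sd0g on /var type ffs (local, nodev, nosuid)" and that "stat -f '%Hr %Lr'" prints a device node's major and minor numbers. Only the checks run anywhere; create_chroot_devs needs root on OpenBSD and is included for reference (OpenBSD's /dev/MAKEDEV can create the same nodes).

```shell
#!/bin/sh
# Added example (not from the thread): verify an OpenBSD-style web server
# chroot (default /var/www) has the device nodes gpg needs and that the
# partition holding it is not mounted "nodev", which would make the nodes
# unusable even if they exist.

# Nodes gpg touched in the log above: /dev/null is what failed with
# "Device not configured"; urandom is the entropy source being discussed.
WANTED_DEVS="null urandom"

# Constructed sample mount(8) lines (OpenBSD format) for offline testing.
MOUNT_LINE_NODEV='/dev/sd0g on /var type ffs (local, nodev, nosuid)'
MOUNT_LINE_OK='/dev/sd0g on /var type ffs (local, nosuid)'

# mount_opts_have_nodev LINE -> 0 if the parenthesised option list
# contains the exact token "nodev" (substring matching would also hit
# unrelated options, so the list is split and compared token by token).
mount_opts_have_nodev() {
    opts=${1#*\(}        # drop everything up to and including "("
    opts=${opts%\)*}     # drop ")" and anything after it
    old_ifs=$IFS
    IFS=', '
    set -- $opts         # split on comma and space into $1 $2 ...
    IFS=$old_ifs
    for o in "$@"; do
        [ "$o" = nodev ] && return 0
    done
    return 1
}

# var_mounted_nodev -> 0 if the live mount table shows /var with nodev.
# OpenBSD puts /var on its own partition by default; adjust the
# mount point if /var/www lives elsewhere.
var_mounted_nodev() {
    mount | (
        while IFS= read -r line; do
            case $line in
                *" on /var type "*) mount_opts_have_nodev "$line" && exit 0 ;;
            esac
        done
        exit 1
    )
}

# missing_chroot_devs CHROOT -> prints every wanted node that is not a
# character device under CHROOT/dev; returns 1 if anything is missing.
missing_chroot_devs() {
    rc=0
    for d in $WANTED_DEVS; do
        if [ ! -c "$1/dev/$d" ]; then
            echo "missing: $1/dev/$d"
            rc=1
        fi
    done
    return $rc
}

# create_chroot_devs CHROOT -> root only, OpenBSD. Copies each node's
# major/minor numbers from the host's own /dev so nothing is hard-coded
# per architecture. /dev/null is world-writable, urandom read-only.
create_chroot_devs() {
    mkdir -p "$1/dev" || return 1
    for d in $WANTED_DEVS; do
        [ -c "$1/dev/$d" ] && continue
        nums=$(stat -f '%Hr %Lr' "/dev/$d") || return 1
        case $d in null) mode=666 ;; *) mode=644 ;; esac
        # $nums is intentionally unquoted: it holds "major minor"
        mknod -m "$mode" "$1/dev/$d" c $nums || return 1
    done
}

# Typical use on the server (as root):
#   missing_chroot_devs /var/www && var_mounted_nodev && echo "/var is nodev"
#   create_chroot_devs /var/www
```

If var_mounted_nodev reports the partition as nodev, the nodes cannot be created there; drop the option from that line in /etc/fstab and remount before running create_chroot_devs.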

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Gnupg on openbsd with enigma roundcube plugin
Hello Bruce,
Yes I read all of that.
But for point a) I started the command gpg2 --status-fd '3' --command-fd '4' ... out of the chroot
For point b) they recommend not to use urandom, that's why I asked the question about arc4random()
Regards

On Sunday, 25 September 2022 at 13:33:05 UTC+2, Bruce Walzer <bwalzer@59.ca> wrote:

[...]
Re: Gnupg on openbsd with enigma roundcube plugin
On 2022-09-25 at 12:02 +0000, Mik J wrote:
> Hello Bruce,
>
> Yes I read all of that.
>
> But for point a) I started the command gpg2 --status-fd '3' --
> command-fd '4' ... out of the chroot

--status-fd and --command-fd are arguments used to direct gpg to use
different file descriptors (3 and 4, here) to handle status and
commands. Since you are not opening such file descriptors when running
it standalone, gpg complains. It's normal.
If you want to run it manually, you should remove both --status-fd 3
and --command-fd 4


> For point b) they recommand not to use urandom, that's why I asked
> the question about arc4random()
>
> Regards

You would need to recompile gpg with that change / convince the OpenBSD
maintainer of gpg to patch it to use arc4random() instead.

My recommendation: create the /dev nodes inside the chroot


Regards
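Ángel's point, as an added sh example that is not part of the thread: gpg writes to the descriptor named by --status-fd and reads from the one named by --command-fd, but it never opens them itself; the wrapper that launches it does. The script below uses a small shell function called child as a stand-in for gpg (so it runs without GnuPG installed) and shows the same command failing with "Bad file descriptor" when descriptors 3 and 4 are closed, and succeeding when the caller has wired them up. The "[GNUPG:]" status line and the "listkeys" command are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the thread): why "--status-fd 3 --command-fd 4"
# fails at an interactive prompt. A program only uses the descriptors it
# is told about; if the parent did not open them, every access gets EBADF,
# which is the errno behind gpg's "Bad file descriptor" message.

# child: stands in for gpg's status/command handling. Writes one status
# line to fd 3 and reads one command line from fd 4. A redirection onto a
# closed descriptor fails, so the shell reports EBADF just as gpg would.
child() {
    if ! printf '[GNUPG:] STATUS_OK\n' >&3; then
        echo 'child: status-fd is invalid: Bad file descriptor' >&2
        return 2
    fi
    if ! read -r cmd <&4; then
        echo 'child: command-fd is invalid: Bad file descriptor' >&2
        return 2
    fi
    echo "child: received command: $cmd"
}

# run_without_fds: the interactive case. 3>&- and 4<&- explicitly close
# both descriptors so the result does not depend on what the calling
# shell happened to inherit. Returns the child's failure code (2).
run_without_fds() {
    child 3>&- 4<&-
}

# run_with_fds: the wrapper case. fd 3 -> a status log, fd 4 <- a pipe
# carrying commands, stdout untouched for the program's real output.
# Prints the child's stdout, then the status lines captured on fd 3.
run_with_fds() {
    status_log=${TMPDIR:-/tmp}/status.$$
    printf 'listkeys\n' | child 3>"$status_log" 4<&0
    cat "$status_log"
    rm -f "$status_log"
}

# With real gpg the same shape is:
#   gpg2 --status-fd 3 --command-fd 4 --list-secret-keys 3>status.log 4</dev/null
# or, as suggested above, simply drop both options when running it by hand.
```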

Re: Gnupg on openbsd with enigma roundcube plugin
Thank you Angel for these explanations.

On Monday, 26 September 2022 at 00:34:12 UTC+2, Ángel <angel@pgp.16bits.net> wrote:

[...]

Re: Gnupg on openbsd with enigma roundcube plugin
On Mon, 26 Sep 2022 00:30, Ángel said:

> You would need to recompile gpg with that change / convince the OpenBSD

Please don't do that. Actually you would have to recompile Libgcrypt.
But don't do that (recompile with changes to the random code).

> My recommendation: create the /dev nodes inside the chroot

Yes. You may also want to run gpg-agent via the agent-extra-socket (see
gpgconf -L) thing for extra security; it's not an out-of-the-box feature,
though. gpg-agent takes care of the private keys and having it isolated
from the web server is a Good Thing.


Salam-Shalom,

Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein