
[gpg-agent] Empty OPTION xauthority=
Hello,

I am running a MicroOS-based distro (which means a read-only host and all
work done in podman containers using distrobox). Because I am afraid
gpg-agent gets confused when it is started from inside a container, I am
running it on the host with systemd --user services (configuration according
to https://wiki.archlinux.org/title/GnuPG#gpg-agent). When trying to
decrypt a GPG-encrypted file on the host, everything works fine, but when I
try to decrypt a file in a container (or when using pass(1)) suddenly I
get an error (it worked for months before, and I am really not certain
what changed now):

tumbleweed-pkg~$ LANG=en_GB.utf8 gpg --decrypt ~/.local/share/password-store/mozilla/identita.csob.cz.gpg
gpg: encrypted with rsa4096 key, ID 77D15A36BD4211B2, created 2016-04-27
"Matěj Cepl <mcepl@cepl.eu>"
gpg: Warning: not using 'D96484AC' as default key: No secret key
gpg: Warning: not using '880BC9D8' as default key: No secret key
gpg: all values passed to '--default-key' ignored
gpg: keydb_search failed: IPC syntax error
gpg: public key decryption failed: No secret key
gpg: decryption failed: No secret key
tumbleweed-pkg~$

When looking at the log file I see this:

2024-03-02 10:53:20 gpg-agent[2434] DBG: chan_10 <- OPTION xauthority=
2024-03-02 10:53:20 gpg-agent[2434] DBG: chan_10 -> ERR 67109140 Chyba syntaxe IPC <GPG agent> - option argument expected
2024-03-02 10:53:20 gpg-agent[2434] DBG: chan_10 <- BYE

(“Chyba syntaxe” obviously means “syntax error” in Czech). I have to
admit I am a bit lost in that protocol log. Who is sending that “OPTION
xauthority=” line, and what should its right value be when running
on Wayland (no Xorg around)?

Thank you for any advice,

Matěj Cepl

--
http://matej.ceplovi.cz/blog/, @mcepl@floss.social
GPG Finger: 3C76 A027 CA45 AD70 98B5 BC1D 7920 5802 880B C9D8

[…] sleep is no substitute for caffeine.
-- Robert Storey in review of Debian
(when describing re-compilation of kernel :-))


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [gpg-agent] Empty OPTION xauthority=
Hi!

On Sat, 2 Mar 2024 20:54, mcepl@cepl.eu said:

> am running it on host with systemd --user services (configuration

Take care, the use of systemd is racy and support will be removed in
2.6.

> gpg: all values passed to '--default-key' ignored
> gpg: keydb_search failed: IPC syntax error

(You may use --debug=ipc also with gpg to see what is going on.)

> 2024-03-02 10:53:20 gpg-agent[2434] DBG: chan_10 <- OPTION xauthority=

gpg-agent receives this from gpg. Look:

$ gpg-connect-agent
> option xauthority=
ERR 67109140 IPC syntax error <GPG Agent> - option argument expected
> option xauthority
OK

gpg takes the value for xauthority from the envvar XAUTHORITY. In your
case it seems that this envvar is set to the empty string, which results
in the above syntax error. Using xauthority without a value and thus
without the '=' removes the value from gpg-agent's environment.

In theory it would be possible to ignore the empty string, but given that
we have had the code this way for 20 years, the risk of a regression is too
high. Please figure out why XAUTHORITY is set to the empty string.
XAUTHORITY is only needed if you don't use ~/.Xauthority to store the
X11 magic cookies; see xauth(1).


Shalom-Salam,

Werner


--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
Re: [gpg-agent] Empty OPTION xauthority=
On Sun Mar 3, 2024 at 10:05 AM CET, Werner Koch wrote:
> > am running it on host with systemd --user services (configuration
>
> Take care, the use of systemd is racy and support will be removed in
> 2.6.

1. Could you please explain why it is racy? Why, of all services,
is only gpg unsuitable for systemd treatment? It is just one
socket like any other, isn’t it? Could you point to some issue
ticket, email thread or blog post explaining the problem?
2. When running on a MicroOS system (or Fedora Atomic), how could
you guarantee that there is only one gpg-agent and that gpg
doesn't try to run it inside of a container, thus making it
inaccessible to other containers on the system (Flatpak or
podman) and to the host system? I don't see any other solution
than permanently running one gpg-agent on the host system, open
to everybody, which the systemd --user service seems to provide
nicely.

> gpg takes the value for xauthority from the envvar XAUTHORITY. In your
> case it seems that this envvar is set to the empty string, which results
> in the above syntax error. Using xauthority without a value and thus
> without the '=' removes the value from gpg-agent's environment.

Yes, thank you for kicking me in the right
direction, I found a bug in distrobox
(https://github.com/89luca89/distrobox/pull/1252).

> In theory it would be possible to ignore the empty string, but given that
> we have had the code this way for 20 years, the risk of a regression is too
> high.

What? You know there is a vulnerability in gpg (actually,
couldn't the particularly modified environment be abused for some
DoD style attack?) and you don't want to fix it, because you had
that bug there long enough? I probably do not understand what you
were trying to say.

> Please figure out why XAUTHORITY is set to the empty string.
> XAUTHORITY is only needed if you don't use ~/.Xauthority to store the
> X11 magic cookies; see xauth(1).

I have a Wayland-only system (based on sway), so all the XAUTH*
variables are nonsensical here.

Best,

Matěj

--
http://matej.ceplovi.cz/blog/, @mcepl@floss.social
GPG Finger: 3C76 A027 CA45 AD70 98B5 BC1D 7920 5802 880B C9D8

Monday, December 9th. We skip the bus tour of Stockholm to attend
the economics lecture. Our guest status is again good for front
row seats. We hear about the theory of auctions. There are
integrals and derivatives. It’s like physics except physics
works.
Re: [gpg-agent] Empty OPTION xauthority=
On Sun, 3 Mar 2024 20:38, Matěj Cepl said:

> 1. Could you please explain why it is racy? Why from all services

Because all components of gnupg will start gpg-agent and the other
daemons on the fly and make sure that only one is started. Systemd
does not know about this specific start mechanism, and thus you might see
two daemon processes for some time until their self-check detects this
situation. In most cases this is just annoying, but it may very well
happen that the two processes receive different information and are not
able to properly handle the caching. With smartcards you may also run
into lockups because only one process may hold access to a smartcard.
With keyboxd we didn't even implement the systemd start thingy, because
keyboxd acquires a process-lifetime lock on the database and thus a
second process won't be able to get that lock and will time out after some
time.

> 2. When running on MicroOS system (or Fedora Atomic) how could
> you guarantee that there is only one gpg-agent and gpg
> doesn't try to run it inside of a container, thus making it

I have no idea what this is about. In case you need to play interesting
games with the sockets, the gpgconf.ctl mechanism might be helpful.

Using no-autostart in the common.conf might be useful. We use it always
when running a remote gpg.

> What? You know there is a vulnerability in gpg (actually,
> couldn't the particularly modified environment be abused for some

Please read again what I wrote: An empty string for the value is simply
invalid syntax. That is different from not giving a value which is
specified as removing the envvar (cf. "" vs. NULL).

> I have Wayland-only system (based on sway), so whole XAUTH*
> variables are nonsensical here.

Others might be:

$ gpg-connect-agent 'getinfo std_env_names' /bye
D GPG_TTY
D TERM
D DISPLAY
D XAUTHORITY
D XMODIFIERS
D WAYLAND_DISPLAY
D XDG_SESSION_TYPE
D QT_QPA_PLATFORM
D GTK_IM_MODULE
D DBUS_SESSION_BUS_ADDRESS
D QT_IM_MODULE
D INSIDE_EMACS
D PINENTRY_USER_DATA
D PINENTRY_GEOM_HINT



Salam-Shalom,

Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
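As an added example (not code from the thread, from distrobox or from GnuPG), the following POSIX shell script models the two points made above: the difference between `OPTION name`, `OPTION name=value` and `OPTION name=` that Werner describes as "" vs. NULL, and a check over the `std_env_names` list from his output for variables that are exported set-but-empty in the current session, which is the condition that makes gpg send the rejected `OPTION xauthority=` line. The classifier is a simplified illustration of the agent's parsing, not the agent's own code; the variable list is copied from the message above.

```shell
#!/bin/sh
# Added example, not code from the thread or from GnuPG. Models the
# "" vs NULL distinction for Assuan OPTION lines and finds set-but-empty
# environment variables that gpg would forward to gpg-agent.

# Variable names gpg-agent reports via 'getinfo std_env_names'
# (list copied from Werner's message in the thread).
STD_ENV_NAMES="GPG_TTY TERM DISPLAY XAUTHORITY XMODIFIERS WAYLAND_DISPLAY
XDG_SESSION_TYPE QT_QPA_PLATFORM GTK_IM_MODULE DBUS_SESSION_BUS_ADDRESS
QT_IM_MODULE INSIDE_EMACS PINENTRY_USER_DATA PINENTRY_GEOM_HINT"

# Simplified model of how the agent reads an "OPTION name[=value]" line:
#   "OPTION xauthority"        -> value removed from the agent's environment
#   "OPTION xauthority=/path"  -> value set
#   "OPTION xauthority="       -> syntax error: "option argument expected"
# Always returns 0; the printed classification carries the result.
classify_option_line() {
    rest=${1#OPTION }            # drop the command keyword
    name=${rest%%=*}             # text before the first '='
    if [ "$name" = "$rest" ]; then
        printf 'OK unset %s\n' "$name"
        return 0
    fi
    value=${rest#*=}             # text after the first '='
    if [ -z "$value" ]; then
        printf 'ERR option argument expected (%s)\n' "$name"
        return 0
    fi
    printf 'OK set %s=%s\n' "$name" "$value"
}

# Print those of the given names that are exported with an empty value.
# An unset variable is fine (gpg then sends a bare 'OPTION name'); a
# set-but-empty one makes gpg send 'OPTION name=' and the agent rejects it.
# Names come from the fixed list or the caller, so the eval is safe here.
empty_env_vars() {
    for name in "$@"; do
        # ${VAR+set} expands to "set" when VAR is defined, even if empty
        eval "state=\${$name+set}; value=\${$name:-}"
        if [ "$state" = set ] && [ -z "$value" ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Same check over the full std_env_names list.
empty_std_env_vars() {
    # word splitting of the list is intended
    empty_env_vars $STD_ENV_NAMES
}

# Unset each set-but-empty variable among the given names in the current
# shell, so that a following gpg call forwards 'OPTION name' instead.
unset_empty_env_vars() {
    for name in $(empty_env_vars "$@"); do
        unset "$name"
    done
}
```

Source the file into an interactive session (the file name is whatever you save it under), run `empty_std_env_vars` to see which forwarded variables are empty, and `unset_empty_env_vars $STD_ENV_NAMES` before calling gpg or pass; on a Wayland-only session the expected output of the check is an empty XAUTHORITY, matching the `OPTION xauthority=` line in the original log. The functions are written to be sourced rather than executed so that the `unset` takes effect in the calling shell.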
Re: [gpg-agent] Empty OPTION xauthority=
On Mon Mar 4, 2024 at 9:13 AM CET, Werner Koch wrote:
> Because all components of gnupg will start gpg-agent and the other
> daemons oin the fly and make sure that only one is started.

Do I understand it correctly that gnupg contains a smaller version
of systemd (dependency activation) inside of itself and that this
clashes with systemd? Is there some way to switch it off and
make the individual parts of gnupg behave just The Unix Way™: do
one thing (cryptographic operations, gpg-agenting or whatever)
and do it well?

> I have no idea what this is about. In case you need to play interesting
> games with the sockets, the gpgconf.ctl mechanism might be helpful.

MicroOS by openSUSE (and Fedora Atomic and many others;
every Linux distro has its own variant of this, I guess) are
container-oriented systems, where only a minimal host system
is used to run multiple isolated containers (Docker/Podman,
distrobox, or Flatpak). SELinux and other methods are used to
keep these containers isolated from the host system and from one
another; sockets are, under proper circumstances, accessible.

> Using no-autostart in the common.conf might be useful. We use it always
> when running a remote gpg.

That looks interesting, I will look into that.

Best,

Matěj

--
http://matej.ceplovi.cz/blog/, @mcepl@floss.social
GPG Finger: 3C76 A027 CA45 AD70 98B5 BC1D 7920 5802 880B C9D8

Ludwig Boltzmann, who spent much of his life studying statistical
mechanics, died in 1906, by his own hand. Paul Ehrenfest,
carrying on the work, died similarly in 1933. Now it is our turn
to study statistical mechanics.
-- David L. Goodstein “States of Matter”
Re: [gpg-agent] Empty OPTION xauthority=
On Mon, 4 Mar 2024 14:19, Matěj Cepl said:

> Do I understand it correctly that gnupg contains smaller version
> of systemd (dependency activation) inside of itself and that

No. It is not required. Just don't let systemd start gpg-agent or
dirmngr with option --supervised. If you use ssh just make sure that
gpg-agent has been started - this is the same as with ssh-agent.

> MicroOS by openSUSE (and Fedora Atomic and many others,
> every Linux distro has its own variant of this, I guess) are
> container-oriented systems, where only minimal host system
> is used to run multiple isolated containers (Docker/Podman,
> distrobox, or Flatpak). SELinux and other methods are used to

I see. We once looked into running a gpg-agent under a different
account, and with the right glue it should work. It definitely needs some
more work, but given that remote use works, it should not be a major
hassle. The gpgconf.ctl hack might come in handy to force the use of a
different socket directory; see the latest gpgconf man page. It depends
on how things are actually done. There is even a --chuid option to
gpgconf to handle things for a user during session startup.


Shalom-Salam,

Werner


--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein