Debian Bug report logs - #146345
[DEBIAN/BLOCKED][gnupg/928] gnupg: build with --enable-selinux-support

Package: gnupg; Maintainer for gnupg is Debian GnuPG-Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>; Source for gnupg is src:gnupg.

Reported by: russell@coker.com.au

Date: Thu, 9 May 2002 06:03:01 UTC

Severity: wishlist

Tags: upstream

Found in version 1.0.6-3

Forwarded to upstream



Report forwarded to debian-bugs-dist@lists.debian.org, James Troup <james@nocrew.org>, gnupg@packages.qa.debian.org:
Bug#146345; Package gnupg. Full text and rfc822 format available.

Acknowledgement sent to russell@coker.com.au:
New Bug report received and forwarded. Copy sent to James Troup <james@nocrew.org>, gnupg@packages.qa.debian.org. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: russell@coker.com.au
To: submit@bugs.debian.org
Subject: gnupg: Can't restrict access to secring.gpg
Date: Thu, 9 May 2002 11:56:32 +1000 (EST)
Package: gnupg
Version: 1.0.6-3
Severity: wishlist

In my SE Linux configuration I have set it up such that only the gpg process
may access the files under ~/.gnupg to reduce the risk of a secret key being
stolen if a hostile script is accidentally run.

However a hostile script could encrypt the secring.gpg file to an output file
under /tmp and thus avoid this!

I would like to have gpg either check sym-links etc and refuse to open a file
under ~/.gnupg as a source for encryption, or have it call a separate process
whose sole purpose is to manipulate the secret key file (in which case I can
deny the main gpg program direct read access to that file).

-- System Information
Debian Release: 3.0
Kernel Version: Linux lyta 2.4.18lsm #1 Mon Apr 22 16:08:25 CEST 2002 i686 unknown

Versions of the packages gnupg depends on:
ii  devfsd         1.3.25-6       Daemon for the device filesystem
ii  libc6          2.2.5-6        GNU C Library: Shared libraries and Timezone
ii  libgdbmg1      1.7.3-27       GNU dbm database routines (runtime version).
ii  makedev        2.3.1-58       Creates device files in /dev.
ii  zlib1g         1.1.4-1        compression library - runtime



Information forwarded to debian-bugs-dist@lists.debian.org, James Troup <james@nocrew.org>, gnupg@packages.qa.debian.org:
Bug#146345; Package gnupg. Full text and rfc822 format available.

Acknowledgement sent to Werner Koch <wk@gnupg.org>:
Extra info received and forwarded to list. Copy sent to James Troup <james@nocrew.org>, gnupg@packages.qa.debian.org. Full text and rfc822 format available.

Message #10 received at 146345@bugs.debian.org (full text, mbox):

From: Werner Koch <wk@gnupg.org>
To: russell@coker.com.au
Cc: 146345@bugs.debian.org
Subject: Re: Bug#146345: gnupg: Can't restrict access to secring.gpg
Date: Thu, 09 May 2002 11:25:06 +0200

On Thu, 9 May 2002 11:56:32 +1000 (EST), russell said:

> However a hostile script could encrypt the secring.gpg file to an output file
> under /tmp and thus avoid this!

I have not yet looked closely at SE-GNU/Linux so I don't know any
details regarding ACL etc.

> I would like to have gpg either check sym-links etc and refuse to open a file
> under ~/.gnupg as a source for encryption, or have it call a separate process

1.0.7 checks that permissions are sane but this won't help here.  Well,
we could refuse to open a file in ~/.gnupg but this is not easy and might
break existing applications.  I wonder whether there is a syscall to help
with this.

> whose sole purpose is to manipulate the secret key file (in which case I can
> deny the main gpg program direct read access to that file).

Future versions will separate secret key access into a separate process
(gpg-agent). Have a look at http://www.gnupg.org/aegypten/ for some
architectural notes.

  Werner




Information forwarded to debian-bugs-dist@lists.debian.org, James Troup <james@nocrew.org>, gnupg@packages.qa.debian.org:
Bug#146345; Package gnupg. Full text and rfc822 format available.

Acknowledgement sent to Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>:
Extra info received and forwarded to list. Copy sent to James Troup <james@nocrew.org>, gnupg@packages.qa.debian.org. Full text and rfc822 format available.

Message #15 received at 146345@bugs.debian.org (full text, mbox):

From: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>
To: Werner Koch <wk@gnupg.org>
Cc: 146345@bugs.debian.org, russell@coker.com.au
Subject: Re: Bug#146345: gnupg: Can't restrict access to secring.gpg
Date: Thu, 09 May 2002 20:20:25 +0200

Werner Koch <wk@gnupg.org> writes:

>> I would like to have gpg either check sym-links etc and refuse to open a file
>> under ~/.gnupg as a source for encryption, or have it call a separate process
>
> 1.0.7 checks that permissions are sane but this won't help here.  Well,
> we could refuse to open a file in ~/.gnupg but this is not easy and might
> break existing applications.  I wonder whether there is a syscall to help
> with this.

fstat() and compare ft_dev/ft_ino fields with the values for
~/.gnupg/secring.gpg?

-- 
Florian Weimer 	                  Weimer@CERT.Uni-Stuttgart.DE
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898
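
The check suggested in the message above, as an added example (not code from GnuPG or from this bug log): it compares the `st_dev`/`st_ino` members that `fstat()` fills in `struct stat` with those of the protected file, which catches symlinks and hard links that a path comparison would miss. The scratch directory, the stand-in `secring.gpg` and all function names are constructed for the illustration.

```c
#define _XOPEN_SOURCE 700            /* for mkdtemp() and symlink() */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if descriptor fd is the same file as `secured`, 0 if not, -1 on error.
 * Identity is (st_dev, st_ino), so the name used to open it is irrelevant. */
int fd_is_secured(int fd, const char *secured)
{
    struct stat in, sec;
    if (fstat(fd, &in) != 0 || stat(secured, &sec) != 0)
        return -1;
    return in.st_dev == sec.st_dev && in.st_ino == sec.st_ino;
}

/* Check the descriptor actually opened for `path`, not the path string. */
int path_is_secured(const char *path, const char *secured)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    int r = fd_is_secured(fd, secured);
    close(fd);
    return r;
}

/* Constructed self-check in a scratch directory. Bitmask of matches:
 * 1 = direct path, 2 = symlink, 4 = hard link, 8 = unrelated file. */
int demo(void)
{
    char dir[] = "/tmp/inochk.XXXXXX", sec[64], sym[64], hard[64], other[64];
    if (!mkdtemp(dir))
        return -1;
    snprintf(sec, sizeof sec, "%s/secring.gpg", dir);  /* stand-in file */
    snprintf(sym, sizeof sym, "%s/sym", dir);
    snprintf(hard, sizeof hard, "%s/hard", dir);
    snprintf(other, sizeof other, "%s/other", dir);
    FILE *a = fopen(sec, "w"), *b = fopen(other, "w");
    if (!a || !b || symlink(sec, sym) != 0 || link(sec, hard) != 0)
        return -1;
    fclose(a); fclose(b);
    int bits = (path_is_secured(sec, sec) == 1) | ((path_is_secured(sym, sec) == 1) << 1)
             | ((path_is_secured(hard, sec) == 1) << 2) | ((path_is_secured(other, sec) == 1) << 3);
    unlink(sym); unlink(hard); unlink(other); unlink(sec); rmdir(dir);
    return bits;
}

int main(void) { return demo() == 7 ? 0 : 1; }
```

Because `fd_is_secured()` works on a descriptor, calling it on fd 0 also covers input that arrives by shell redirection rather than by file name.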



Information forwarded to debian-bugs-dist@lists.debian.org, James Troup <james@nocrew.org>, gnupg@packages.qa.debian.org:
Bug#146345; Package gnupg. Full text and rfc822 format available.

Acknowledgement sent to Russell Coker <russell@coker.com.au>:
Extra info received and forwarded to list. Copy sent to James Troup <james@nocrew.org>, gnupg@packages.qa.debian.org. Full text and rfc822 format available.

Message #20 received at 146345@bugs.debian.org (full text, mbox):

From: Russell Coker <russell@coker.com.au>
To: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>, Werner Koch <wk@gnupg.org>
Cc: 146345@bugs.debian.org
Subject: Re: Bug#146345: gnupg: Can't restrict access to secring.gpg
Date: Fri, 10 May 2002 14:55:26 +1000

On Fri, 10 May 2002 04:20, Florian Weimer wrote:
> Werner Koch <wk@gnupg.org> writes:
> >> I would like to have gpg either check sym-links etc and refuse to open a
> >> file under ~/.gnupg as a source for encryption, or have it call a
> >> separate process
> >
> > 1.0.7 checks that permissions are sane but this won't help here.  Well,
> > we could refuse to open a file in ~/.gnupg but this is not easy and might
> > break existing applications.  I wonder whether there is a syscall to help
> > with this.
>
> fstat() and compare ft_dev/ft_ino fields with the values for
> ~/.gnupg/secring.gpg?

Sounds good to me!

The way SE Linux works is that there is a security policy determining what 
access to various objects (files, network connections, etc) each "domain" is 
given.  Each process will be in one of the domains, and the domain can change 
at exec() time.  So if the main gpg process read the secret file by 
fork()/exec() on a separate program, we could then have a security policy 
rule stating that the separate program runs in a different domain which has 
read access to the secret key.


Russell Coker



Noted your statement that Bug has been forwarded to upstream. Request was from James Troup <james@nocrew.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: upstream Request was from James Troup <james@nocrew.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, James Troup <james@nocrew.org>:
Bug#146345; Package gnupg. Full text and rfc822 format available.

Acknowledgement sent to Daniel Leidert (dale) <daniel.leidert@wgdd.de>:
Extra info received and forwarded to list. Copy sent to James Troup <james@nocrew.org>. Full text and rfc822 format available.

Message #29 received at 146345@bugs.debian.org (full text, mbox):

From: Daniel Leidert (dale) <daniel.leidert@wgdd.de>
To: control@bugs.debian.org
Cc: 146345@bugs.debian.org
Subject: tagging 146345
Date: Wed, 02 Apr 2008 01:43:22 +0200

# Automatically generated email from bts, devscripts version 2.10.20
# looks fixed since a 1.3 release, see the --enable-selinux-support configure option
tags 146345 + fixed-upstream





Tags added: fixed-upstream Request was from Daniel Leidert (dale) <daniel.leidert@wgdd.de> to control@bugs.debian.org. (Tue, 01 Apr 2008 23:48:06 GMT) Full text and rfc822 format available.

Reply sent to Daniel Leidert <daniel.leidert@wgdd.de>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to russell@coker.com.au:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #36 received at 146345-done@bugs.debian.org (full text, mbox):

From: Daniel Leidert <daniel.leidert@wgdd.de>
To: 146345-done@bugs.debian.org
Subject: gnupg: Can't restrict access to secring.gpg
Date: Fri, 06 Jun 2008 02:15:29 +0200

It is my belief that this particular issue has already been fixed
upstream some time ago.

I'm therefore closing this report now. Please feel free to comment on
this decision or reopen the report if necessary.

Regards, Daniel





Information forwarded to debian-bugs-dist@lists.debian.org, Sune Vuorela <debian@pusling.com>:
Bug#146345; Package gnupg. Full text and rfc822 format available.

Acknowledgement sent to russell@coker.com.au:
Extra info received and forwarded to list. Copy sent to Sune Vuorela <debian@pusling.com>. Full text and rfc822 format available.

Message #41 received at 146345@bugs.debian.org (full text, mbox):

From: Russell Coker <russell@coker.com.au>
To: 146345@bugs.debian.org
Subject: not fixed in Debian
Date: Fri, 6 Jun 2008 11:27:27 +1000

reopen 146345
thanks

gpg -c < .gnupg/secring.gpg > out
gpg: can't open `[stdin]': Operation not permitted
gpg: symmetric encryption of `[stdin]' failed: file open error

If built with --enable-selinux-support the above is the expected output.  
Currently it will just encrypt the secret key.

The following patch needs to be applied:

diff -ru gnupg-1.4.9.bak/debian/rules gnupg-1.4.9/debian/rules
--- gnupg-1.4.9.bak/debian/rules        2008-06-06 11:05:02.000000000 +1000
+++ gnupg-1.4.9/debian/rules    2008-06-06 11:09:45.000000000 +1000
@@ -18,7 +18,7 @@
 endif


-CONFARGS 
= --prefix=/usr --libexecdir=/usr/lib/ --enable-mailto --with-mailprog=/usr/sbin/sendmail
+CONFARGS 
= --prefix=/usr --libexecdir=/usr/lib/ --enable-mailto --with-mailprog=/usr/sbin/sendmail --enable-selinux-support

 install_dir=install -d -m 755
 install_file=install -m 644
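
Review bot: the `+CONFARGS` line adds `--enable-selinux-support` outside the conditional that ends at the `endif` context line, so it applies to every build, and the patch touches only debian/rules, so the user-visible change it brings (gpg refusing the secret keyring as input, as in the transcript above the patch) goes undocumented. Suggest adding a debian/changelog entry and a NEWS.Debian note to the same patch, and settling how `--export-secret-keys` should behave first, since the follow-up message in this log reports that the option prevents it.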




Information forwarded to debian-bugs-dist@lists.debian.org, Sune Vuorela <debian@pusling.com>:
Bug#146345; Package gnupg. Full text and rfc822 format available.

Acknowledgement sent to russell@coker.com.au:
Extra info received and forwarded to list. Copy sent to Sune Vuorela <debian@pusling.com>. Full text and rfc822 format available.

Message #46 received at 146345@bugs.debian.org (full text, mbox):

From: Russell Coker <russell@coker.com.au>
To: 146345@bugs.debian.org
Subject: restricting --export-secret-keys
Date: Fri, 6 Jun 2008 12:58:33 +1000

http://etbe.coker.com.au/2008/06/06/se-linux-support-gpg/

One issue of this feature is that it prevents --export-secret-keys.  
Determining the correct way of dealing with this will take some time.  It 
might be appropriate to not have this new GPG feature enabled in the case 
of --export-secret-keys but only apply to operations 
like "gpg -c --output /tmp/foo.gpg ~/.gnupg/secring.gpg".

See my above blog post for some more background data (and probably some 
comments soon).




Information forwarded to debian-bugs-dist@lists.debian.org, Sune Vuorela <debian@pusling.com>:
Bug#146345; Package gnupg. Full text and rfc822 format available.

Acknowledgement sent to Daniel Leidert <daniel.leidert@wgdd.de>:
Extra info received and forwarded to list. Copy sent to Sune Vuorela <debian@pusling.com>. Full text and rfc822 format available.

Message #51 received at 146345@bugs.debian.org (full text, mbox):

From: Daniel Leidert <daniel.leidert@wgdd.de>
To: 146345@bugs.debian.org, control@bugs.debian.org
Cc: pkg-gnupg-maint@lists.alioth.debian.org, 146345-submitter@bugs.debian.org
Subject: gnupg: Can't restrict access to secring.gpg
Date: Sat, 07 Jun 2008 12:34:38 +0200

retitle 146345 Please build with --enable-selinux-support (restrict access to secring.gpg)
thanks

Hi,

Building gnupg with --enable-selinux-support is probably impossible for
Lenny. But we will examine it for Lenny+1.

Regards, Daniel





Changed Bug title to `Please build with --enable-selinux-support (restrict access to secring.gpg)' from `gnupg: Can't restrict access to secring.gpg'. Request was from Daniel Leidert <daniel.leidert@wgdd.de> to control@bugs.debian.org. (Sat, 07 Jun 2008 10:39:03 GMT) Full text and rfc822 format available.

Message sent on to russell@coker.com.au:
Bug#146345. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuPG-Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>:
Bug#146345; Package gnupg. Full text and rfc822 format available.

Acknowledgement sent to Daniel Leidert <daniel.leidert@wgdd.de>:
Extra info received and forwarded to list. Copy sent to Debian GnuPG-Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #61 received at 146345@bugs.debian.org (full text, mbox):

From: Daniel Leidert <daniel.leidert@wgdd.de>
To: 146345@bugs.debian.org
Subject: Please build with --enable-selinux-support (restrict access to secring.gpg)
Date: Tue, 10 Jun 2008 04:31:58 +0200

Just as information: We should probably not add this configure option,
as long as https://bugs.g10code.com/gnupg/issue928 is not implemented.





Bug reopened, originator not changed. Request was from Daniel Leidert (dale) <daniel.leidert@wgdd.de> to control@bugs.debian.org. (Tue, 10 Jun 2008 02:33:06 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuPG-Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>:
Bug#146345; Package gnupg. (Thu, 07 May 2009 10:18:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Daniel Leidert" <daniel.leidert@wgdd.de>:
Extra info received and forwarded to list. Copy sent to Debian GnuPG-Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>. (Thu, 07 May 2009 10:18:03 GMT) Full text and rfc822 format available.

Message #68 received at 146345@bugs.debian.org (full text, mbox):

From: "Daniel Leidert" <daniel.leidert@wgdd.de>
To: 146345@bugs.debian.org
Subject: Please build with --enable-selinux-support (restrict access to secring.gpg)
Date: Thu, 7 May 2009 11:57:45 +0200 (CEST)

I'm currently in favor of building separate gnupg packages with SELinux
support. This will give us the possibility to test things and help upstream
to come to a version which can enable/disable SELinux support during
runtime. See https://bugs.g10code.com/gnupg/msg2499.

Regards, Daniel





Changed Bug title to `DEB: gnupg: build with --enable-selinux-support' from `Please build with --enable-selinux-support (restrict access to secring.gpg)'. Request was from Daniel Leidert <daniel.leidert@wgdd.de> (dale) to control@bugs.debian.org. (Fri, 08 May 2009 10:51:02 GMT) Full text and rfc822 format available.

Changed Bug title to `DEBIAN: gnupg: build with --enable-selinux-support' from `DEB: gnupg: build with --enable-selinux-support'. Request was from Daniel Leidert (dale) <daniel.leidert@wgdd.de> to control@bugs.debian.org. (Mon, 11 May 2009 10:09:09 GMT) Full text and rfc822 format available.

Changed Bug title to '[GnuPG/928] DEBIAN/BLOCKED: gnupg: build with --enable-selinux-support' from 'DEBIAN: gnupg: build with --enable-selinux-support' Request was from Daniel Leidert (dale) <daniel.leidert@wgdd.de> to control@bugs.debian.org. (Tue, 15 Sep 2009 15:24:19 GMT) Full text and rfc822 format available.

Changed Bug title to '[gnupg/928] DEBIAN/BLOCKED: gnupg: build with --enable-selinux-support' from '[GnuPG/928] DEBIAN/BLOCKED: gnupg: build with --enable-selinux-support' Request was from Daniel Leidert (dale) <daniel.leidert@wgdd.de> to control@bugs.debian.org. (Tue, 15 Sep 2009 15:30:09 GMT) Full text and rfc822 format available.

Changed Bug title to '[DEBIAN/BLOCKED][gnupg/928] gnupg: build with --enable-selinux-support' from '[gnupg/928] DEBIAN/BLOCKED: gnupg: build with --enable-selinux-support' Request was from Daniel Leidert (dale) <daniel.leidert@wgdd.de> to control@bugs.debian.org. (Fri, 29 Jan 2010 10:45:03 GMT) Full text and rfc822 format available.

Removed tag(s) fixed-upstream. Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. (Wed, 27 Oct 2010 10:24:06 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 19:23:41 2014; Machine Name: buxtehude.debian.org
