
Re: [pkg-gnupg-maint] Beware of leftover gpg-agent processes

On Fri 2016-08-05 14:17:23 -0400, Stefano Zacchiroli wrote:
> On Fri, Aug 05, 2016 at 12:41:18PM -0400, Daniel Kahn Gillmor wrote:
>> On desktop systems (where i'd expect the majority of secret key access
>> happens), for folks who are running systemd, i recommend enabling the
>> systemd user services, as documented in
>> /usr/share/doc/{gnupg-agent,dirmngr}/README.Debian :
>>   systemctl --user enable gpg-agent
>>   systemctl --user enable dirmngr
> Thanks for the tip. Do you know if this is needed also for GNOME (or
> other FreeDesktop) session users? Within GNOME, on Debian testing, I see
> that my running gpg-agent process is already a direct child of systemd
> (PID 1), but I'm not sure if that's because it has been started by it,
> or rather because the GPG process that originally spawned it is now gone.

gpg-agent and dirmngr "background" themselves, so they'll always have
ppid 1.

that said, under systemd, they'll be grouped into control groups on the
basis of how/where they were launched.

The simplest way to see the control group hierarchy is with "systemctl
status".  When these processes are launched by the user service, they'll
end up in the user@NNNN.service like this:

             │ ├─session-1.scope
             │ │ ├─ 2884 /usr/bin/rxvt
             │ │ ├─32603 less
             │ │ ├─32605 rxvt -geometry 80x26
             │ │ └─32606 bash
             │ └─user@1000.service
             │   ├─gpg-agent.service
             │   │ ├─ 2804 /usr/bin/gpg-agent --daemon --homedir /home/dkg/.gnupg
             │   │ └─23655 scdaemon --multi-server
             │   ├─dirmngr.service
             │   │ └─2805 /usr/bin/dirmngr --daemon --homedir /home/dkg/.gnupg

If they've been autolaunched, they'll end up in the session-X.scope.

> FWIW gpg-agent/dirmngr are currently _not_ marked as enabled in my user
> session, I've checked with (systemctl --user status).

right, they're not enabled by default yet.  see

> Thanks a lot for your work on GPG dkg, I'm really thrilled to see gpg2
> becoming the default!



Attachment: signature.asc
Description: PGP signature
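
One way to check which of the two cases described above applies to the daemons on a system, as an added example that is not part of the original message: it reads each process's systemd cgroup from /proc/PID/cgroup and reports whether it sits in a service under user@UID.service or in a session-N.scope. The function names and sample lines are constructed for illustration, and the script assumes Linux with the procps `pgrep`.

```shell
#!/bin/sh
# Added example (not from the original message): report whether GnuPG daemons
# were started by the systemd user service or autolaunched inside a session.

# Constructed sample lines in /proc/PID/cgroup format (cgroup v1 and v2).
SAMPLE_SERVICE='1:name=systemd:/user.slice/user-1000.slice/user@1000.service/gpg-agent.service'
SAMPLE_SESSION='1:name=systemd:/user.slice/user-1000.slice/session-1.scope'
SAMPLE_V2='0::/user.slice/user-1000.slice/user@1000.service/app.slice/dirmngr.service'

# systemd_line FILE: print the line of a cgroup file that systemd manages
# (the name=systemd hierarchy on v1, the "0::" entry on v2).
systemd_line() {
    grep -E ':name=systemd:|^0::' "$1" 2>/dev/null | head -n 1
}

# classify_cgroup LINE: print user-service, session-scope or other.
# Assumption: "user-service" means a .service unit below user@UID.service.
classify_cgroup() {
    path=${1##*:}    # text after the last ':' is the cgroup path
    case "$path" in
        */user@*.service/*.service) echo user-service ;;
        */session-*.scope*)         echo session-scope ;;
        *)                          echo other ;;
    esac
}

# report_agents: one line (pid, name, class) per daemon of the current user.
report_agents() {
    for name in gpg-agent dirmngr scdaemon; do
        for pid in $(pgrep -u "$(id -u)" -x "$name" 2>/dev/null); do
            line=$(systemd_line "/proc/$pid/cgroup") || true
            printf '%s\t%s\t%s\n' "$pid" "$name" "$(classify_cgroup "$line")"
        done
    done
}

report_agents
```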
