Bug#993441: kleopatra: Creates unsafe ~/.gnupg when not already present
Package: kleopatra
Version: 4:21.08.0-1
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

I had previously 'improved' my gnupg configuration, but that is (now)
deprecated.
So I moved my ~/.gnupg directory to a backup location to start anew.

If I then start Kleopatra, but don't do anything with it, that directory
gets created, but with the wrong permissions:

diederik@bagend:~$ stat .gnupg/
File: .gnupg/
Size: 4096 Blocks: 8 IO Block: 4096 directory
Device: 10304h/66308d Inode: 12845182 Links: 3
Access: (0755/drwxr-xr-x) Uid: ( 1000/diederik) Gid: ( 1000/diederik)

Running a gpg command from a Konsole window reports the issue:

diederik@bagend:~$ gpg --list-keys
gpg: WARNING: unsafe permissions on homedir '/home/diederik/.gnupg'

If I uninstall Kleopatra and remove the ~/.gnupg directory (again) and
then do 'gpg --list-keys', I get:

diederik@bagend:~$ gpg --list-keys
gpg: directory '/home/diederik/.gnupg' created
gpg: keybox '/home/diederik/.gnupg/pubring.kbx' created
gpg: /home/diederik/.gnupg/trustdb.gpg: trustdb created
diederik@bagend:~$ stat .gnupg/
File: .gnupg/
Size: 4096 Blocks: 8 IO Block: 4096 directory
Device: 10304h/66308d Inode: 12845180 Links: 2
Access: (0700/drwx------) Uid: ( 1000/diederik) Gid: ( 1000/diederik)

So Kleopatra creates ~/.gnupg with incorrect permissions when the
directory doesn't exist.

Cheers,
Diederik

-- System Information:
Debian Release: bookworm/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'unstable'), (500, 'testing'), (101, 'experimental'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: arm64
Kernel: Linux 5.10.0-8-amd64 (SMP w/16 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages kleopatra depends on:
ii dirmngr 2.2.27-2
ii gnupg 2.2.27-2
ii gpgsm 2.2.27-2
ii libassuan0 2.5.5-1
ii libc6 2.31-17
ii libgcc-s1 11.2.0-3
ii libgpg-error0 1.42-3
ii libgpgme11 1.16.0-1
ii libgpgmepp6 1.16.0-1
ii libkf5codecs5 5.85.0-2
ii libkf5configcore5 5.85.0-2
ii libkf5configgui5 5.85.0-2
ii libkf5configwidgets5 5.85.0-2
ii libkf5coreaddons5 5.85.0-2
ii libkf5crash5 5.85.0-2
ii libkf5dbusaddons5 5.85.0-2
ii libkf5i18n5 5.85.0-2
ii libkf5iconthemes5 5.85.0-2
ii libkf5itemmodels5 5.85.0-2
ii libkf5libkleo5 [libkf5libkleo5-21.08] 4:21.08.0-1
ii libkf5mime5abi1 [libkf5mime5-21.08] 21.08.0-1
ii libkf5notifications5 5.85.0-3
ii libkf5textwidgets5 5.85.0-2
ii libkf5widgetsaddons5 5.85.0-2
ii libkf5windowsystem5 5.85.0-2
ii libkf5xmlgui5 5.85.0-3
ii libqgpgme7 1.16.0-1
ii libqt5core5a 5.15.2+dfsg-10
ii libqt5dbus5 5.15.2+dfsg-10
ii libqt5gui5 5.15.2+dfsg-10
ii libqt5network5 5.15.2+dfsg-10
ii libqt5printsupport5 5.15.2+dfsg-10
ii libqt5widgets5 5.15.2+dfsg-10
ii libstdc++6 11.2.0-3
ii paperkey 1.6-1
ii pinentry-qt 1.1.1-1
kleopatra recommends no packages.
kleopatra suggests no packages.
-- no debconf information
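
Added example (not part of the original report, and not Kleopatra or GnuPG code): a shell check for the 0755 versus 0700 difference shown in the two stat outputs above, next to umask-dependent and explicit-mode directory creation, run against a constructed scratch directory. The function names and the umask of 022 are assumptions; the report does not say how Kleopatra creates the directory.

```shell
#!/bin/sh
# Added example: audits a GnuPG-style home directory and contrasts two ways
# of creating it. Uses a scratch directory, never the real ~/.gnupg.

# Octal permission bits of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# 0 = no group/other bits, 1 = group/other bits set, 2 = missing directory.
homedir_is_private() {
    [ -d "$1" ] || return 2
    m=$(mode_of "$1") || return 2
    [ $(( 0$m & 077 )) -eq 0 ]
}

# Creation that inherits the process umask (assumed 022 here): yields 0755.
create_with_umask() {
    ( umask 022 && mkdir "$1" )
}

# Creation with an explicit mode, so the umask no longer decides the result.
create_private() {
    ( umask 022 && mkdir -m 700 "$1" )
}

# Repair an existing directory; files inside keep their own modes.
repair_homedir() {
    chmod 700 "$1"
}

# One-line verdict: "ok <mode>", "unsafe <mode>" or "missing".
audit() {
    rc=0
    homedir_is_private "$1" || rc=$?
    case $rc in
        0) echo "ok $(mode_of "$1")" ;;
        1) echo "unsafe $(mode_of "$1")" ;;
        *) echo "missing" ;;
    esac
}

scratch=$(mktemp -d)                 # constructed sandbox for the demo
create_with_umask "$scratch/a"; audit "$scratch/a"
create_private "$scratch/b";    audit "$scratch/b"
repair_homedir "$scratch/a";    audit "$scratch/a"
rm -rf "$scratch"
```

To check a real profile, call audit "${GNUPGHOME:-$HOME/.gnupg}" after sourcing the functions.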