
Bug#993441: kleopatra: Creates unsafe ~/.gnupg when not already present



Package: kleopatra
Version: 4:21.08.0-1
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

I had previously 'improved' my gnupg configuration, but that is (now)
deprecated.
So I moved my ~/.gnupg directory to a backup location to start anew.

If I then start Kleopatra, but don't do anything with it, that directory
gets created, but with the wrong permissions:
diederik@bagend:~$ stat .gnupg/
  File: .gnupg/
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 10304h/66308d   Inode: 12845182    Links: 3
Access: (0755/drwxr-xr-x)  Uid: ( 1000/diederik)   Gid: ( 1000/diederik)

Running a gpg command from a Konsole window reports the issue:
diederik@bagend:~$ gpg --list-keys
gpg: WARNING: unsafe permissions on homedir '/home/diederik/.gnupg'


If I uninstall Kleopatra and remove the ~/.gnupg directory (again) and
then do 'gpg --list-keys', I get:
diederik@bagend:~$ gpg --list-keys
gpg: directory '/home/diederik/.gnupg' created
gpg: keybox '/home/diederik/.gnupg/pubring.kbx' created
gpg: /home/diederik/.gnupg/trustdb.gpg: trustdb created
diederik@bagend:~$ stat .gnupg/
  File: .gnupg/
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 10304h/66308d   Inode: 12845180    Links: 2
Access: (0700/drwx------)  Uid: ( 1000/diederik)   Gid: ( 1000/diederik)

So Kleopatra creates ~/.gnupg with incorrect permissions when the
directory doesn't exist.

Cheers,
  Diederik

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'unstable'), (500, 'testing'), (101, 'experimental'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: arm64

Kernel: Linux 5.10.0-8-amd64 (SMP w/16 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages kleopatra depends on:
ii  dirmngr                                2.2.27-2
ii  gnupg                                  2.2.27-2
ii  gpgsm                                  2.2.27-2
ii  libassuan0                             2.5.5-1
ii  libc6                                  2.31-17
ii  libgcc-s1                              11.2.0-3
ii  libgpg-error0                          1.42-3
ii  libgpgme11                             1.16.0-1
ii  libgpgmepp6                            1.16.0-1
ii  libkf5codecs5                          5.85.0-2
ii  libkf5configcore5                      5.85.0-2
ii  libkf5configgui5                       5.85.0-2
ii  libkf5configwidgets5                   5.85.0-2
ii  libkf5coreaddons5                      5.85.0-2
ii  libkf5crash5                           5.85.0-2
ii  libkf5dbusaddons5                      5.85.0-2
ii  libkf5i18n5                            5.85.0-2
ii  libkf5iconthemes5                      5.85.0-2
ii  libkf5itemmodels5                      5.85.0-2
ii  libkf5libkleo5 [libkf5libkleo5-21.08]  4:21.08.0-1
ii  libkf5mime5abi1 [libkf5mime5-21.08]    21.08.0-1
ii  libkf5notifications5                   5.85.0-3
ii  libkf5textwidgets5                     5.85.0-2
ii  libkf5widgetsaddons5                   5.85.0-2
ii  libkf5windowsystem5                    5.85.0-2
ii  libkf5xmlgui5                          5.85.0-3
ii  libqgpgme7                             1.16.0-1
ii  libqt5core5a                           5.15.2+dfsg-10
ii  libqt5dbus5                            5.15.2+dfsg-10
ii  libqt5gui5                             5.15.2+dfsg-10
ii  libqt5network5                         5.15.2+dfsg-10
ii  libqt5printsupport5                    5.15.2+dfsg-10
ii  libqt5widgets5                         5.15.2+dfsg-10
ii  libstdc++6                             11.2.0-3
ii  paperkey                               1.6-1
ii  pinentry-qt                            1.1.1-1

kleopatra recommends no packages.

kleopatra suggests no packages.

-- no debconf information
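
The permission check and the two creation modes from the report, as an added example that is not part of the original message or of Kleopatra's code. It assumes GNU coreutils `stat` (as on Debian); the function names are hypothetical and the demo runs in a scratch directory, not the real ~/.gnupg.

```shell
#!/bin/sh
# Added example: audit, create and repair a GnuPG home directory.
# Assumes GNU stat (-c '%a'); function names are hypothetical.

# Return 0 if group and other have no access, 1 if they do, 2 if not a directory.
gnupg_home_is_safe() {
    dir=$1
    [ -d "$dir" ] || return 2
    mode=$(stat -c '%a' "$dir") || return 2
    # Mask the group/other bits of the octal mode; any bit set is unsafe.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "unsafe permissions $mode on $dir" >&2
        return 1
    fi
    return 0
}

# Create the directory with mode 0700 regardless of the caller's umask.
create_gnupg_home() {
    # mkdir -m sets the mode explicitly; without -p it also fails if the
    # path already exists, so an existing directory is never silently reused.
    mkdir -m 700 "$1"
}

# Strip group/other access from an existing home directory and its contents.
repair_gnupg_home() {
    chmod -R go-rwx "$1"
}

# Demo on a constructed scratch directory.
scratch=$(mktemp -d)
( umask 022; mkdir "$scratch/plain" )      # plain mkdir: 0755, the mode in the report
create_gnupg_home "$scratch/explicit"      # explicit mode: 0700
for d in plain explicit; do
    if gnupg_home_is_safe "$scratch/$d"; then
        echo "$d: safe"
    else
        echo "$d: unsafe"
    fi
done
repair_gnupg_home "$scratch/plain"
gnupg_home_is_safe "$scratch/plain" && echo "plain: safe after repair"
rm -rf "$scratch"
```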

