From abowhill@blarg.net  Sun Jan  4 22:17:36 2004
Message-Id: <200401050614.i056E6i3051171@kosmos.my.net>
Date: Sun, 4 Jan 2004 22:14:06 -0800 (PST)
From: kosmos <abowhill@blarg.net>
Reply-To: kosmos <abowhill@blarg.net>
To: FreeBSD-gnats-submit@freebsd.org
Cc: arved@freebsd.org
Subject: BitchX changes ownership of GPG public key file
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         60916
>Category:       ports
>Synopsis:       BitchX changes ownership of GPG public key file
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    arved
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jan 04 22:20:08 PST 2004
>Closed-Date:    Mon Jan 05 00:53:38 PST 2004
>Last-Modified:  Mon Jan 05 00:53:38 PST 2004
>Originator:     abowhill@blarg.net
>Release:        FreeBSD 4.9-STABLE i386
>Organization:
n/a
>Environment:
System: FreeBSD kosmos.my.net 4.9-STABLE FreeBSD 4.9-STABLE #0: Thu Dec 4 19:37:49 PST 2003 root@kosmos.my.net:/usr/obj/usr/src/sys/KOSMOS i386


	
>Description:
        If you use sudo to issue commands as root, and have GPG (GNU
        PGP) installed on the system, installing BitchX from ports will
        change the ownership of your pubring.gpg to root, temporarily
        disabling GPG functionality.

	Also, a public key is added to the keyring without asking.
>How-To-Repeat:
        1.) install sudo
        2.) configure an account "someuser". Add into group wheel.
        3.) as root, install /usr/ports/security/sudo
        4.) as root, add someuser as a sudoer with root access
            Use visudo to add the line:
                someuser        ALL=(ALL) ALL
            under the "User privilege specification" heading
        4.) as root, install and configure /usr/ports/security/gnupg
        5.) as someuser, generate a gpg keypair, using:
                gpg --gen-key

        %pwd
        /usr/home/someuser
        %ls -alt .gnupg/
        total 20
        drwx------  2 someuser  wheel   512 Jan  4 20:59 .
        -rw-------  1 someuser  wheel  1240 Jan  4 20:59 trustdb.gpg
        -rw-------  1 someuser  wheel   600 Jan  4 20:59 random_seed
        -rw-------  1 someuser  wheel  1062 Jan  4 20:59 secring.gpg
        -rw-------  1 someuser  wheel   924 Jan  4 20:59 pubring.gpg
        drwxr-xr-x  3 someuser  wheel   512 Jan  4 20:57 ..
        -rw-------  1 someuser  wheel     0 Jan  4 20:57 pubring.gpg~
        -rw-------  1 someuser  wheel  8075 Jan  4 20:57 gpg.conf

        
        %gpg --list-keys
        gpg: WARNING: using insecure memory!
        gpg: please see http://www.gnupg.org/faq.html for more information
        /home/someuser/.gnupg/pubring.gpg
        ---------------------------------
        pub  1024D/BD8FF700 2004-01-05 Some User (bloke) <someuser@mynet.net>
        sub  1024g/73C489C3 2004-01-05 [expires: 2004-01-07]

        
        6.) as someuser->sudo->root install /usr/ports/irc/bitchx
        
        > whoami
        someuser
        > cd /usr/ports/irc/bitchx
        > sudo make install clean

        7.) check permissions on files in ~someuser/.gnupg
        > ls -lat ~/.gnupg
        total 24
        drwx------  2 someuser  wheel   512 Jan  4 21:11 .
        -rw-------  1 someuser  wheel  1280 Jan  4 21:11 trustdb.gpg
        -rw-------  1 root      wheel  2276 Jan  4 21:11 pubring.gpg
        -rw-------  1 someuser  wheel   600 Jan  4 20:59 random_seed
        -rw-------  1 someuser  wheel  1062 Jan  4 20:59 secring.gpg
        -rw-------  1 someuser  wheel   924 Jan  4 20:59 pubring.gpg~
        drwxr-xr-x  3 someuser  wheel   512 Jan  4 20:57 ..
        -rw-------  1 someuser  wheel  8075 Jan  4 20:57 gpg.conf

        8.) list keys

        > gpg --list-keys
        gpg: WARNING: using insecure memory!
        gpg: please see http://www.gnupg.org/faq.html for more information
        gpg: can't open `/home/someuser/.gnupg/pubring.gpg'
        gpg: keydb_search_first failed: file open error

>Fix:

        The problem is under the pre-extract section in the Makefile for
        bitchx. The Makefile should probably ask before adding a key,
        but aside from that, the permission change problem might be
        fixed by using su in some creative way like:

        .if defined(SUDO_USER)
                @${ECHO_CMD} "===> Using Sudo to verify GnuPG signatures."
                su $(SUDO_USER) -c 'gpg --keyserver pgp.mit.edu --recv-key 42D1F77C'
        .endif

        Workaround: 
        
        1.) as someuser:
        
        cd ~/.gnupg
        sudo chown someuser pubring.gpg
        gpg --list-keys
        > gpg --list-keys

        gpg: WARNING: using insecure memory!
        gpg: please see http://www.gnupg.org/faq.html for more information
        /home/someuser/.gnupg/pubring.gpg
        ---------------------------------
        pub  1024D/BD8FF700 2004-01-05 Some User (bloke) <someuser@mynet.net>
        sub  1024g/73C489C3 2004-01-05 [expires: 2004-01-07]

        pub  1024D/42D1F77C 2003-04-14 Rob Andrews (BitchX FTP Site Administrator) <sin@bitchx.org>
        sub  2048g/7ADE46D5 2003-04-14 [expires: 2004-04-13]
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->arved 
Responsible-Changed-By: sergei 
Responsible-Changed-When: Sun Jan 4 23:21:12 PST 2004 
Responsible-Changed-Why:  
Over to maintainer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=60916 
State-Changed-From-To: open->closed 
State-Changed-By: arved 
State-Changed-When: Mon Jan 5 00:52:56 PST 2004 
State-Changed-Why:  
I have committed a work-around. Thanks for reporting. 

>Unformatted:
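
Added example, not part of the original problem report or the port's Makefile: a POSIX sh check for the two conditions the report shows, entries in a GnuPG home directory owned by someone other than the directory's owner, and a command running with a uid that does not own its HOME. The function names are hypothetical, and the optional second argument exists only so the check can be exercised without root.

```sh
#!/bin/sh
# Numeric owner uid of a path, parsed from `ls -ldn` so it works with
# both BSD and GNU userlands (their stat(1) options differ).
owner_uid() {
    ls -ldn -- "$1" | awk '{print $3}'
}

# Print every entry under a GnuPG home whose owner differs from the
# owner of the directory itself. This is the state in the report after
# the install: pubring.gpg owned by root inside someuser's ~/.gnupg.
#   $1  GnuPG home directory
#   $2  optional expected uid (assumption: defaults to the dir's owner)
# Returns 2 if $1 is not a directory.
gnupg_foreign_owned() {
    dir=$1
    [ -d "$dir" ] || return 2
    expected=${2:-$(owner_uid "$dir")}
    find "$dir" ! -user "$expected" -print
}

# Return 0 when uid $1 does not own home directory $2. That is the
# precondition of the report: the build ran as root under sudo while
# gpg still resolved its keyring inside the invoking user's home.
home_owner_mismatch() {
    [ "$1" != "$(owner_uid "$2")" ]
}

# Usage: audit the current user's keyring directory if it exists.
gpg_home=${GNUPGHOME:-$HOME/.gnupg}
if [ -d "$gpg_home" ]; then
    gnupg_foreign_owned "$gpg_home"
fi
```

Any path printed by gnupg_foreign_owned is a file the keyring's owner may no longer be able to read or write, as happened to pubring.gpg here.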
