Package: dirmngr
Version: 1.1.0-2
Severity: normal

In correspondence with upstream about dirmngr [0], Werner Koch raised this concern about its debian packaging:

> Get the permissions for Dirmngr right; last time I checked it was still
> run as root.

I believe he's referring to the system daemon, which appears to be the case on my debian system:

0 dkg@pip:~/tmp$ COLUMNS=200 ps -F $(pidof dirmngr)
UID        PID  PPID  C    SZ   RSS PSR STIME TTY      STAT   TIME CMD
root     23395     1  0  1175   636   0 Mar13 ?        Ss     0:11 /usr/bin/dirmngr --daemon --sh
0 dkg@pip:~/tmp$

Given that the socket it listens on is world-writable, this suggests that any bugs in dirmngr present an opportunity for privilege escalation.

Regards,

--dkg

[0] http://lists.gnupg.org/pipermail/gnupg-devel/2012-March/026620.html

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-1-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages dirmngr depends on:
ii  adduser         3.113+nmu1
ii  dpkg            1.16.1.2
ii  install-info    4.13a.dfsg.1-8
ii  libassuan0      2.0.3-1
ii  libc6           2.13-27
ii  libgcrypt11     1.5.0-3
ii  libgpg-error0   1.10-3
ii  libksba8        1.2.0-2
ii  libldap-2.4-2   2.4.28-1.1
ii  libpth20        2.0.7-16
ii  lsb-base        3.2-28.1

dirmngr recommends no packages.

dirmngr suggests no packages.

-- no debconf information
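The combination the report describes (a daemon running as root while its socket is writable by every local user) can be checked with a small audit script. This is an added example, not part of the bug report or of the dirmngr package; it assumes a Linux /proc filesystem, and the socket path in the usage comment is a placeholder to adjust for your system.

```shell
# Audit a daemon for the root-process / world-writable-socket combination
# flagged in the report above (constructed helper, not the package's code).

# Print the real UID of a process, read from /proc (Linux-specific assumption).
uid_of_pid() {
    [ -r "/proc/$1/status" ] || return 1
    awk '/^Uid:/ { print $2 }' "/proc/$1/status"
}

# Return 0 if "other" (every local user) may write to the path, 1 otherwise.
# Parsing `ls -ld` keeps this POSIX-portable; column 9 is the other-write bit.
is_world_writable() {
    [ "$(ls -ld -- "$1" | cut -c9)" = "w" ]
}

# Return 0 if the path is a Unix-domain socket (type character 's' in `ls -ld`).
is_socket() {
    [ "$(ls -ld -- "$1" | cut -c1)" = "s" ]
}

# Combine both checks for one PID and the socket it listens on.
# Returns 0 when the risky combination is present, 1 when it is not,
# and 2 when the PID does not exist.
audit_daemon() {
    pid=$1; sock=$2
    uid=$(uid_of_pid "$pid") || { echo "pid $pid: not found"; return 2; }
    if [ "$uid" = "0" ] && is_world_writable "$sock"; then
        echo "pid $pid runs as root and $sock is world-writable:" \
             "any bug in the daemon is reachable by every local user"
        return 0
    fi
    echo "pid $pid (uid $uid), $sock: no root/world-writable combination"
    return 1
}

# Usage against the daemon from the report (socket path is a placeholder):
# audit_daemon "$(pidof dirmngr)" /path/to/dirmngr/socket
```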