Bug#852697: [pkg-gnupg-maint] Bug#852697: gnupg-agent: automatically starts gpg-agent in root user slice
Control: reassign 852697 daptup
Control: retitle 852697 daptup: automatically starts gpg-agent in root user slice
Control: affects 852697 + gnupg-agent

On Sun 2017-02-05 10:21:58 +0100, Laurent Bonnaud wrote:
> On 05/02/2017 10:08, Daniel Kahn Gillmor wrote:
>
>> Were you able to isolate what's launching the process?
>
> Yes I finally took the time to test all apt hooks and found the cause: it is
> /etc/apt/apt.conf.d/11daptup from package daptup.
>
> Should I reassign the bug?

I'm reassigning it now, sorry for the delay.

>> btw, that gpg-agent process is a systemd user service. when root fully
>> logs out of the machine, that user service should also terminate.
>> perhaps its running might cause you less worry if you know it will get
>> cleaned up at logout?
>
> It is more complicated than that: since I have cron-apt on my system, a new
> gpg-agent process is spawned automatically each night and does not go away.

so the underlying question is: why does daptup launch gpg-agent? I
don't think it should be doing anything with GnuPG secret key material.

--dkg
Bug#852697: [pkg-gnupg-maint] Bug#852697: gnupg-agent: automatically starts gpg-agent in root user slice
On Sun, 5 Feb 2017 11:21:58 +0100 Laurent Bonnaud wrote:
> On 05/02/2017 10:08, Daniel Kahn Gillmor wrote:
>
> > Were you able to isolate what's launching the process?
>
> Yes I finally took the time to test all apt hooks and found the cause: it is
> /etc/apt/apt.conf.d/11daptup from package daptup.
>
> Should I reassign the bug?
>
> > btw, that gpg-agent process is a systemd user service. when root fully
> > logs out of the machine, that user service should also terminate.
> > perhaps its running might cause you less worry if you know it will get
> > cleaned up at logout?
>
> It is more complicated than that: since I have cron-apt on my system, a new
> gpg-agent process is spawned automatically each night and does not go away.
>
> --
> Laurent.
>
>

I also can't ssh, it seems the gpg-agent no longer looks at
"/home/mike/.gnupg/gpg-agent.conf", does not find "enable-ssh-support", and
starts the gpg agent without ssh support as;

mike 1717 1 0 10:09 ? 00:00:00 /lib/systemd/systemd --user
...
mike 3275 1717 0 10:23 ? 00:00:00 \_ /usr/bin/gpg-agent --supervised

Kind Regards,

Mike
Bug#852697: [pkg-gnupg-maint] Bug#852697: gnupg-agent: automatically starts gpg-agent in root user slice
On 05/02/2017 10:08, Daniel Kahn Gillmor wrote:

> Were you able to isolate what's launching the process?

Yes I finally took the time to test all apt hooks and found the cause: it is
/etc/apt/apt.conf.d/11daptup from package daptup.

Should I reassign the bug?

> btw, that gpg-agent process is a systemd user service. when root fully
> logs out of the machine, that user service should also terminate.
> perhaps its running might cause you less worry if you know it will get
> cleaned up at logout?

It is more complicated than that: since I have cron-apt on my system, a new
gpg-agent process is spawned automatically each night and does not go away.

--
Laurent.
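
The message above narrows the cause down by testing the apt hooks one at a time. As an added example, not part of the thread and not code from apt or daptup, the script below lists which snippets in an apt configuration directory register hook commands at all, so only those need testing. The function names and the sample directory with its file names and contents are assumptions made for the example.

```shell
#!/bin/sh
# Added example: locate apt.conf.d snippets that register hook commands.
# Leaf key names of apt/dpkg hooks; matching the leaf name also catches
# the nested 'APT { Update { Post-Invoke {...}; }; };' form.
HOOK_RE='(Pre-Invoke|Post-Invoke(-Success)?|Pre-Install-Pkgs)'

# Print "file:line:text" for each hook key in directory $1.
# Lines that start with // or # are skipped; /* */ comments are not handled.
list_apt_hooks() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        grep -En "$HOOK_RE" "$f" |
            grep -Ev '^[0-9]+:[[:space:]]*(//|#)' |
            while IFS= read -r hit; do
                printf '%s:%s\n' "$name" "$hit"
            done
    done
}

# Print only the names of the files that register at least one hook.
hook_files() {
    list_apt_hooks "$1" | cut -d: -f1 | sort -u
}

# Constructed sample directory: file names and contents are invented.
make_sample() {
    d=$(mktemp -d)
    printf '%s\n' 'APT::Periodic::Update-Package-Lists "1";' > "$d/10no-hook"
    printf '%s\n' 'APT::Update::Post-Invoke { "/usr/bin/example-hook"; };' \
        > "$d/11update-hook"
    printf '%s\n' '// DPkg::Post-Invoke { "disabled"; };' > "$d/20commented"
    printf '%s\n' 'DPkg' '{' \
        '  Pre-Install-Pkgs { "/usr/bin/example-check"; };' '};' > "$d/30nested"
    echo "$d"
}

# Demo on the constructed directory; on a real system pass /etc/apt/apt.conf.d.
sample=$(make_sample)
list_apt_hooks "$sample"
rm -rf "$sample"
```

A match only shows that a snippet registers a hook; the command it names still has to be read or traced to see whether it ends up talking to gpg-agent.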
Bug#852697: [pkg-gnupg-maint] Bug#852697: gnupg-agent: automatically starts gpg-agent in root user slice
On Fri 2017-01-27 05:54:59 -0500, Laurent Bonnaud wrote:
> Here is what my system has in its apt config:
>
> /etc/apt/apt.conf.d:
> total 136
> -rw-r--r-- 1 root root 769 Nov 27 2015 01autoremove
> -r--r--r-- 1 root root 2677 Jan 24 15:42 01autoremove-kernels
> -rw-r--r-- 1 root root 628 May 6 2015 01autoremove-postgresql
> -rw-r--r-- 1 root root 369 Aug 1 21:58 05etckeeper
> -rw-r--r-- 1 root root 430 Jan 1 2014 10apt-listbugs
> -rw-r--r-- 1 root root 196 Jul 25 2015 11daptup
> -rw-r--r-- 1 root root 420 Jan 17 2014 20adequate
> -rw-r--r-- 1 root root 164 Jan 21 2015 20apt-show-versions
> -rw-r--r-- 1 root root 80 Apr 29 2016 20auto-upgrades
> -rw-r--r-- 1 root root 202 Dec 22 17:41 20listchanges
> -rw-r--r-- 1 root root 1040 Jun 7 2015 20packagekit
> -rw-r--r-- 1 root root 258 Jan 22 18:59 20services
> -rw-r--r-- 1 root root 131 Jun 26 2015 35dhelp
> -rw-r--r-- 1 root root 1488 Jan 26 23:08 50appstream
> -rw-r--r-- 1 root root 1953 Nov 6 16:03 50apt-file.conf
> -rw-r--r-- 1 root root 297 Nov 22 2014 50spacewalk
> -rw-r--r-- 1 root root 4259 May 26 2016 50unattended-upgrades
> -rw-r--r-- 1 root root 307 Sep 23 13:18 50whatmaps_apt
> -rw-r--r-- 1 root root 354 Jan 19 19:13 60gnome-software
> -rw-r--r-- 1 root root 458 Jan 19 18:36 60plasma-discover
> -rw-r--r-- 1 root root 182 Mar 19 2015 70debconf
> -rw-r--r-- 1 root root 142 Aug 9 13:55 80debtags
> -rw-r--r-- 1 root root 266 Mar 7 2016 90junior-config
> -rw-r--r-- 1 root root 254 Sep 1 2015 90med-config
> -rw-r--r-- 1 root root 286 Jul 4 2016 90rkhunter
> -rw-r--r-- 1 root root 270 Mar 29 2015 90science-config
> -rw-r--r-- 1 root root 160 Nov 24 2012 90zope-common
> -rw-r--r-- 1 root root 129 May 4 2016 99apt-dater-host_periodic
> -rw-r--r-- 1 root root 160 May 10 2016 99how-can-i-help
> -rw-r--r-- 1 root root 231 Jan 1 2014 99-localepurge
> -rw-r--r-- 1 root root 338 Jan 17 16:03 99needrestart
> -rw-r--r-- 1 root root 32 Jan 24 17:53 99synaptic
> -rw-r--r-- 1 root root 43 Jan 29 2016 overwrite
>
> I'll try to isolate the responsible package as time permits...

hm, i don't see the process get created, and i've got the following in
/etc/apt/apt.conf.d/:

-rw-r--r-- 1 root root 40 Dec 10 2012 00trustcdrom
-rw-r--r-- 1 root root 769 Nov 30 2015 01autoremove
-r--r--r-- 1 root root 2053 Jan 24 15:29 01autoremove-kernels
-rw-r--r-- 1 root root 628 Sep 9 2013 01autoremove-postgresql
-rw-r--r-- 1 root root 164 Oct 26 2012 20apt-show-versions
-rw-r--r-- 1 root root 202 Aug 15 15:55 20listchanges
-rw-r--r-- 1 root root 182 Aug 13 2012 70debconf
-rw-r--r-- 1 root root 142 Oct 5 2014 80debtags

Were you able to isolate what's launching the process?

btw, that gpg-agent process is a systemd user service. when root fully
logs out of the machine, that user service should also terminate.
perhaps its running might cause you less worry if you know it will get
cleaned up at logout?

--dkg
Bug#852697: [pkg-gnupg-maint] Bug#852697: gnupg-agent: automatically starts gpg-agent in root user slice
On 27/01/2017 01:05, Daniel Kahn Gillmor wrote:

> Does the agent process appear as soon as you log in?

No, it appears when I run "apt update". I had a similar problem with gvfs
(see bug #852696) but in the case of gpg-agent the logs give less information
about which apt add-on is responsible:

Jan 27 10:53:26 hostname gpg-agent[1816]: gpg-agent (GnuPG) 2.1.18 starting in supervised mode.
Jan 27 10:53:26 hostname gpg-agent[1816]: using fd 3 for ssh socket (/run/user/0/gnupg/S.gpg-agent.ssh)
Jan 27 10:53:26 hostname gpg-agent[1816]: using fd 4 for browser socket (/run/user/0/gnupg/S.gpg-agent.browser)
Jan 27 10:53:26 hostname gpg-agent[1816]: using fd 5 for extra socket (/run/user/0/gnupg/S.gpg-agent.extra)
Jan 27 10:53:26 hostname gpg-agent[1816]: using fd 6 for std socket (/run/user/0/gnupg/S.gpg-agent)
Jan 27 10:53:26 hostname gpg-agent[1816]: listening on: std=6 extra=5 browser=4 ssh=3

Here is what my system has in its apt config:

/etc/apt/apt.conf.d:
total 136
-rw-r--r-- 1 root root 769 Nov 27 2015 01autoremove
-r--r--r-- 1 root root 2677 Jan 24 15:42 01autoremove-kernels
-rw-r--r-- 1 root root 628 May 6 2015 01autoremove-postgresql
-rw-r--r-- 1 root root 369 Aug 1 21:58 05etckeeper
-rw-r--r-- 1 root root 430 Jan 1 2014 10apt-listbugs
-rw-r--r-- 1 root root 196 Jul 25 2015 11daptup
-rw-r--r-- 1 root root 420 Jan 17 2014 20adequate
-rw-r--r-- 1 root root 164 Jan 21 2015 20apt-show-versions
-rw-r--r-- 1 root root 80 Apr 29 2016 20auto-upgrades
-rw-r--r-- 1 root root 202 Dec 22 17:41 20listchanges
-rw-r--r-- 1 root root 1040 Jun 7 2015 20packagekit
-rw-r--r-- 1 root root 258 Jan 22 18:59 20services
-rw-r--r-- 1 root root 131 Jun 26 2015 35dhelp
-rw-r--r-- 1 root root 1488 Jan 26 23:08 50appstream
-rw-r--r-- 1 root root 1953 Nov 6 16:03 50apt-file.conf
-rw-r--r-- 1 root root 297 Nov 22 2014 50spacewalk
-rw-r--r-- 1 root root 4259 May 26 2016 50unattended-upgrades
-rw-r--r-- 1 root root 307 Sep 23 13:18 50whatmaps_apt
-rw-r--r-- 1 root root 354 Jan 19 19:13 60gnome-software
-rw-r--r-- 1 root root 458 Jan 19 18:36 60plasma-discover
-rw-r--r-- 1 root root 182 Mar 19 2015 70debconf
-rw-r--r-- 1 root root 142 Aug 9 13:55 80debtags
-rw-r--r-- 1 root root 266 Mar 7 2016 90junior-config
-rw-r--r-- 1 root root 254 Sep 1 2015 90med-config
-rw-r--r-- 1 root root 286 Jul 4 2016 90rkhunter
-rw-r--r-- 1 root root 270 Mar 29 2015 90science-config
-rw-r--r-- 1 root root 160 Nov 24 2012 90zope-common
-rw-r--r-- 1 root root 129 May 4 2016 99apt-dater-host_periodic
-rw-r--r-- 1 root root 160 May 10 2016 99how-can-i-help
-rw-r--r-- 1 root root 231 Jan 1 2014 99-localepurge
-rw-r--r-- 1 root root 338 Jan 17 16:03 99needrestart
-rw-r--r-- 1 root root 32 Jan 24 17:53 99synaptic
-rw-r--r-- 1 root root 43 Jan 29 2016 overwrite

I'll try to isolate the responsible package as time permits...

--
Laurent.
Bug#852697: [pkg-gnupg-maint] Bug#852697: gnupg-agent: automatically starts gpg-agent in root user slice
Hi Laurent--

On Thu 2017-01-26 09:06:03 -0500, Laurent Bonnaud wrote:
> I usually remotely log in (via ssh) as root on a system where gnupg
> packages are installed and I noticed that a gpg-agent process is
> created for the root user:
>
> # systemd-cgls
> Control group /:
> -.slice
> ├─user.slice
> │ └─user-0.slice
> │   ├─user@0.service
> │   │ ├─dbus.service
> │   │ │ └─16957 /usr/bin/dbus-daemon --session --address=systemd: --nofork
> --nopidfile --systemd-activation --syslo
> │   │ ├─gpg-agent.service
> │   │ │ └─15353 /usr/bin/gpg-agent --supervised
> │   │ ├─init.scope
> │   │ │ ├─31495 /lib/systemd/systemd --user
> │   │ │ └─31497 (sd-pam)
> │   │ └─gvfs-daemon.service
> │   │   ├─17040 /usr/lib/gvfs/gvfsd
> │   │   └─17045 /usr/lib/gvfs/gvfsd-fuse /run/user/0/gvfs -f -o big_writes
>
> This process is of no use to the root user and therefore the system
> would be better without it. Would it be possible to prevent the
> creation of this process?

It should only be active because some process queried the gpg-agent. If
nothing queries the agent, then it won't get started.

Having it in the user@0.service subtree is good because that means it
will be terminated when your session ends.

You can safely terminate the systemd-supervised agent the same way
that you would terminate any other systemd-supervised user service:

    systemctl --user stop gpg-agent

But note that if some other process wants to talk to the agent, then
systemd will start it up again automatically as requested.

Does the agent process appear as soon as you log in? Is it possible
that something in your login scripts is invoking gpg in a way that wants
to talk to the agent?

--dkg