Bug#852697: [pkg-gnupg-maint] Bug#852697: gnupg-agent: automatically starts gpg-agent in root user slice

2017-04-25 Thread Daniel Kahn Gillmor
Control: reassign 852697 daptup
Control: retitle 852697 daptup: automatically starts gpg-agent in root user slice
Control: affects 852697 + gnupg-agent

On Sun 2017-02-05 10:21:58 +0100, Laurent Bonnaud wrote:
> On 05/02/2017 10:08, Daniel Kahn Gillmor wrote:
>
>> Were you able to isolate what's launching the process?
>
> Yes I finally took the time to test all apt hooks and found the cause: it is 
> /etc/apt/apt.conf.d/11daptup from package daptup.
>
> Should I reassign the bug?

I'm reassigning it now, sorry for the delay.

>> btw, that gpg-agent process is a systemd user service.  when root fully
>> logs out of the machine, that user service should also terminate.
>> perhaps its running might cause you less worry if you know it will get
>> cleaned up at logout?
>
> It is more complicated than that: since I have cron-apt on my system, a new 
> gpg-agent process is spawned automatically each night and does not go away.

so the underlying question is: why does daptup launch gpg-agent?  I
don't think it should be doing anything with GnuPG secret key material.

  --dkg




Bug#852697: [pkg-gnupg-maint] Bug#852697: gnupg-agent: automatically starts gpg-agent in root user slice

2017-02-09 Thread Michael Jones
On Sun, 5 Feb 2017 11:21:58 +0100 Laurent Bonnaud wrote:
> On 05/02/2017 10:08, Daniel Kahn Gillmor wrote:
> 
> > Were you able to isolate what's launching the process?
> 
> Yes I finally took the time to test all apt hooks and found the cause: it is 
> /etc/apt/apt.conf.d/11daptup from package daptup.
> 
> Should I reassign the bug?
> 
> > btw, that gpg-agent process is a systemd user service.  when root fully
> > logs out of the machine, that user service should also terminate.
> > perhaps its running might cause you less worry if you know it will get
> > cleaned up at logout?
> 
> It is more complicated than that: since I have cron-apt on my system, a new 
> gpg-agent process is spawned automatically each night and does not go away.
> 
> -- 
> Laurent.
> 
> 

I also can't ssh, it seems the gpg-agent no longer looks at
"/home/mike/.gnupg/gpg-agent.conf", does not find "enable-ssh-support",
and starts the gpg agent without ssh support as:

mike  1717     1  0 10:09 ?        00:00:00 /lib/systemd/systemd --user
...
mike  3275  1717  0 10:23 ?        00:00:00  \_ /usr/bin/gpg-agent --supervised

Kind Regards,
Mike



Bug#852697: [pkg-gnupg-maint] Bug#852697: gnupg-agent: automatically starts gpg-agent in root user slice

2017-02-05 Thread Laurent Bonnaud
On 05/02/2017 10:08, Daniel Kahn Gillmor wrote:

> Were you able to isolate what's launching the process?

Yes I finally took the time to test all apt hooks and found the cause: it is 
/etc/apt/apt.conf.d/11daptup from package daptup.

Should I reassign the bug?

> btw, that gpg-agent process is a systemd user service.  when root fully
> logs out of the machine, that user service should also terminate.
> perhaps its running might cause you less worry if you know it will get
> cleaned up at logout?

It is more complicated than that: since I have cron-apt on my system, a new 
gpg-agent process is spawned automatically each night and does not go away.

-- 
Laurent.
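
Testing the apt hooks one at a time, as described in the message above, starts from knowing which files under /etc/apt/apt.conf.d actually define hook commands. The shell function below is an added example, not code from this thread or from any package discussed in it; the sample file names and commands are constructed, and it assumes hook commands contain no escaped double quotes.

```shell
#!/bin/sh
# Added example: list every hook command in an apt.conf.d-style directory
# as "file<TAB>hook key<TAB>command", so each hook can be tested on its own.
list_apt_hooks() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk -v file="${f##*/}" '
            /^[ \t]*\/\// { next }                     # skip // comment lines
            {
                line = $0
                if (match(line, /(APT::Update|DPkg)::(Pre|Post)-(Invoke(-Success)?|Install-Pkgs)/)) {
                    key = substr(line, RSTART, RLENGTH)
                    line = substr(line, RSTART + RLENGTH)
                    inhook = 1; depth = 0
                }
                if (!inhook) next
                rest = ""
                while (match(line, /"[^"]*"/)) {       # each quoted string is one command
                    printf "%s\t%s\t%s\n", file, key, substr(line, RSTART + 1, RLENGTH - 2)
                    rest = rest substr(line, 1, RSTART - 1)
                    line = substr(line, RSTART + RLENGTH)
                }
                rest = rest line                       # text outside the quotes
                depth += gsub(/[{]/, "", rest) - gsub(/[}]/, "", rest)
                if (depth <= 0 && rest ~ /;/) inhook = 0   # statement closed
            }' "$f"
    done
}

# Constructed sample files (hypothetical names and commands, not from the bug report).
make_sample_dir() {
    d=$(mktemp -d) || return 1
    cat > "$d/11sample-hook" <<'EOF'
// constructed example, block form
APT::Update::Post-Invoke {
  "if [ -x /usr/bin/sample-tool ]; then /usr/bin/sample-tool --post; fi";
};
EOF
    cat > "$d/20sample-periodic" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
EOF
    printf 'DPkg::Post-Invoke {"/usr/bin/other-tool || true";};\n' > "$d/99sample-oneline"
    echo "$d"
}

dir=$(make_sample_dir) && list_apt_hooks "$dir" && rm -rf "$dir"
```

On a live system, pass /etc/apt/apt.conf.d as the argument; `apt-config dump` shows the merged configuration but not which file contributed each entry.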



Bug#852697: [pkg-gnupg-maint] Bug#852697: gnupg-agent: automatically starts gpg-agent in root user slice

2017-02-05 Thread Daniel Kahn Gillmor
On Fri 2017-01-27 05:54:59 -0500, Laurent Bonnaud wrote:

> Here is what my system has in its apt config:
>
> /etc/apt/apt.conf.d:
> total 136
> -rw-r--r-- 1 root root  769 Nov 27  2015 01autoremove
> -r--r--r-- 1 root root 2677 Jan 24 15:42 01autoremove-kernels
> -rw-r--r-- 1 root root  628 May  6  2015 01autoremove-postgresql
> -rw-r--r-- 1 root root  369 Aug  1 21:58 05etckeeper
> -rw-r--r-- 1 root root  430 Jan  1  2014 10apt-listbugs
> -rw-r--r-- 1 root root  196 Jul 25  2015 11daptup
> -rw-r--r-- 1 root root  420 Jan 17  2014 20adequate
> -rw-r--r-- 1 root root  164 Jan 21  2015 20apt-show-versions
> -rw-r--r-- 1 root root   80 Apr 29  2016 20auto-upgrades
> -rw-r--r-- 1 root root  202 Dec 22 17:41 20listchanges
> -rw-r--r-- 1 root root 1040 Jun  7  2015 20packagekit
> -rw-r--r-- 1 root root  258 Jan 22 18:59 20services
> -rw-r--r-- 1 root root  131 Jun 26  2015 35dhelp
> -rw-r--r-- 1 root root 1488 Jan 26 23:08 50appstream
> -rw-r--r-- 1 root root 1953 Nov  6 16:03 50apt-file.conf
> -rw-r--r-- 1 root root  297 Nov 22  2014 50spacewalk
> -rw-r--r-- 1 root root 4259 May 26  2016 50unattended-upgrades
> -rw-r--r-- 1 root root  307 Sep 23 13:18 50whatmaps_apt
> -rw-r--r-- 1 root root  354 Jan 19 19:13 60gnome-software
> -rw-r--r-- 1 root root  458 Jan 19 18:36 60plasma-discover
> -rw-r--r-- 1 root root  182 Mar 19  2015 70debconf
> -rw-r--r-- 1 root root  142 Aug  9 13:55 80debtags
> -rw-r--r-- 1 root root  266 Mar  7  2016 90junior-config
> -rw-r--r-- 1 root root  254 Sep  1  2015 90med-config
> -rw-r--r-- 1 root root  286 Jul  4  2016 90rkhunter
> -rw-r--r-- 1 root root  270 Mar 29  2015 90science-config
> -rw-r--r-- 1 root root  160 Nov 24  2012 90zope-common
> -rw-r--r-- 1 root root  129 May  4  2016 99apt-dater-host_periodic
> -rw-r--r-- 1 root root  160 May 10  2016 99how-can-i-help
> -rw-r--r-- 1 root root  231 Jan  1  2014 99-localepurge
> -rw-r--r-- 1 root root  338 Jan 17 16:03 99needrestart
> -rw-r--r-- 1 root root   32 Jan 24 17:53 99synaptic
> -rw-r--r-- 1 root root   43 Jan 29  2016 overwrite
>
> I'll try to isolate the responsible package as time permits...

hm, i don't see the process get created, and i've got the following in
/etc/apt/apt.conf.d/:

-rw-r--r-- 1 root root   40 Dec 10  2012 00trustcdrom
-rw-r--r-- 1 root root  769 Nov 30  2015 01autoremove
-r--r--r-- 1 root root 2053 Jan 24 15:29 01autoremove-kernels
-rw-r--r-- 1 root root  628 Sep  9  2013 01autoremove-postgresql
-rw-r--r-- 1 root root  164 Oct 26  2012 20apt-show-versions
-rw-r--r-- 1 root root  202 Aug 15 15:55 20listchanges
-rw-r--r-- 1 root root  182 Aug 13  2012 70debconf
-rw-r--r-- 1 root root  142 Oct  5  2014 80debtags

Were you able to isolate what's launching the process?

btw, that gpg-agent process is a systemd user service.  when root fully
logs out of the machine, that user service should also terminate.
perhaps its running might cause you less worry if you know it will get
cleaned up at logout?

--dkg




Bug#852697: [pkg-gnupg-maint] Bug#852697: gnupg-agent: automatically starts gpg-agent in root user slice

2017-01-27 Thread Laurent Bonnaud
On 27/01/2017 01:05, Daniel Kahn Gillmor wrote:

> Does the agent process appear as soon as you log in?

No, it appears when I run "apt update".

I had a similar problem with gvfs (see bug #852696) but in the case of 
gpg-agent the logs give less information about which apt add-on is responsible:

Jan 27 10:53:26 hostname gpg-agent[1816]: gpg-agent (GnuPG) 2.1.18 starting in supervised mode.
Jan 27 10:53:26 hostname gpg-agent[1816]: using fd 3 for ssh socket (/run/user/0/gnupg/S.gpg-agent.ssh)
Jan 27 10:53:26 hostname gpg-agent[1816]: using fd 4 for browser socket (/run/user/0/gnupg/S.gpg-agent.browser)
Jan 27 10:53:26 hostname gpg-agent[1816]: using fd 5 for extra socket (/run/user/0/gnupg/S.gpg-agent.extra)
Jan 27 10:53:26 hostname gpg-agent[1816]: using fd 6 for std socket (/run/user/0/gnupg/S.gpg-agent)
Jan 27 10:53:26 hostname gpg-agent[1816]: listening on: std=6 extra=5 browser=4 ssh=3

Here is what my system has in its apt config:

/etc/apt/apt.conf.d:
total 136
-rw-r--r-- 1 root root  769 Nov 27  2015 01autoremove
-r--r--r-- 1 root root 2677 Jan 24 15:42 01autoremove-kernels
-rw-r--r-- 1 root root  628 May  6  2015 01autoremove-postgresql
-rw-r--r-- 1 root root  369 Aug  1 21:58 05etckeeper
-rw-r--r-- 1 root root  430 Jan  1  2014 10apt-listbugs
-rw-r--r-- 1 root root  196 Jul 25  2015 11daptup
-rw-r--r-- 1 root root  420 Jan 17  2014 20adequate
-rw-r--r-- 1 root root  164 Jan 21  2015 20apt-show-versions
-rw-r--r-- 1 root root   80 Apr 29  2016 20auto-upgrades
-rw-r--r-- 1 root root  202 Dec 22 17:41 20listchanges
-rw-r--r-- 1 root root 1040 Jun  7  2015 20packagekit
-rw-r--r-- 1 root root  258 Jan 22 18:59 20services
-rw-r--r-- 1 root root  131 Jun 26  2015 35dhelp
-rw-r--r-- 1 root root 1488 Jan 26 23:08 50appstream
-rw-r--r-- 1 root root 1953 Nov  6 16:03 50apt-file.conf
-rw-r--r-- 1 root root  297 Nov 22  2014 50spacewalk
-rw-r--r-- 1 root root 4259 May 26  2016 50unattended-upgrades
-rw-r--r-- 1 root root  307 Sep 23 13:18 50whatmaps_apt
-rw-r--r-- 1 root root  354 Jan 19 19:13 60gnome-software
-rw-r--r-- 1 root root  458 Jan 19 18:36 60plasma-discover
-rw-r--r-- 1 root root  182 Mar 19  2015 70debconf
-rw-r--r-- 1 root root  142 Aug  9 13:55 80debtags
-rw-r--r-- 1 root root  266 Mar  7  2016 90junior-config
-rw-r--r-- 1 root root  254 Sep  1  2015 90med-config
-rw-r--r-- 1 root root  286 Jul  4  2016 90rkhunter
-rw-r--r-- 1 root root  270 Mar 29  2015 90science-config
-rw-r--r-- 1 root root  160 Nov 24  2012 90zope-common
-rw-r--r-- 1 root root  129 May  4  2016 99apt-dater-host_periodic
-rw-r--r-- 1 root root  160 May 10  2016 99how-can-i-help
-rw-r--r-- 1 root root  231 Jan  1  2014 99-localepurge
-rw-r--r-- 1 root root  338 Jan 17 16:03 99needrestart
-rw-r--r-- 1 root root   32 Jan 24 17:53 99synaptic
-rw-r--r-- 1 root root   43 Jan 29  2016 overwrite

I'll try to isolate the responsible package as time permits...

-- 
Laurent.



Bug#852697: [pkg-gnupg-maint] Bug#852697: gnupg-agent: automatically starts gpg-agent in root user slice

2017-01-26 Thread Daniel Kahn Gillmor
Hi Laurent--

On Thu 2017-01-26 09:06:03 -0500, Laurent Bonnaud wrote:
> I usually remotely log in (via ssh) as root on a system where gnupg
> packages are installed and I noticed that a gpg-agent process is
> created for the root user:
>
> # systemd-cgls
> Control group /:
> -.slice
> ├─user.slice
> │ └─user-0.slice
> │   ├─user@0.service
> │   │ ├─dbus.service
> │   │ │ └─16957 /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslo
> │   │ ├─gpg-agent.service
> │   │ │ └─15353 /usr/bin/gpg-agent --supervised
> │   │ ├─init.scope
> │   │ │ ├─31495 /lib/systemd/systemd --user
> │   │ │ └─31497 (sd-pam)
> │   │ └─gvfs-daemon.service
> │   │   ├─17040 /usr/lib/gvfs/gvfsd
> │   │   └─17045 /usr/lib/gvfs/gvfsd-fuse /run/user/0/gvfs -f -o big_writes
>
> This process is of no use to the root user and therefore the system
> would be better without it.  Would it be possible to prevent the
> creation of this process?

It should only be active because some process queried the gpg-agent.  If
nothing queries the agent, then it won't get started.

Having it in the user@0.service subtree is good because that means it
will be terminated when your session ends.

You can safely terminate the systemd-supervised agent in the same way
that you would terminate any other systemd-supervised user service:

systemctl --user stop gpg-agent

But note that if some other process wants to talk to the agent, then
systemd will start it up again automatically as requested.

Does the agent process appear as soon as you log in?

Is it possible that something in your login scripts is invoking gpg in a
way that wants to talk to the agent?  

--dkg

