I was trying to use `gpg -d` as root to decrypt a backup file encrypted with a passphrase on my workstation and got a "permission denied" error. Previously this worked without errors, so I've debugged it a bit, and it looks like pinentry does extra checks for file permissions which result in denying access for the root user because formally root doesn't have access to the required files (but of course root is able to read/write these files anyway, which pinentry ignores).

    # id -u
    0
    # ls -l $XAUTHORITY $GPG_TTY
    crw--w---- 1 powerman tty      136, 18 Dec  8 09:20 /dev/pts/18
    -rw------- 1 powerman powerman      49 Dec  1 03:37 /home/powerman/.Xauthority
    # echo GETPIN | pinentry-gtk-2
    No protocol specified
    OK Pleased to meet you
    S ERROR gtk2.? 83918950
    ERR 83918950 Inappropriate ioctl for device <Pinentry>
    # echo GETPIN | pinentry-gtk-2 -T $GPG_TTY
    No protocol specified
    OK Pleased to meet you
    S ERROR gtk2.? 83918849
    ERR 83918849 Permission denied <Pinentry>

Now let's change permissions to allow explicit access for root:

    # chmod 0606 $XAUTHORITY
    # echo GETPIN | pinentry-gtk-2
    OK Pleased to meet you
    D works in GTK
    OK
    # chmod 0600 $XAUTHORITY
    # chmod 0626 $GPG_TTY
    # echo GETPIN | pinentry-gtk-2 -T $GPG_TTY
    No protocol specified
    OK Pleased to meet you
    D works in ncurses
    OK

I've just installed app-crypt/pinentry-0.9.7-r1, which worked OK before, but it shows the same errors, so probably something else has changed in my environment.
Here is what happens at the syscall level:

    # echo GETPIN | strace -e access,open pinentry -T $GPG_TTY |& egrep "$XAUTHORITY|$GPG_TTY"
    access("/home/powerman/.Xauthority", R_OK) = -1 EACCES (Permission denied)
    open("/dev/pts/2", O_RDONLY) = -1 EACCES (Permission denied)

But access to these files isn't actually denied:

    # wc $XAUTHORITY
     0  2 49 /home/powerman/.Xauthority
    # echo hi > $GPG_TTY
    hi

In the first case `wc` just does open() without access():

    # strace -e access,open wc $XAUTHORITY |& grep $XAUTHORITY
    open("/home/powerman/.Xauthority", O_RDONLY) = 3
     0  2 49 /home/powerman/.Xauthority

In the second case open() is called with different flags:

    # strace -e access,open zsh -c 'echo hi > $GPG_TTY' |& grep $GPG_TTY
    open("/dev/pts/2", O_RDWR|O_NOCTTY) = 3
    open("/dev/pts/2", O_WRONLY|O_CREAT|O_NOCTTY|O_TRUNC, 0666) = 3
    hi
    # strace -e access,open bash -c 'echo hi > $GPG_TTY' |& grep $GPG_TTY
    open("/dev/pts/2", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
    hi

Might it have something to do with hardened/grsec? I'm using the latest https://github.com/minipli/linux-unofficial_grsec.
Portage 2.3.13 (python 2.7.14-final-0, default/linux/amd64/17.0/hardened, gcc-6.4.0, glibc-2.25-r9, 4.9.65-unofficial+grsec x86_64)
=================================================================
System uname: Linux-4.9.65-unofficial+grsec-x86_64-Intel-R-_Core-TM-_i7-2600K_CPU_@_3.40GHz-with-gentoo-2.4.1
KiB Mem:    24643800 total,   2633980 free
KiB Swap:          0 total,         0 free
Timestamp of repository gentoo: Thu, 07 Dec 2017 06:45:01 +0000
Head commit of repository gentoo: 357253b38a46dce4aa13a6b419eed78b486ea350
sh bash 4.3_p48-r1
ld GNU ld (Gentoo 2.29.1 p3) 2.29.1
app-shells/bash:          4.3_p48-r1::gentoo
dev-java/java-config:     2.2.0-r3::gentoo
dev-lang/perl:            5.26.1-r1::gentoo
dev-lang/python:          2.7.14-r1::gentoo, 3.5.4-r1::gentoo
dev-util/cmake:           3.8.2::gentoo
dev-util/pkgconfig:       0.29.2::gentoo
sys-apps/baselayout:      2.4.1-r2::gentoo
sys-apps/openrc:          0.34.11::gentoo
sys-apps/sandbox:         2.10-r4::gentoo
sys-devel/autoconf:       2.13::gentoo, 2.69::gentoo
sys-devel/automake:       1.11.6-r2::gentoo, 1.15.1-r1::gentoo
sys-devel/binutils:       2.29.1-r1::gentoo
sys-devel/gcc:            6.4.0::gentoo
sys-devel/gcc-config:     1.8-r1::gentoo
sys-devel/libtool:        2.4.6-r3::gentoo
sys-devel/make:           4.2.1::gentoo
sys-kernel/linux-headers: 4.4::gentoo (virtual/os-headers)
sys-libs/glibc:           2.25-r9::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: rsync
    sync-uri: rsync://rsync1.uk.gentoo.org/gentoo-portage
    priority: -1000
    sync-rsync-extra-opts: --exclude ChangeLog --delete-excluded

local
    location: /usr/local/portage
    masters: gentoo
    priority: 0

gamerlay
    location: /var/lib/layman/gamerlay
    masters: gentoo
    priority: 50

games-overlay
    location: /var/lib/layman/games-overlay
    masters: gentoo
    priority: 50

powerman
    location: /home/powerman/proj/gentoo/powerman-overlay
    masters: gentoo
    priority: 50

ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /service /usr/inferno/keydb /usr/inferno/lib /usr/inferno/services /usr/lib64/libreoffice/program/sofficerc /usr/share/config /usr/share/easy-rsa /usr/share/gnupg/qualified.txt /usr/share/i2p/scripts /var/log /var/qmail/alias /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/usr/portage-distfiles"
EMERGE_DEFAULT_OPTS="--with-bdeps=y --autounmask-write --alert=y"
FCFLAGS="-march=native -O2 -pipe"
FEATURES="assume-digests binpkg-logs clean-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync multilib-strict news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-march=native -O2 -pipe"
GENTOO_MIRRORS="http://tux.rainside.sk/gentoo/ http://trumpetti.atm.tut.fi/gentoo/ http://gentoo.inode.at/"
LANG="ru_RU.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j8"
PKGDIR="/usr/portage-packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_EXTRA_OPTS="--exclude ChangeLog --delete-excluded"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="X a52 aac acl acpi adns aes alac alsa amd64 avx bash-completion berkdb bluetooth branding bzip2 cairo caps cdda cddb cdr chm cli consolekit cracklib crypt cups cxx dbus djvu dri dts dvb dvd dvdr emboss encode exif fam ffmpeg firefox flac fontconfig gallium gdbm gif glamor gpg gtk gtkstyle hardened iconv icu id3tag idn ipv6 jpeg jpeg2k justify lcms libnotify mac mad matroska mmx mmxext mng modules mp3 mp4 mpeg multilib musepack ncurses network-cron nls nptl nsplugin ogg opengl openmp pam pango pax_kernel pcre pdf perl pie png policykit popcnt ppds qt5 readline sdl seccomp session spell sse sse2 sse3 sse4_1 sse4_2 ssl ssp ssse3 startup-notification svg tcpd theora tiff truetype udev udisks unicode upower usb vdpau vim-syntax vorbis wavpack wxwidgets x264 xattr xcb xml xscreensaver xtpax xv xvid xvmc zlib"
ABI_X86="64"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
APACHE2_MODULES="log_config vhost_alias autoindex alias rewrite dir deflate filter mime negotiation auth_basic authn_file authz_host authz_user authz_groupfile cgi actions headers env setenvif authn_core authz_core unixd socache_shmcb access_compat"
CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author"
COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog"
CPU_FLAGS_X86="aes avx mmx mmxext popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3"
ELIBC="glibc"
GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx"
GRUB_PLATFORMS="efi-64 pc"
INPUT_DEVICES="evdev"
KERNEL="linux"
L10N="en ru"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer"
LINGUAS="en ru ru_RU"
NGINX_MODULES_HTTP="access auth_basic autoindex browser charset empty_gif fastcgi geo gzip limit_conn limit_req map memcached proxy referer rewrite scgi split_clients ssi upstream_ip_hash userid uwsgi fancyindex"
OFFICE_IMPLEMENTATION="libreoffice"
PHP_TARGETS="php5-6 php7-0"
POSTGRES_TARGETS="postgres9_5"
PYTHON_SINGLE_TARGET="python3_5"
PYTHON_TARGETS="python2_7 python3_5"
QEMU_SOFTMMU_TARGETS="x86_64 i386"
QEMU_USER_TARGETS="x86_64 i386"
RUBY_TARGETS="ruby22"
USERLAND="GNU"
VIDEO_CARDS="nvidia nouveau"
XFCE_PLUGINS="clock trash"
XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset: CC, CPPFLAGS, CTARGET, CXX, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS
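As an added example (not from the bug report, and not pinentry's or GnuPG's own code), the following C program issues the two syscalls the strace output above shows: access(2) the way pinentry probes a file, and open(2) the way wc and the shell actually use it. It reports whether the two verdicts agree on a given path, so it can be run as root against $XAUTHORITY and $GPG_TTY to confirm on a particular kernel whether access() says "denied" while open() succeeds. The function names, the verdict categories and the temporary-file helper are my own choices for this illustration and are not part of any GnuPG or Gentoo tooling.

```c
/* probe_access_vs_open.c: compare access(2) and open(2) verdicts on a path.
 * Illustration only, not code from pinentry or the bug report.
 * Build: cc -o probe probe_access_vs_open.c
 * Usage: ./probe "$XAUTHORITY" "$GPG_TTY"   (run as root to reproduce the report) */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Verdict categories returned by compare_path() (names chosen for this example). */
enum verdict {
    BOTH_ALLOW = 0,    /* access() and open() both succeed */
    ACCESS_DENIES = 1, /* access() fails but open() succeeds: the situation in the report */
    OPEN_DENIES = 2,   /* access() succeeds but open() fails */
    BOTH_DENY = 3,     /* both fail (path missing, or genuinely no permission) */
    SETUP_FAILED = -1  /* compare_tmp() could not create its test file */
};

/* 0 if access(path, mode) grants it, otherwise the errno it reported. */
int probe_access(const char *path, int mode)
{
    return access(path, mode) == 0 ? 0 : errno;
}

/* 0 if open(path, flags) succeeds (the descriptor is closed again), otherwise errno.
 * O_NOCTTY is always added so probing a tty never makes it our controlling terminal. */
int probe_open(const char *path, int flags)
{
    int fd = open(path, flags | O_NOCTTY);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Classify how the two syscalls judge PATH. */
int compare_path(const char *path, int access_mode, int open_flags)
{
    int a = probe_access(path, access_mode);
    int o = probe_open(path, open_flags);
    if (a == 0 && o == 0) return BOTH_ALLOW;
    if (a != 0 && o == 0) return ACCESS_DENIES;
    if (a == 0 && o != 0) return OPEN_DENIES;
    return BOTH_DENY;
}

/* Same comparison on a freshly created temporary file with the given mode bits
 * (constructed input for self-checking; the file is unlinked before returning). */
int compare_tmp(mode_t mode, int access_mode, int open_flags)
{
    char path[] = "/tmp/probeXXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return SETUP_FAILED;
    if (fchmod(fd, mode) != 0) {
        close(fd);
        unlink(path);
        return SETUP_FAILED;
    }
    close(fd);
    int v = compare_path(path, access_mode, open_flags);
    unlink(path);
    return v;
}

static const char *describe(int v)
{
    switch (v) {
    case BOTH_ALLOW:    return "access() and open() both allow";
    case ACCESS_DENIES: return "access() DENIES but open() succeeds (a pinentry-style check fails here)";
    case OPEN_DENIES:   return "access() allows but open() fails";
    case BOTH_DENY:     return "both deny";
    default:            return "setup failed";
    }
}

int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        printf("%s (uid %u, euid %u)\n", argv[i], (unsigned)getuid(), (unsigned)geteuid());
        printf("  R_OK vs O_RDONLY: %s\n", describe(compare_path(argv[i], R_OK, O_RDONLY)));
        printf("  W_OK vs O_WRONLY: %s\n", describe(compare_path(argv[i], W_OK, O_WRONLY)));
    }
    return 0;
}
```

On an unmodified kernel, root gets BOTH_ALLOW for a 0600 file owned by another user and for that user's pty; an ACCESS_DENIES result for those paths is the discrepancy the strace output above shows, and points at the kernel's handling of access(2) rather than at the file modes.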
This seems related to https://dev.gnupg.org/T1391 and https://dev.gnupg.org/T2739 . There is also a discussion containing workarounds in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=836772 . Please work with upstream if you have issues with this, it isn't really a downstream issue.