Bug 640230 - app-crypt/pinentry-1.0.0-r2: permission denied for root
Summary: app-crypt/pinentry-1.0.0-r2: permission denied for root
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo's Team for Core System packages
Keywords: UPSTREAM
Depends on:
Reported: 2017-12-08 07:40 UTC by Alex Efros
Modified: 2023-01-13 13:45 UTC

See Also:
Package list:
Runtime testing required: ---


Description Alex Efros 2017-12-08 07:40:29 UTC
I was trying to use `gpg -d` as root to decrypt a file with a backup encrypted with a passphrase on a workstation and got a "permission denied" error. Previously this worked without errors, so I've debugged it a bit and it looks like pinentry does extra checks for file permissions which result in denying access for the root user because formally root doesn't have access to the required files (but of course root is able to read/write these files anyway, which is ignored by pinentry).

# id -u
crw--w---- 1 powerman tty      136, 18 Dec  8 09:20 /dev/pts/18
-rw------- 1 powerman powerman      49 Dec  1 03:37 /home/powerman/.Xauthority

# echo GETPIN | pinentry-gtk-2
No protocol specified
OK Pleased to meet you
S ERROR gtk2.? 83918950 
ERR 83918950 Inappropriate ioctl for device <Pinentry>
# echo GETPIN | pinentry-gtk-2 -T $GPG_TTY
No protocol specified
OK Pleased to meet you
S ERROR gtk2.? 83918849 
ERR 83918849 Permission denied <Pinentry>

Now let's change permissions to allow explicit access for root:

# chmod 0606 $XAUTHORITY
# echo GETPIN | pinentry-gtk-2
OK Pleased to meet you
D works in GTK
# chmod 0600 $XAUTHORITY
# chmod 0626 $GPG_TTY
# echo GETPIN | pinentry-gtk-2 -T $GPG_TTY
No protocol specified
OK Pleased to meet you
D works in ncurses

I've just installed app-crypt/pinentry-0.9.7-r1, which worked OK before, but it shows the same errors, so probably something else has changed in my environment.
Comment 1 Alex Efros 2017-12-08 08:02:42 UTC
Here is what happens on the syscall level:

# echo GETPIN | strace -e access,open pinentry -T $GPG_TTY |& egrep "$XAUTHORITY|$GPG_TTY"
access("/home/powerman/.Xauthority", R_OK) = -1 EACCES (Permission denied)
open("/dev/pts/2", O_RDONLY)            = -1 EACCES (Permission denied)

But access to these files isn't actually denied:

 0  2 49 /home/powerman/.Xauthority
# echo hi > $GPG_TTY

In the first case `wc` just does open() without access():

# strace -e access,open wc $XAUTHORITY |& grep $XAUTHORITY
open("/home/powerman/.Xauthority", O_RDONLY) = 3
 0  2 49 /home/powerman/.Xauthority

In the second case open() is called with different flags:

# strace -e access,open zsh -c 'echo hi > $GPG_TTY' |& grep $GPG_TTY
open("/dev/pts/2", O_RDWR|O_NOCTTY)     = 3
open("/dev/pts/2", O_WRONLY|O_CREAT|O_NOCTTY|O_TRUNC, 0666) = 3
# strace -e access,open bash -c 'echo hi > $GPG_TTY' |& grep $GPG_TTY
open("/dev/pts/2", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3

Might it have something to do with hardened/grsec? I'm using the latest

Portage 2.3.13 (python 2.7.14-final-0, default/linux/amd64/17.0/hardened, gcc-6.4.0, glibc-2.25-r9, 4.9.65-unofficial+grsec x86_64)
System uname: Linux-4.9.65-unofficial+grsec-x86_64-Intel-R-_Core-TM-_i7-2600K_CPU_@_3.40GHz-with-gentoo-2.4.1
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2018-03-20 19:44:04 UTC
This seems related to and . There is also a discussion containing workarounds in . Please work with upstream if you have issues with this, it isn't really a downstream issue.