Bug 85263 - signing with gnupg-1.4* fails
Summary: signing with gnupg-1.4* fails
Status: RESOLVED FIXED
Alias: None
Product: Portage Development
Classification: Unclassified
Component: Repoman (show other bugs)
Hardware: All All
Importance: High critical
Assignee: Crypto team [DISABLED]
Blocks: 136665
Reported: 2005-03-14 14:14 UTC by Robin Johnson
Modified: 2009-10-01 22:08 UTC (History)

Attachments
strace2.log.bz2 (291.27 KB, application/octet-stream) 2006-06-14 03:48 UTC, Robin Johnson
strace3.log (9.18 KB, text/plain) 2006-06-14 04:28 UTC, Robin Johnson
Description Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2005-03-14 14:14:43 UTC
Since upgrading to gnupg-1.4*, repoman goes into an infinite loop trying to sign the manifest, and failing:

!!! YOU MUST sign the Manifest.
!!! You can also disable this for the time being by removing FEATURES='sign'gpg: WARNING: unsafe ownership on homedir `/home/robbat2/.gnupg'
gpg: failed to create temporary file `/home/robbat2/.gnupg/.#lk0x81220a4.curie-int.18765': Permission denied
gpg: keyblock resource `/home/robbat2/.gnupg/secring.gpg': general error
gpg: failed to create temporary file `/home/robbat2/.gnupg/.#lk0x81220a4.curie-int.18765': Permission denied
gpg: keyblock resource `/home/robbat2/.gnupg/pubring.gpg': general error
gpg: no default secret key: secret key not available
gpg: .//Manifest: clearsign failed: secret key not available
!!! YOU MUST sign the Manifest.
!!! You can also disable this for the time being by removing FEATURES='sign'gpg: WARNING: unsafe ownership on homedir `/home/robbat2/.gnupg'
gpg: failed to create temporary file `/home/robbat2/.gnupg/.#lk0x81220a4.curie-int.18766': Permission denied
gpg: keyblock resource `/home/robbat2/.gnupg/secring.gpg': general error
gpg: failed to create temporary file `/home/robbat2/.gnupg/.#lk0x81220a4.curie-int.18766': Permission denied
gpg: keyblock resource `/home/robbat2/.gnupg/pubring.gpg': general error
gpg: no default secret key: secret key not available
gpg: .//Manifest: clearsign failed: secret key not available
Exiting due to signal

This is running 'repoman ci' as root.
The net effect is that the regenerated Manifest doesn't get signed, and doesn't get committed, which is a major problem if you miss it, and the wrong Manifest gets out in a sync.

I am not certain, but the above may be due to a change in gnupg and not necessarily repoman.
Comment 1 Jason Stubbs (RETIRED) gentoo-dev 2005-04-12 07:06:54 UTC
Not sure but at a guess:

First you changed to root with "su" rather than "su -" so your HOME didn't get updated. Then...

gpg: WARNING: unsafe ownership on homedir `/home/robbat2/.gnupg'

Your .gnupg has the correct permissions but gpg incorrectly detects it because the user id doesn't match.

gpg: failed to create temporary file `/home/robbat2/.gnupg/.#lk0x81220a4.curie-int.18765': Permission denied
gpg: keyblock resource `/home/robbat2/.gnupg/secring.gpg': general error
gpg: failed to create temporary file `/home/robbat2/.gnupg/.#lk0x81220a4.curie-int.18765': Permission denied
gpg: keyblock resource `/home/robbat2/.gnupg/pubring.gpg': general error
gpg: no default secret key: secret key not available
gpg: .//Manifest: clearsign failed: secret key not available

gpg can't write to .gnupg because the user id doesn't match and it can't figure out what the deal is.


I'll leave the choice up to you.. Close this as invalid or reassign it to whoever does gpg so that perhaps they might patch it to handle the "running gpg as root but my user's environment" case a bit better.

As for the infinite loop bit, the best we can do is to limit it to five runs or something like that. The chance of broken manifests is always there unless infra prevents their propagation.
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2005-04-12 12:05:39 UTC
No, I don't use su like that.
Most of the time I'm logged in directly as root via SSH (Limited to a trusted network, and auth via SSH keys only).

In my make.conf I have:
PORTAGE_GPG_DIR=/home/robbat2/.gnupg
PORTAGE_GPG_KEY=3233C22C

I'll pass this along to the GPG maintainer for now, maybe they can help more, as it's definitely a regression in GPG from 1.2 (worked) to 1.4 (broken).
Comment 3 Jason Stubbs (RETIRED) gentoo-dev 2005-04-22 20:59:46 UTC
bug 72873 handles repoman's infinite loop issue.
Comment 4 Daniel Black (RETIRED) gentoo-dev 2005-06-21 05:48:52 UTC
still a problem? 
Comment 5 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2005-07-06 09:02:49 UTC
Yes the problem still exists.

OUTPUT follows:
>>> Computed message digests.

Checking in Manifest;
/var/cvsroot/gentoo-x86/net-fs/autofs/Manifest,v  <--  Manifest
new revision: 1.54; previous revision: 1.53
done
gpg: WARNING: unsafe ownership on homedir `/home/robbat2/.gnupg'
gpg: failed to create temporary file `/home/robbat2/.gnupg/.#lk0x811c0a4.curie-int.4839': Permission denied
gpg: keyblock resource `/home/robbat2/.gnupg/secring.gpg': general error
gpg: failed to create temporary file `/home/robbat2/.gnupg/.#lk0x811c0a4.curie-int.4839': Permission denied
gpg: keyblock resource `/home/robbat2/.gnupg/pubring.gpg': general error
gpg: no default secret key: secret key not available
gpg: .//Manifest: clearsign failed: secret key not available
!!! YOU MUST sign the Manifest.
!!! You can also disable this for the time being by removing FEATURES='sign'gpg: WARNING: unsafe ownership on homedir `/home/robbat2/.gnupg'
gpg: failed to create temporary file `/home/robbat2/.gnupg/.#lk0x811c0a4.curie-int.4843': Permission denied
gpg: keyblock resource `/home/robbat2/.gnupg/secring.gpg': general error
gpg: failed to create temporary file `/home/robbat2/.gnupg/.#lk0x811c0a4.curie-int.4843': Permission denied
gpg: keyblock resource `/home/robbat2/.gnupg/pubring.gpg': general error
gpg: no default secret key: secret key not available
gpg: .//Manifest: clearsign failed: secret key not available
!!! YOU MUST sign the Manifest.
!!! You can also disable this for the time being by removing FEATURES='sign'gpg: WARNING: unsafe ownership on homedir `/home/robbat2/.gnupg'
gpg: failed to create temporary file `/home/robbat2/.gnupg/.#lk0x811c0a4.curie-int.4846': Permission denied
gpg: keyblock resource `/home/robbat2/.gnupg/secring.gpg': general error
gpg: failed to create temporary file `/home/robbat2/.gnupg/.#lk0x811c0a4.curie-int.4846': Permission denied
gpg: keyblock resource `/home/robbat2/.gnupg/pubring.gpg': general error
gpg: no default secret key: secret key not available
gpg: .//Manifest: clearsign failed: secret key not available
!!! YOU MUST sign the Manifest.
!!! You can also disable this for the time being by removing FEATURES='sign'gpg: WARNING: unsafe ownership on homedir `/home/robbat2/.gnupg'
gpg: failed to create temporary file `/home/robbat2/.gnupg/.#lk0x811c0a4.curie-int.4848': Permission denied
gpg: keyblock resource `/home/robbat2/.gnupg/secring.gpg': general error
gpg: failed to create temporary file `/home/robbat2/.gnupg/.#lk0x811c0a4.curie-int.4848': Permission denied
gpg: keyblock resource `/home/robbat2/.gnupg/pubring.gpg': general error
gpg: no default secret key: secret key not available
gpg: .//Manifest: clearsign failed: secret key not available
!!! YOU MUST sign the Manifest.
!!! You can also disable this for the time being by removing FEATURES='sign'Exiting due to signal

The 'Exiting due to signal' is due to me hitting ctrl-C. The infinite loop still exists, however it doesn't spew so fast anymore because of the 3 second delay added in bug #72873.
Comment 6 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2005-12-01 00:15:52 UTC
*bump*
the problem still exists.
Comment 7 Alec Warner archtester Gentoo Infrastructure gentoo-dev Security 2006-01-27 20:11:30 UTC
Is this still a problem?  How are people signing stuff if it always loops? :)
Does this happen all the time or just some of the time...etc...Can anyone besides Robin reproduce this bug?
Comment 8 Peter Hyman 2006-06-14 03:07:12 UTC
(In reply to comment #2)
> No, I don't use su like that.
> Most of the time I'm logged in directly as root via SSH (Limited to a trusted network, and auth via SSH keys only).
> 
> In my make.conf I have:
> PORTAGE_GPG_DIR=/home/robbat2/.gnupg
> PORTAGE_GPG_KEY=3233C22C
> 

Try changing the PORTAGE_GPG_KEY to 0x3233C22C, or put another identifier (like an email or username). In addition, check to see if there is a /root/.gnupg directory and any gpg.conf in there. If so, make sure it either contains the same thing as your home, or just make sure any default key is the one you want.
Comment 9 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2006-06-14 03:36:29 UTC
I changed PORTAGE_GPG_KEY to 0x3233C22C, as you requested, same behavior.
Changing to a username or email will NOT give me the desired effect. 0x3233C22C is a subkey on my main key, that I intend on using explicitly for signing commits (this will be made clear when I post the signing proposals in a few days).

I'm going to strace this entire operation in a moment for you.

# !523
repoman ci -m 'Update metadata.'

Setting paths:
PORTDIR = "/usr/portage"
PORTDIR_OVERLAY = ""

RepoMan scours the neighborhood...
>>> Creating Manifest for /usr/gentoo-cvs/gentoo-x86/app-backup/amanda
  digest.assumed                 1
   digest-amanda-2.4.5::amanda-2.4.5.tar.gz

  digest.assumed                 1
   digest-amanda-2.4.5::amanda-2.4.5.tar.gz
Performing a cvs -n up with a little magic grep to check for updates.
* 1 files being committed... 0 have headers that will change.
* Files with headers will cause the manifests to be made and recommited.
myupdates: ['./metadata.xml']
myheaders: []


Using commit message:
------------------------------------------------------------------------------
Update metadata.
(Portage version: 2.1)
------------------------------------------------------------------------------

/var/cvsroot/gentoo-x86/app-backup/amanda/metadata.xml,v  <--  metadata.xml
new revision: 1.3; previous revision: 1.2

>>> Creating Manifest for /usr/gentoo-cvs/gentoo-x86/app-backup/amanda
  digest.assumed                 1
   digest-amanda-2.4.5::amanda-2.4.5.tar.gz
gpg: WARNING: unsafe ownership on homedir `/home/robbat2/.gnupg'
gpg: failed to create temporary file `/home/robbat2/.gnupg/.#lk0x8129260.curie-int.8076': Permission denied
gpg: keyblock resource `/home/robbat2/.gnupg/secring.gpg': general error
gpg: failed to create temporary file `/home/robbat2/.gnupg/.#lk0x8129260.curie-int.8076': Permission denied
gpg: keyblock resource `/home/robbat2/.gnupg/pubring.gpg': general error
gpg: no default secret key: secret key not available
gpg: ./Manifest: clearsign failed: secret key not available
!!! "!!! gpg exited with '512' status"
!!! Disabled FEATURES='sign'
/var/cvsroot/gentoo-x86/app-backup/amanda/Manifest,v  <--  Manifest
new revision: 1.19; previous revision: 1.18
Comment 10 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2006-06-14 03:48:57 UTC
Created attachment 89123
strace2.log.bz2

Sorry about the compression, the file was too big for a direct upload.
Comment 11 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2006-06-14 03:58:56 UTC
The interesting bits, with line numbers.
...
77671 [pid  8541] mmap2(NULL, 32768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f9d000
77672 [pid  8541] capset(0x19980330, 0, {CAP_IPC_LOCK, CAP_IPC_LOCK, 0}) = 0
77673 [pid  8541] mlock(0xb7f9d000, 32768)    = 0
77674 [pid  8541] capset(0x19980330, 0, {0, CAP_IPC_LOCK, 0}) = 0
77675 [pid  8541] getuid32()                  = 0
77676 [pid  8541] geteuid32()                 = 0
77677 [pid  8541] access("/home/robbat2/.gnupg/gpg.conf-1.4.3-ecc0.1.6", R_OK) = -1 EACCES (Permission denied)
77678 [pid  8541] access("/home/robbat2/.gnupg/gpg.conf-1.4.3", R_OK) = -1 EACCES (Permission denied)
77679 [pid  8541] access("/home/robbat2/.gnupg/gpg.conf-1.4", R_OK) = -1 EACCES (Permission denied)
77680 [pid  8541] access("/home/robbat2/.gnupg/gpg.conf-1", R_OK) = -1 EACCES (Permission denied)
77681 [pid  8541] access("/home/robbat2/.gnupg/gpg.conf", R_OK) = -1 EACCES (Permission denied)
77682 [pid  8541] stat64("/home/robbat2/.gnupg", {st_dev=makedev(8, 10), st_ino=10748027, st_mode=S_IFDIR|0700, st_nlink=3, st_uid=10000, st_gid=100, st_blksize=4096, st_blocks=8, st_size=4096, st_atime=2005/02/09-22:08:00, st_mtime=2006/06/14-02:35:55, st_ctime=2006/06/14-02:35:55}) = 0
77683 [pid  8541] stat64("/home/robbat2", {st_dev=makedev(8, 10), st_ino=10747905, st_mode=S_IFDIR|0755, st_nlink=256, st_uid=10000, st_gid=100, st_blksize=4096, st_blocks=112, st_size=53248, st_atime=2005/06/02-19:58:09, st_mtime=2006/06/14-03:30:03, st_ctime=2006/06/14-03:30:03}) = 0
77684 [pid  8541] getuid32()                  = 0
77685 [pid  8541] write(2, "gpg: ", 5gpg: )        = 5
77686 [pid  8541] write(2, "WARNING: unsafe ownership on hom"..., 60WARNING: unsafe ownership on homedir `/home/robbat2/.gnupg'
77687 ) = 60
77688 [pid  8541] open("/home/robbat2/.gnupg/options", O_RDONLY|O_LARGEFILE) = -1 EACCES (Permission denied)
77689 [pid  8541] access("/home/robbat2/.gnupg/random_seed", F_OK) = -1 EACCES (Permission denied)
77690 [pid  8541] open("/home/robbat2/.gnupg/secring.gpg", O_RDONLY|O_LARGEFILE) = -1 EACCES (Permission denied)
77691 [pid  8541] access("/home/robbat2/.gnupg/secring.gpg", F_OK) = -1 EACCES (Permission denied)
77692 [pid  8541] access("/home/robbat2/.gnupg", F_OK) = 0
77693 [pid  8541] getpid()                    = 8541
77694 [pid  8541] uname({sysname="Linux", nodename="curie-int", release="2.6.13-gentoo", version="#1 Fri Sep 2 00:50:40 PDT 2005", machine="i686"}) = 0
77695 [pid  8541] getpid()                    = 8541
77696 [pid  8541] open("/home/robbat2/.gnupg/.#lk0x8129260.curie-int.8541", O_WRONLY|O_CREAT|O_EXCL|O_LARGEFILE, 0644) = -1 EACCES (Permission denied)
77697 [pid  8541] write(2, "gpg: ", 5gpg: )        = 5
77698 [pid  8541] write(2, "failed to create temporary file "..., 103failed to create temporary file `/home/robbat2/.gnupg/.#lk0x8129260.curie-int.8541':       Permission denied
77699 ) = 103

Very interestingly, look at these:
77675 [pid  8541] getuid32()                  = 0
77676 [pid  8541] geteuid32()                 = 0
...
77684 [pid  8541] getuid32()                  = 0
...
77691 [pid  8541] access("/home/robbat2/.gnupg/secring.gpg", F_OK) = -1 EACCES (Permission denied)

If we are running as root, why did access to that file get blocked? Maybe something with the capabilities stuff?
Comment 12 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2006-06-14 04:06:40 UTC
This just in, it is a breakage in the capabilities stuff.
USE=-caps emerge =gnupg-1.4*
and then repoman works fine.
Comment 13 Peter Hyman 2006-06-14 04:16:02 UTC
mars tmp #  gpg -a --clearsign -u 0x467fbf7d --homedir /home/peter/.gnupg test.sh
gpg: WARNING: unsafe ownership on homedir `/home/peter/.gnupg'

You need a passphrase to unlock the secret key for
user: "Peter Hyman (GnuPG Key for Peter Hyman) <pete@peterhyman.com>"
1024-bit DSA key, ID 467FBF7D, created 2003-06-20

File `test.sh.asc' exists. Overwrite? (y/N) y

This was an attempt to simulate the signing of a file with a key owned by a user as root. Works for me 
Comment 14 Peter Hyman 2006-06-14 04:17:58 UTC
Great! I am glad you were able to discover that. I have -caps in my use flags for gnupg. So, I never would have been able to reproduce. The repoman source for this action looked OK afaik. I was stumped! Good work!
Comment 15 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2006-06-14 04:28:10 UTC
Created attachment 89127
strace3.log

Here is a log of just gnupg running, that shows only its failure, and none of the repoman bloat.
Comment 16 Peter Hyman 2006-06-14 04:37:09 UTC
***
*** WARNING: using capabilities with GnuPG is experimental code!
***" 

and

***
*** The use of capabilities on this system is not possible.
*** You need a recent Linux kernel and some patches:
***   fcaps-2.2.9-990610.patch      (kernel patch for 2.2.9)
***   fcap-module-990613.tar.gz     (kernel module)
***   libcap-1.92.tar.gz            (user mode library and utilities)
*** And you have to configure the kernel with CONFIG_VFS_CAP_PLUGIN
*** set (filesystems menu). Be warned: This code is *really* ALPHA.
***"

You did see this in configure, didn't you?
Comment 17 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2006-06-14 04:45:27 UTC
Miles ahead of you there.
I'm the developer that added libcap to the tree.
1.92 is a misnomer, they renumbered it.
1.92 was released in 1998. 1.10 is the current version.

Capabilities were alpha-level code in the 2.2 kernel, but that was MANY years ago.
They are stable in 2.6, it's just gnupg using them wrongly it seems.
Comment 18 Peter Hyman 2006-06-14 05:07:52 UTC
(In reply to comment #17)
> Miles ahead of you there.
(you and the rest of the world :) )

> I'm the developer that added libcap to the tree.
> 1.92 is a misnomer, they renumbered it.
> 1.92 was released in 1998. 1.10 is the current version.
> 
Shoot me! I'm the idiot! But seriously, I did not know your involvement.

> Capabilities were alpha-level code in the 2.2 kernel, but that was MANY years
> ago.
> They are stable in 2.6, it's just gnupg using them wrongly it seems.
> 
Well, at least it (gnupg) warns of that in configure. From my brief review, I am not sure what "capabilities" are added. And, btw, I was not able to find the VFS_CAP_PLUGIN anywhere in the kernel tree. Is a patch still needed? At least we know the cause, although not the solution, to the problem. :)

Comment 19 Peter Hyman 2006-06-14 05:11:53 UTC
no solutions other than -cap which is where I am at.
Comment 20 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2006-06-14 05:46:20 UTC
Here's a testcase of what gnupg SHOULD be doing.

Testcase output as a user:
initial - Caps: 134524940 is =i cap_setpcap-i
point #1 (should be cap_ipc_lock+ep) - Caps: 134524972 is =i cap_setpcap-i
39:errno=(1,Operation not permitted)
point #2 (should be cap_ipc_lock+p) - Caps: 134524972 is =i cap_setpcap-i
47:errno=(1,Operation not permitted)
point #3 (should be cap_ipc_lock-eip) - Caps: 134524972 is =i cap_setpcap,cap_ipc_lock-i
point #4 (Should be cap_ipc_lock+ep) - Caps: 134525004 is =i cap_setpcap,cap_ipc_lock-i
point #5 (should be all-eip) - Caps: 134525076 is =
point #6 (should be all+eip) - Caps: 134525124 is =
65:errno=(1,Operation not permitted)
end - Caps: 134525124 is =

Testcase output as root:
initial - Caps: 134524940 is =eip cap_setpcap-eip
point #1 (should be cap_ipc_lock+ep) - Caps: 134524972 is =eip cap_setpcap-eip
point #2 (should be cap_ipc_lock+p) - Caps: 134524972 is =eip cap_ipc_lock-e cap_setpcap-eip
point #3 (should be cap_ipc_lock-eip) - Caps: 134524972 is =eip cap_setpcap,cap_ipc_lock-eip
point #4 (Should be cap_ipc_lock+ep) - Caps: 134525004 is =eip cap_setpcap,cap_ipc_lock-eip
point #5 (should be all-eip) - Caps: 134525084 is =
point #6 (should be all+eip) - Caps: 134525132 is =
65:errno=(13,Permission denied)
end - Caps: 134525132 is =

Testcase:
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/capability.h>	/* libcap: build with gcc -o testcase testcase.c -lcap */
#ifndef O_LARGEFILE
#define O_LARGEFILE	0100000
#endif

#define FILENAME "/home/robbat2/.gnupg/.#lk0x8129260.curie-int.8541"

/* Print the current sets in cap_to_text() form. The number is the cap_t
 * handle printed as an integer, which is where the 1345249xx values above come from. */
void print_cap(char* prefix) {
	cap_t current_cap = cap_get_proc();
	char* cap_string = cap_to_text(current_cap, NULL);
	printf("%s - Caps: %ld is %s\n", prefix, (long)(intptr_t)current_cap, cap_string);
	cap_free(cap_string);
	cap_free(current_cap);
}

/* Report errno (tagged with the calling source line) and reset it. */
void pe(int l) {
	if (errno != 0) { printf("%d:errno=(%d,%s)\n", l, errno, strerror(errno)); }
	errno = 0;
}

/* Whole-set replacement in cap_from_text() syntax, as gnupg does it.
 * errno is deliberately not reported here, so a failure shows up at the
 * next pe() call exactly as in the runs above. */
void set_from_text(const char* text) {
	cap_t c = cap_from_text(text);
	cap_set_proc(c);
	cap_free(c);
}

int main(int argc, char** argv) {
	unlink(FILENAME);
	print_cap("initial");
	errno = 0;

	cap_t current_cap = cap_get_proc();
	cap_value_t caps[] = {CAP_IPC_LOCK};

	/* Same intent as cap_set_proc(cap_from_text("cap_ipc_lock+ep")), but
	 * edited into the existing set so the other capabilities are kept. */
	cap_set_flag(current_cap, CAP_EFFECTIVE, 1, caps, CAP_SET);
	pe(__LINE__);
	cap_set_flag(current_cap, CAP_PERMITTED, 1, caps, CAP_SET);
	pe(__LINE__);
	cap_set_proc(current_cap);
	print_cap("point #1 (should be cap_ipc_lock+ep)");

	/* Same intent as cap_set_proc(cap_from_text("cap_ipc_lock+p")). */
	cap_set_flag(current_cap, CAP_EFFECTIVE, 1, caps, CAP_CLEAR);
	pe(__LINE__);
	cap_set_flag(current_cap, CAP_PERMITTED, 1, caps, CAP_SET);
	pe(__LINE__);
	cap_set_proc(current_cap);
	print_cap("point #2 (should be cap_ipc_lock+p)");

	/* Drop cap_ipc_lock from all three sets. */
	cap_set_flag(current_cap, CAP_EFFECTIVE, 1, caps, CAP_CLEAR);
	pe(__LINE__);
	cap_set_flag(current_cap, CAP_PERMITTED, 1, caps, CAP_CLEAR);
	pe(__LINE__);
	cap_set_flag(current_cap, CAP_INHERITABLE, 1, caps, CAP_CLEAR);
	pe(__LINE__);
	cap_set_proc(current_cap);
	print_cap("point #3 (should be cap_ipc_lock-eip)");
	cap_free(current_cap);

	/* The whole-set replacements gnupg actually performs. */
	set_from_text("cap_ipc_lock+ep");
	print_cap("point #4 (Should be cap_ipc_lock+ep)");
	set_from_text("all-eip");
	print_cap("point #5 (should be all-eip)");
	set_from_text("all+eip");
	print_cap("point #6 (should be all+eip)");

	/* The lock-file open that gnupg fails on (see the strace above). */
	int fd = open(FILENAME, O_WRONLY|O_CREAT|O_EXCL|O_LARGEFILE, 0644);
	pe(__LINE__);
	if (fd >= 0) { close(fd); unlink(FILENAME); }
	print_cap("end");
	return 0;
}
=== end of testcase

However:
cap_set_proc( cap_from_text("cap_ipc_lock+ep") );
and
cap_set_proc( cap_from_text("cap_ipc_lock+p") );
These are the existing code from gnupg.
The problem with them is that they CLEAR all of the other privileges.
This blocks root from accessing items that aren't owned by root ;-), like the .gnupg home directory.
Additionally, that capability can't actually be granted to users without the gpg binary being setuid, and still leaves things broken for root regardless.

crypto team: I vote for disabling capabilities usage in gnupg, since it's not entirely clear what upstream was actually trying to accomplish.
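The effect described in the comment above, as an added example that is not part of the bug, of gnupg or of Gentoo: a set built from only "cap_ipc_lock+ep" contains nothing else, so applying it strips CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH, the capabilities root relies on to get into another user's mode 0700 .gnupg, whereas raising cap_ipc_lock on top of the current set keeps them. The example uses the raw capget(2)/capset(2) syscalls rather than libcap so it builds with plain gcc on Linux; the capability numbers and struct layout are those of linux/capability.h. The live part (only run as root) creates a 0700 directory under /tmp owned by uid 65534 as a stand-in for the user's .gnupg; that path and uid are assumptions.

```c
/* Added example (not from the bug, gnupg or Gentoo): what the two quoted
 * cap_set_proc(cap_from_text(...)) calls do to root's capability sets, using
 * the raw capget(2)/capset(2) syscalls so it builds without libcap.
 * Build: gcc -Wall -o capdemo capdemo.c   (Linux only)
 * Run as root to see the live EACCES; unprivileged it only prints the masks. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* Masks for capabilities 0..31; CAP_DAC_OVERRIDE (1), CAP_DAC_READ_SEARCH (2)
 * and CAP_IPC_LOCK (14) from linux/capability.h all fit in the first word. */
struct capmask { uint32_t effective, permitted, inheritable; };
#define CAP_BIT(c) ((uint32_t)1u << (c))

int has_cap(uint32_t mask, int cap) { return (mask & CAP_BIT(cap)) != 0; }

/* cap_from_text("cap_ipc_lock+ep") starts from an EMPTY set, so the result
 * holds cap_ipc_lock and nothing else: applying it drops every other cap. */
struct capmask gnupg_style_set(void) {
	struct capmask m = { CAP_BIT(CAP_IPC_LOCK), CAP_BIT(CAP_IPC_LOCK), 0 };
	return m;
}

/* The non-destructive form (cap_get_proc + cap_set_flag in libcap terms):
 * keep whatever the process already has and only raise cap_ipc_lock. */
struct capmask preserving_set(struct capmask current) {
	current.effective |= CAP_BIT(CAP_IPC_LOCK);
	current.permitted |= CAP_BIT(CAP_IPC_LOCK);
	return current;
}

/* Read the calling thread's sets; capget needs no privilege. */
int read_caps(struct capmask *out) {
	struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
	struct __user_cap_data_struct data[2];
	memset(data, 0, sizeof data);
	if (syscall(SYS_capget, &hdr, data) != 0)
		return -1;
	out->effective = data[0].effective;
	out->permitted = data[0].permitted;
	out->inheritable = data[0].inheritable;
	return 0;
}

/* Replace the thread's sets with m (upper word cleared too, matching a
 * whole-set replacement). Dropping caps needs no privilege; raising does. */
int apply_caps(struct capmask m) {
	struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
	struct __user_cap_data_struct data[2];
	memset(data, 0, sizeof data);
	data[0].effective = m.effective;
	data[0].permitted = m.permitted;
	data[0].inheritable = m.inheritable;
	return syscall(SYS_capset, &hdr, data) == 0 ? 0 : -1;
}

static void show(const char *label, struct capmask m) {
	printf("%-12s e=%08x p=%08x  DAC_OVERRIDE=%d DAC_READ_SEARCH=%d IPC_LOCK=%d\n",
	       label, (unsigned)m.effective, (unsigned)m.permitted,
	       has_cap(m.effective, CAP_DAC_OVERRIDE),
	       has_cap(m.effective, CAP_DAC_READ_SEARCH),
	       has_cap(m.effective, CAP_IPC_LOCK));
}

int main(int argc, char **argv) {
	struct capmask cur;
	if (read_caps(&cur) != 0) { perror("capget"); return 1; }
	show("current", cur);
	show("gnupg-style", gnupg_style_set());
	show("preserving", preserving_set(cur));

	if (geteuid() != 0) { puts("not root: skipping the live open() test"); return 0; }

	/* Live test. Assumed: a mode 0700 directory owned by uid 65534 (nobody),
	 * standing in for another user's ~/.gnupg; created under /tmp if absent. */
	const char *dir = argc > 1 ? argv[1] : "/tmp/capdemo.d";
	if (mkdir(dir, 0700) != 0 && errno != EEXIST) { perror("mkdir"); return 1; }
	if (chown(dir, 65534, 65534) != 0) { perror("chown"); return 1; }
	char path[4096];
	snprintf(path, sizeof path, "%s/.#lk.capdemo", dir);

	/* Same whole-set replacement gnupg performs, then the lock-file open. */
	if (apply_caps(gnupg_style_set()) != 0) { perror("capset"); return 1; }
	int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
	if (fd < 0) {
		printf("root after cap_ipc_lock+ep: open(%s): %s\n", path, strerror(errno));
	} else {
		printf("open(%s) succeeded\n", path);
		close(fd);
		unlink(path);
	}
	return 0;
}
```

Run as root it reports the open failing with "Permission denied", the same EACCES the strace shows for gnupg's lock file, even though uid 0 never changed; run as a normal user it only prints the three masks. The check a packager wants before enabling a capabilities build is therefore not "does gpg run as root" but "does gpg still reach files root does not own after it has adjusted its own sets".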
Comment 21 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2006-06-14 05:47:22 UTC
Peter: I'm just annoyed at myself that I didn't strace gnupg sooner and spot this.
Comment 22 Daniel Black (RETIRED) gentoo-dev 2006-06-14 06:52:48 UTC
Good one Robin. Happy to remove caps. If upstream want to fix it for next release (if there is one) may add it back. It still leaves a requirement for +suid for <2.6.9 kernels so I am thinking of adding back to keep those 2.4 junkies happy. Thoughts?

Robin, you did the hard yards - want to report upstream this?
Comment 23 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2006-06-14 17:10:49 UTC
Ok, I've put out revision bumps of 1.4 and 1.9 that now have capabilities disabled. I'm going to talk to upstream and see what they think should be done.
Comment 24 Martin Mokrejš 2009-10-01 22:08:34 UTC
Hi, what is the current status of USE=caps support in gnupg-2.0.11 and pinentry-0.7.6? The latter package ebuild has in pkg_postinst():

<quote>
To do so activate the caps USE flag and add the CAP_IPC_LOCK capability to the permitted set of your users."
</quote>

Googling around I could find what you mean with this. Saw some hints about /etc/capabilities file but I do not have this file and maybe that was 2.2 kernel time?