Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

PGP: Enable creating a UID directory for GnuGP agent socket in /run/gnupg/user #285

Merged

Conversation

ppisar
Copy link
Contributor

@ppisar ppisar commented Sep 29, 2023

librepo used to precreate the directory in /run/user to make sure a GnuPG agent executed by GPGME library, one of librepo's PGP backends, places its socket there.

The UID directories there are normally created and removed by systemd (logind PAM session). librepo created them for a case when a package manager is invoked out of systemd session, before the super user logs in. E.g. by a timer job to cache repository metadata.

A problem was when this out-of-session process was a SELinux-confined process creating files with its own SELinux label. Then the UID directory was created with a SELinux label different from the one expected by systemd.

Later, the mismatching label interfered with systemd when logging out a corresponding user.

This patch fixes it by creating the UID directories in a different path which is not managed by systemd. That path is /run/gnupg/user. GnuPG recognizes the path if it is compiled with
--enable-run-gnupg-user-socket option.

Unfortunatelly, this patch cannot keep precreating directories in the old /run/user path for compatibility with GnuPG built without that option because that would still break systemd. Also GPGME does not provide a way for checking how GnuPG was configured. Therefore users who rely on precreating the directories by librepo need to keep their librepo and GnuPG in synchronization. So this patch adds a new -DUSE_RUN_GNUPG_USER_SOCKET=ON CMake option to use /run/gnupg/user. A default behavior is using the old /run/user.

https://issues.redhat.com/browse/RHEL-10720

…nupg/user

librepo used to precreate the directory in /run/user to make sure
a GnuPG agent executed by GPGME library, one of librepo's PGP
backends, places its socket there.

The UID directories there are normally created and removed by systemd
(logind PAM session). librepo created them for a case when a package
manager is invoked out of systemd session, before the super user logs
in. E.g. by a timer job to cache repository metadata.

A problem was when this out-of-session process was a SELinux-confined
process creating files with its own SELinux label. Then the UID
directory was created with a SELinux label different from the one expected
by systemd.

Later, the mismatching label interfered with systemd when logging out
a corresponding user.

This patch fixes it by creating the UID directories in a different
path which is not managed by systemd. That path is /run/gnupg/user.
GnuPG recognizes the path if it is compiled with
--enable-run-gnupg-user-socket option.

Unfortunatelly, this patch cannot keep precreating directories in the
old /run/user path for compatibility with GnuPG built without that
option because that would still break systemd. Also GPGME does not
provide a way for checking how GnuPG was configured. Therefore
users who rely on precreating the directories by librepo need to
keep their librepo and GnuPG in synchronization. So this patch adds
a new -DUSE_RUN_GNUPG_USER_SOCKET=ON CMake option to use
/run/gnupg/user. A default behavior is using the old /run/user.

https://issues.redhat.com/browse/RHEL-10720
@jrohel jrohel self-assigned this Oct 4, 2023
@jrohel
Copy link
Contributor

jrohel commented Oct 6, 2023

LGTM

@jrohel jrohel merged commit e206603 into rpm-software-management:master Oct 6, 2023
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants