apt-key leaves files in /dev open after exit
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
apt (Ubuntu) | New | Undecided | Unassigned |
curtin (Ubuntu) | New | Undecided | Unassigned |
gnupg2 (Ubuntu) | New | Undecided | Unassigned |
Bug Description
In Ubuntu 16.10, but not in 16.04, apt-key leaves /dev/null and /dev/urandom open after exiting. Here's a procedure to replicate the problem:
1. Install Ubuntu 16.10. (I used MAAS for this task.)
2. Install the "lsof" package (which is not installed by default).
3. Type "lsof | grep dev" to see open files.
4. Type "sudo apt-key adv --recv-keys --keyserver hkp://keyserver
5. Type "lsof | grep dev" again.
6. Compare the output of the two "lsof" commands.
I'm attaching two files, before.txt and after.txt, that show the before and after results from "lsof | grep dev" in this scenario. Note that the /dev/null and /dev/urandom files are both open after apt-key is run, but not before. This problem does NOT occur with Ubuntu 16.04.
This problem is preventing us (the server certification team) from importing keys in a custom MAAS preseed script; after installing successfully, unmounting the installed image fails because of the open files on /dev.
That isn't directly the fault of apt-key. It uses gpg, which in its >= 2.0 versions has split its operations into a multitude of daemons for security reasons. The daemons should be terminating themselves a few seconds after the directory they operate in disappears. That is at least the case for gpg-agent, but "a few seconds" is obviously too slow if you are in a hurry, so apt-key tries to kill it via gpgconf --kill gpg-agent (which isn't supported in all gpg versions, but at least in the one in Ubuntu, I hope). The manpage tells me that this isn't supported for dirmngr though, which is the daemon left in your case, so solving that from the apt-key side isn't exactly easy (short of implementing a sub-subprocess supervisor in shell script…), so I would feel tempted to declare that a problem of gpg and invalid for apt-key.
That said, your apt-key command is bad and should be replaced. Getting keys from a keyserver is hopelessly insecure (it is better with recent gpg versions), but still: your use of a short key ID screams security problem due to easy collisions, and hkp is a cleartext protocol, so it is just asking for MITM (and at least older gpg versions do no checks at all on the received key(s)).
I guess the simplest & best solution is to ship the key in your preseed script and drop it with an appropriate name (ending in .gpg) in /etc/apt/trusted.gpg.d/ – as a bonus, your system will not need gnupg installed (at least in terms of apt), gpgv will be enough.
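The reporter's unmount failure and the "a few seconds" daemon shutdown described above both come down to one question: does anything still hold a file open under the tree you are about to unmount? The following is an added example (not part of the bug report or of apt-key) that answers it from /proc alone, so it works in a preseed or late-command environment where lsof is not installed; it assumes a Linux /proc and that the caller may read the fd tables of the processes involved (i.e. root for daemons it did not start).

```sh
#!/bin/sh
# open_under DIR: print "PID PATH" for every open file descriptor, in any
# process whose /proc/PID/fd we may read, that resolves to a path under DIR.
# Equivalent to the reporter's "lsof | grep dev", restricted to one tree.
open_under() {
    udir=$(cd "$1" && pwd -P) || return 2      # canonical path, like readlink gives
    for fd in /proc/[0-9]*/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue   # unreadable/closed: skip
        case "$target" in
            "$udir"|"$udir"/*)                  # also matches "... (deleted)"
                pid=${fd#/proc/}; pid=${pid%%/*}
                printf '%s %s\n' "$pid" "$target"
                ;;
        esac
    done
}

# wait_released DIR [TIMEOUT]: poll once a second until nothing under DIR is
# open (daemons such as gpg-agent exit on their own shortly after their
# directory vanishes); return 0 when released, 1 when TIMEOUT seconds expire.
# Run this before "umount" instead of failing on the first EBUSY.
wait_released() {
    wdir=$1; remaining=${2:-10}
    while [ "$remaining" -gt 0 ]; do
        [ -z "$(open_under "$wdir")" ] && return 0
        sleep 1
        remaining=$((remaining - 1))
    done
    echo "still open under $wdir after ${2:-10}s:" >&2
    open_under "$wdir" >&2
    return 1
}
```

In the reporter's scenario the holders printed by `open_under /path/to/target/dev` are the gpg daemons; `gpgconf --kill gpg-agent` handles one of them, and the listing shows which others remain.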