gnupg permissions warning is mysterious and misleading
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
gnupg (Ubuntu) | Confirmed | Wishlist | Unassigned |
Bug Description
Binary package hint: gnupg
Technically this is the bad behavior in (invalid) bug 414812, but it should be fixed.
When using GPG, it will frequently say:
gpg: WARNING: unsafe ownership on configuration file...
The problem is that it doesn't specify what is wrong, which apparently can be from several sources, including running gpg as root (sudo or a sudo shell), or not having something right, but guessing is hard, particularly when "ls -l" and "ls -ld" show correct results. Running gpg as root is NOT unsafe ownership; it is the fact it is being run as root.
There are a lot of Google hits without any specific answer, including some marked [SOLVED].
gpg should explain, WARNING unsafe permissions ...
user running gpg is not owner (group) of file XXX
.gnupg directory permissions should be
.gnupg/XXX permissions should be 400 or 200
or whatever else can cause the message to appear.
I am marking this as a security vulnerability because after the 6th fruitless attempt to figure out what is causing the message, the typical response would be to alias in the --no-permission
False alarms lead to disabling the alarm. An alarm which cannot be traced back to the cause easily (it took me over 20 minutes since I really, really wanted to find the cause) will be considered a false alarm.
A virus scanner that reports "there may be a virus somewhere on your system" is useless - it needs to say which file or at least some information where it can be traced back.
If GPG detects a real vulnerability it needs to be specific and clear so it can be corrected and not ignored.
I don't know if running it as root would be considered one - in which case it should warn about being run as root which would put the other warnings in context if they aren't canceled by detecting root.
Changed in gnupg (Ubuntu):
status: New → Confirmed
importance: Undecided → Wishlist
security vulnerability: yes → no
visibility: private → public
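
One way to produce the kind of specific diagnosis the bug description asks for, as an added example (it is not GnuPG's code and not part of the report). The rules it applies are assumptions for illustration: the owner must match the calling uid, a directory must be closed to group/other, and a file must not be group/other writable. `diagnose` and `diagnose_homedir` are hypothetical names.

```python
import os
import stat


def diagnose(path, uid=None):
    """Return specific reasons why `path` would count as unsafe.

    Assumed rules (illustrative, not copied from GnuPG's source): the item
    must be owned by the calling user, a directory must grant nothing to
    group/other, and a file must not be writable by group/other.
    """
    uid = os.geteuid() if uid is None else uid
    st = os.stat(path)
    reasons = []
    if uid == 0 and st.st_uid != 0:
        # The sudo case from the report: the file is fine, the caller is root.
        reasons.append(f"running as root (uid 0) but {path} is owned by uid {st.st_uid}")
    elif st.st_uid != uid:
        reasons.append(f"{path} is owned by uid {st.st_uid}, not by the calling uid {uid}")
    mode = stat.S_IMODE(st.st_mode)
    if stat.S_ISDIR(st.st_mode):
        bad, rule = mode & 0o077, "a directory must grant nothing to group/other"
    else:
        bad, rule = mode & 0o022, "a file must not be writable by group/other"
    if bad:
        reasons.append(f"{path} has mode {mode:03o}: offending bits {bad:03o} ({rule})")
    return reasons


def diagnose_homedir(homedir, uid=None):
    """Check the homedir itself and every regular file directly inside it."""
    findings = diagnose(homedir, uid)
    for name in sorted(os.listdir(homedir)):
        full = os.path.join(homedir, name)
        if os.path.isfile(full):
            findings.extend(diagnose(full, uid))
    return findings


if __name__ == "__main__":
    # GNUPGHOME overrides the default ~/.gnupg location.
    home = os.environ.get("GNUPGHOME", os.path.expanduser("~/.gnupg"))
    for line in diagnose_homedir(home) or ["no ownership or permission problems found"]:
        print("gpg-perm-check:", line)
```

Each finding names the path, the uid or mode observed, and the rule it breaks, so the root-caller case is reported as such instead of as a generic ownership problem.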