gpg issue

Jan Hudec bulb at ucw.cz
Wed Feb 15 07:05:56 GMT 2006


On Tue, Feb 14, 2006 at 19:09:28 -0600, John A Meinel wrote:
> Robert Collins wrote:
> > On Tue, 2006-02-14 at 15:04 -0600, John A Meinel wrote:
> > 
> >> You are right that it is a problem with pinentry, but it is how gpg is
> >> using gpg-agent, which is using pinentry.
> >> Doing:
> >>
> >> echo "foo" | gpg --clearsign
> >>
> >> Fails because pinentry cannot prompt the user
> >>
> >> echo "foo" | gpg --no-use-agent --clearsign
> >>
> >> Does successfully prompt me for a password.
> >>
> >> Do we need a temp dir, or just a temp file? Because by default a temp
> >> file is created as 0600, so other people can't read it anyway.
> > 
> > open file foo mode 0600
> > write content to be signed
> > close file foo
> > -attacker calls 'mv' and replaces the file with hostile content
> > gpg opens file foo
> > gpg signs bad content
> > gpg writes output file foo.asc
> > -attacker copies foo.asc and now has your signature on arbitrary data.
> 
> Actually, we don't close the file until we are done (because it uses
> NamedTemporaryFile, which deletes itself).
> 
> But you are right that it could be overwritten if someone was trying
> really hard and timed it just right. So I'll put it in a temporary
> directory writable only by me.

There is one more solution. It is not too portable, but I think
workarounds like this don't have to be....

Bash and Zsh both support something called "process substitution". On
systems that support /proc (it originated in Solaris and I believe is
present in all major Unices today) it works like this:

$ command <(othercommand arguments)

starts othercommand with arguments and gets its output on some (arbitrary)
file descriptor. The child inherits that descriptor, and the parenthesised
expression is replaced with /proc/self/fd/<fd>. No one can replace /that/.

It requires persuading Python not to close that descriptor on exec,
which should be doable with fcntl.

> >> I need some sort of workaround, and I don't think I can easily do it
> >> with a plugin. Though I guess I can write a plugin for a new GPGStrategy.
> > 
> > You can do that, but I agree that you should not have to.
> 
> Well, it was easy enough to do so. And you convinced me enough that it
> shouldn't be part of the core of bzr for security purposes.

Certainly it should not be enabled by default.

------

Another thing that IMHO should complete the hackaround would be:

import os
import sys
from bzrlib.trace import warning

try:
    try:
        os.ttyname(0)                 # stdin is already a terminal
        gpg_stdin = sys.stdin
    except OSError:
        # stdin is a pipe; hand gpg the terminal that stderr is attached to
        gpg_stdin = open(os.ttyname(2), 'r')
except EnvironmentError:
    warning("Failed to get terminal")
    gpg_stdin = None                  # fall back to gpg's own default

... and then when starting gpg, pass stdin=gpg_stdin

(just off the top of my head - might need some polishing)

-- 
						 Jan 'Bulb' Hudec <bulb at ucw.cz>
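As an added example (not code from this thread or from bzr), here is how the inherited-descriptor idea maps onto Python 3's subprocess API: `pass_fds` replaces the fcntl dance described above, and an unlinked `TemporaryFile` stands in for the process-substitution pipe so that no pathname ever exists for an attacker to `mv` over. The `sign_cmd` parameter is a constructed convenience for testing with a stand-in command.

```python
import subprocess
import tempfile


def sign_via_inherited_fd(content, sign_cmd=("gpg", "--clearsign")):
    """Feed `content` to a signing command through an inherited descriptor.

    A NamedTemporaryFile keeps a pathname in a shared directory for as long
    as it exists, which is the window Robert describes (attacker swaps the
    file between our write and gpg's open).  An unlinked TemporaryFile has
    no pathname at all; the child reaches the data via /dev/fd/<n>, which
    names *our* open descriptor and cannot be redirected by another user.
    Because the data does not travel over stdin, stdin stays free for the
    passphrase prompt that started this thread.
    """
    with tempfile.TemporaryFile() as tmp:   # unlinked immediately on POSIX
        tmp.write(content)
        tmp.flush()
        tmp.seek(0)   # /dev/fd/<n> may share our file offset (e.g. macOS)
        fd = tmp.fileno()
        # Python 3 sets O_CLOEXEC on everything by default; pass_fds is the
        # explicit "keep this one across exec" that fcntl was needed for.
        result = subprocess.run(
            list(sign_cmd) + ["/dev/fd/%d" % fd],
            pass_fds=(fd,),
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
            check=True,
        )
    return result.stdout
```

Unlike a pipe, the unlinked file also has no 64 KiB buffer limit, so large commits do not deadlock the parent while it waits for the child to start reading.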