
gpg should explicitly set output file permissions during decryption
Open, Normal, Public

Description

When decrypting a file, GnuPG does not copy over the original file mode:

anarcat@curie:~$ echo foo > foo
anarcat@curie:~$ chmod 600 foo
anarcat@curie:~$ gpg -e -r anarcat@debian.org foo
anarcat@curie:~$ ls -l foo*
-rw------- 1 anarcat anarcat 4 fév 6 13:03 foo
-rw-r--r-- 1 anarcat anarcat 594 fév 6 13:04 foo.gpg

This can lead to involuntary content disclosure. For example, I had this in my
Git configuration:

[diff "gpg"]
    textconv = gpg --batch --keyid-format long --verbose

(relation to T2942 should be noted here)

With the above configuration, "git log -p -1" will make git create a temporary
file in /tmp/XXXX_foo.gpg (properly unreadable) and pass it to gpg, which will
decrypt it, and create a publicly readable copy of the cleartext content of the
private file.

Encryption is not affected, oddly enough.

I would suggest that decryption operations should always happen with a 077
umask, or at least 007. At the very least, original file permissions should be
preserved.

Details

Version
2.1.18

Event Timeline

anarcat added projects: gnupg, Bug Report.
anarcat added a subscriber: anarcat.

Well, it looks like I stand corrected: the problem happens both in encryption
and decryption. I *meant* to post about decryption, but I only pasted the setup
part... :p

[1012]anarcat@curie:~130$ rm foo
rm : supprimer fichier 'foo' ? y
[1013]anarcat@curie:~$ gpg foo.gpg
gpg: encrypted with 4096-bit RSA key, ID A51D5B109C5A5581, created 2009-05-29

"Antoine Beaupré <anarcat@orangeseeds.org>"

[1014]anarcat@curie:~$ ls -al foo*
-rw-r--r-- 1 anarcat anarcat 4 fév 6 13:16 foo
-rw-r--r-- 1 anarcat anarcat 594 fév 6 13:04 foo.gpg
[1015]anarcat@curie:~$ chmod 600 foo.gpg
[1016]anarcat@curie:~$ ls -al foo*^C
[1016]anarcat@curie:~130$ rm foo
rm : supprimer fichier 'foo' ? y
[1017]anarcat@curie:~$ gpg foo.gpg
gpg: encrypted with 4096-bit RSA key, ID A51D5B109C5A5581, created 2009-05-29

"Antoine Beaupré <anarcat@orangeseeds.org>"

[1018]anarcat@curie:~$ =k^C
[1018]anarcat@curie:~130$ ls -al foo*
-rw-r--r-- 1 anarcat anarcat 4 fév 6 13:16 foo
-rw------- 1 anarcat anarcat 594 fév 6 13:04 foo.gpg

I don't think it's a problem that the files created during encryption simply
obey the umask.

I do think that when gpg creates sensitive data, though, it should limit the
mode of its output to the mode of its input (filtered by the umask, of course).

if the mode of the input is INMODE, and the umask is UMASK, during decryption,
when gpg creates an output file, it should set the mode to (INMODE & ~UMASK).

(if gpg is decrypting and sending output to stdout, perhaps it wants to try
fchmod (1, INMODE & ~UMASK) as well?)

Sorry, to clarify my previous remark: I don't think gpg should change from its
current behavior during *encryption*. I do think it should be more constrained
in its output during *decryption*.
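The two proposals in this thread, a 077 umask for decryption output (the description) and an output mode of INMODE & ~UMASK derived from the input file (the comment above), come down to the same small piece of file-creation logic. The following is an added, self-contained C example written for this page; it is not GnuPG code and does not claim to match how gpg opens its output files. It computes the proposed mode, creates the output with O_EXCL so a pre-existing file or planted symlink in a shared directory such as /tmp is refused rather than followed, and sets the final mode explicitly with fchmod. The function names (output_mode, open_output_like_input, perm_bits_of) are this example's own.

```c
/* Added example (not GnuPG code): create a decryption output file whose
 * permission bits are the input file's mode filtered by the umask,
 * i.e. INMODE & ~UMASK as proposed in the comment above. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Permission bits to carry over; setuid/setgid/sticky are never copied. */
#define PERM_BITS (S_IRWXU | S_IRWXG | S_IRWXO)

/* Read the process umask without changing it (umask() has no read-only form). */
mode_t current_umask(void)
{
    mode_t m = umask(0);
    umask(m);
    return m;
}

/* The proposed rule: output mode = input mode & ~umask, permission bits only. */
mode_t output_mode(mode_t inmode, mode_t mask)
{
    return (inmode & ~mask) & PERM_BITS;
}

/* Create `outpath` for writing with a mode derived from `inpath`.
 * O_EXCL refuses to open an existing file or follow an existing symlink,
 * which matters for output written into world-writable directories.
 * Returns an open fd, or -1 with errno set. */
int open_output_like_input(const char *inpath, const char *outpath)
{
    struct stat st;
    if (stat(inpath, &st) != 0)
        return -1;
    mode_t mode = output_mode(st.st_mode, current_umask());
    int fd = open(outpath, O_WRONLY | O_CREAT | O_EXCL, mode);
    if (fd < 0)
        return -1;
    /* open() applies the umask again; that is harmless because `mode` already
     * excludes those bits, but fchmod makes the final mode explicit even if
     * the umask changed between the two calls. */
    if (fchmod(fd, mode) != 0) {
        int saved = errno;
        close(fd);
        unlink(outpath);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Permission bits of a path, or (mode_t)-1 on error; used for checking. */
mode_t perm_bits_of(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return (mode_t)-1;
    return st.st_mode & PERM_BITS;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s INPUT OUTPUT\n", argv[0]);
        return 2;
    }
    int fd = open_output_like_input(argv[1], argv[2]);
    if (fd < 0) {
        perror("open_output_like_input");
        return 1;
    }
    /* A real tool would write the decrypted plaintext to fd here. */
    close(fd);
    printf("%s created with mode %04o\n", argv[2],
           (unsigned)perm_bits_of(argv[2]));
    return 0;
}
```

With a 0600 input and a 022 umask the output comes out 0600; with a 0644 input and a 077 umask it also comes out 0600, which is the description's suggested behaviour. A setuid bit on the input is never propagated.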

werner renamed this task from gpg creates publicly readable files during decryption to gpg should explicitly set output file permissions during decryption. Feb 13 2017, 7:29 PM
werner removed a project: Bug Report.
werner added a subscriber: werner.

Would be surprising for a Unix tool, but given that we do that for certain files
anyway, I can imagine implementing this. (But no stdout fiddling - if that even
works.)

I'll change the title and set the priority to feature.