Permission denied for root on other user's tty
Open, HighPublic

Description

I was trying to use gpg -d as root to decrypt file with backup encrypted with a passphrase on workstation and got "permission denied" error. Previously this works without errors.

$ id -u -n
powerman
$ ls -l $XAUTHORITY $GPG_TTY
crw--w---- 1 powerman tty      136, 7 Apr 16 12:26 /dev/pts/7
-rw------- 1 powerman powerman     49 Apr 14 19:37 /home/powerman/.Xauthority
$ echo GETPIN | pinentry-gtk-2
OK Pleased to meet you
D works
OK
$ echo GETPIN | pinentry-gtk-2 -T $GPG_TTY
OK Pleased to meet you
D works again
OK
$ echo GETPIN | pinentry-curses -T $GPG_TTY 
OK Pleased to meet you
D works too
OK

So far so good. Let's switch to root:

$ sudo -i
Password:
# id -u -n
root
# ls -l $XAUTHORITY $GPG_TTY
crw--w---- 1 powerman tty      136, 7 Apr 16 12:29 /dev/pts/7
-rw------- 1 powerman powerman     49 Apr 14 19:37 /home/powerman/.Xauthority
# echo GETPIN | pinentry-gtk-2
No protocol specified
OK Pleased to meet you
S ERROR gtk2.? 83918950 
ERR 83918950 Inappropriate ioctl for device <Pinentry>
# echo GETPIN | pinentry-gtk-2 -T $GPG_TTY
No protocol specified
OK Pleased to meet you
S ERROR gtk2.? 83918849 
ERR 83918849 Permission denied <Pinentry>
# echo GETPIN | pinentry-curses -T $GPG_TTY
OK Pleased to meet you
S ERROR curses.? 83918849 
ERR 83918849 Permission denied <Pinentry>

Now, we change file permissions and it helps:

# chmod o+rw $XAUTHORITY
# echo GETPIN | pinentry-gtk-2
OK Pleased to meet you
D fixed
OK
# echo GETPIN | pinentry-gtk-2 -T $GPG_TTY
OK Pleased to meet you
D fixed too
OK
# chmod o+rw $GPG_TTY
# echo GETPIN | pinentry-curses -T $GPG_TTY
OK Pleased to meet you
D also fixed
OK

Original report: https://bugs.gentoo.org/640230
Related issues: T1391, T2739

Details

Version
pinentry-1.0.0
powerman created this object in space S1 Public.
werner added a subscriber: werner.Apr 16 2018, 12:47 PM

Would you be able to test with pinentry 1.1.0 which has a few things to make debugging easier and is also what I am testing against. To check what permissions are wronf I would suggest to run under strace.

Just tested 1.1.0 - no difference. BTW, check references issues, they contain strace output and mention why this happens: dropped root capabilities to ignore file permissions.

werner triaged this task as High priority.Apr 17 2018, 8:37 PM
werner claimed this task.