Job objects on Windows interfere with automatic start of gpg-agent
Closed, ResolvedPublic

Description

If a gpg.exe process is assigned to a job object, an automatically started gpg-agent.exe process inherits this association to the job object. While this is probably an uncommon situation, it can cause problems in the following scenario:

  1. The parent process creates a job object (Win32 system call CreateJobObject()).
  2. It starts gpg.exe and assigns it to the job object (AssignProcessToJobObject()).
  3. gpg.exe starts gpg-agent.exe.
  4. gpg.exe terminates.
  5. The parent process closes the job object. This terminates gpg-agent.exe similar to a kill (-process_group, SIGKILL) on Unix.

The gpg-agent process can't close and clean up its sockets. The next time gpg needs gpg-agent, it tries to connect it through the broken sockets and waits several seconds before it gives up and starts a new gpg-agent. This can considerably slow down decryptions.

jegrp created this task.Jan 21 2019, 6:58 PM

I've developed a simple patch that sets the CREATE_BREAKAWAY_FROM_JOB flag when creating a new background process. This flag requires a special permission on the job object, which is tested first. This means that the patch only works if the parent process sets JOB_OBJECT_LIMIT_BREAKAWAY_OK on the job object, otherwise the behavior should be as without the patch.

aheinecke triaged this task as Normal priority.
aheinecke added a subscriber: aheinecke.

That is a very interesting problem that we did not have on our radar.

Thanks for your patch. I have to look at some documentation to understand it, but I try to have it included in the next release.

fwiw. Your patch is beautiful in which it follows our coding style and debug output. I'm confident that we will accept it but currently I have to read up on Job's a bit.

jegrp added a comment.Mar 26 2019, 6:49 PM

From: aheinecke (Andre Heinecke)
Sent: Montag, 28. Januar 2019 19:25

fwiw. Your patch is beautiful in which it follows our coding style and
debug output. I'm confident that we will accept it but currently I have
to read up on Job's a bit.

Is there a way I could help you with this? This issue is hampering adoption
of GnuPG 2 here.

--

Jan Echternach

Sorry, this did not make it into 3.1.6. But I'll definitely see about it for the next release. If it is an institutional / corporate issue you could also contract us through www.gnupg.com

aheinecke changed the task status from Open to Testing.Apr 29 2019, 9:37 AM

I've applied your patch with an additional comment to our master branch. Thanks!

aheinecke closed this task as Resolved.Sep 9 2019, 11:23 AM