Hi Ramakrishnan--

On Tue 2016-09-06 05:12:07 -0400, Ramakrishnan Muthukrishnan wrote:
> On Tue, Sep 6, 2016, at 12:47 PM, Daniel Kahn Gillmor wrote:
>> If it still fails, what happens when you expand the permissions on your
>> terminal before doing an su? For example, if your Keyring Account is
>> named "keyring-account" and you have the acl package installed, you
>> might try a wrapper like this:
>>
>> #!/bin/sh
>> setfacl -m u:keyring-account:rw $(tty)
>> su - keyring-account
>> setfacl -x u:keyring-account $(tty)
>
> Ok, I tried that. The first setfacl command is returning an error:
>
> "setfacl: /dev/pts/1: Operation not supported"
>
> After logging in, it had the same behaviour as before, failing with a
> Permission denied message. I am guessing the setfacl failed and hence it
> didn't have any effect.
hm, right, it looks like devpts doesn't support acls:

  https://serverfault.com/questions/398659/acl-on-dev-pts/398683
  https://lwn.net/Articles/121773/

That's a shame.

what about changing the group membership of the tty before triggering the
su - ?

  chgrp $(getent passwd keyring-user | cut -f4 -d:) $(tty)
  chmod g+rw $(tty)

to be clear: these tests are all diagnostics just to make sure we
understand the problem. I'd like in general to come up with a more useful
configuration that meets your goals.

To be clear: i think you're doing these operations separately because you
don't want to expose your secret key material to the Main Account. Is that
right? If so, have you considered launching a gpg-agent process from your
Keyring Account and exporting an "extra socket" that is accessible by your
Main Account? Would an arrangement like that meet your needs?

> I just tried logging into the machine from the terminal (with the
> pinentry-program set to the ncurses version setup in the conf file) and
> that worked perfectly. So, this "bug" is not blocking me from signing
> the keys.

OK, that's good to hear :)

--dkg
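The chgrp/chmod diagnostic above, written out as a wrapper that also puts the tty's original group and mode back when the `su -` session ends (so the extra access does not outlive the test). This is an added example, not code from the thread; it assumes GNU coreutils `stat -c` and takes the account name from a hypothetical `KEYRING_ACCOUNT` environment variable.

```shell
#!/bin/sh
# Added example (not from the thread): temporarily give the Keyring Account's
# primary group read/write access to the controlling tty for one `su -`
# session, then restore the original group and mode even if su fails.
# Assumes GNU coreutils (stat -c) and a devpts tty without ACL support.
set -u

# Extract the numeric primary GID (4th colon-separated field) of a passwd(5) line.
primary_gid_of_line() {
    printf '%s\n' "$1" | cut -d: -f4
}

# Resolve an account name to its primary GID via getent, as the thread does.
primary_gid() {
    line=$(getent passwd "$1") || return 1
    primary_gid_of_line "$line"
}

# A tty node must be a character device before we touch its permissions.
is_char_device() {
    [ -c "$1" ]
}

# Grant the account's group rw on the tty, run `su -`, restore afterwards.
share_tty_and_su() {
    account=$1
    tty_dev=$(tty) || { echo "no controlling tty" >&2; return 1; }
    is_char_device "$tty_dev" || { echo "not a tty node: $tty_dev" >&2; return 1; }
    gid=$(primary_gid "$account") || { echo "unknown account: $account" >&2; return 1; }
    # Remember the original group and mode so the grant is not left behind.
    orig_gid=$(stat -c '%g' "$tty_dev")
    orig_mode=$(stat -c '%a' "$tty_dev")
    restore() { chgrp "$orig_gid" "$tty_dev"; chmod "$orig_mode" "$tty_dev"; }
    trap restore EXIT INT TERM
    chgrp "$gid" "$tty_dev" && chmod g+rw "$tty_dev" || return 1
    su - "$account"
}

# Hypothetical entry point: KEYRING_ACCOUNT=keyring-account sh share-tty-su.sh
if [ -n "${KEYRING_ACCOUNT:-}" ]; then
    share_tty_and_su "$KEYRING_ACCOUNT"
fi
```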