On Wed, Sep 7, 2016, at 04:48 PM, Daniel Kahn Gillmor wrote: > On Tue 2016-09-06 23:50:31 +0200, Ramakrishnan Muthukrishnan wrote: > > [dkg wrote:] > >> chgrp $(getent passwd keyring-user | cut -f4 -d:) $(tty) > > > > Hmm. That command errored out with a "permission denied". But the second > > one succeeded. > > sigh, sorry about that, i've been asking you to test things that i > really should have tried myself. it appears that the devpts filesystem > is much more limited than i expected it to be :/
No worries. I get to learn a bit in the process too and that's a nice thing about being a Free Software user. > >> chmod g+rw $(tty) > > > > As 'root', I added the keyring-user into the group 'tty' and then the > > signing worked just fine. > > hm, i'm not sure that's particularly safe. it implies that keyring-user > is able to write to any of the ttys on the system :/ Yes. As I wrote in the subsequent email, without adding keyring-user into the group (I did a `deluser keyring-user tty' to undo the above step), I was able to sign keys by adding just the read permission to the `group' members of tty. > maybe the right approach is to do something like hand over the tty as an > file descriptor? that'd require quite a bit more plumbing upstream :/ Hmm.. Yes, that is going to be a big change, I am guessing. > > I didn't know about exporting the extra socket. Still reading up on the > > gpg2 and associated programs. > > > > I think it is perfectly fine with the setup where I can switch to > > virtual terminal and log into the acccount. > > ok, i'm glad that setup works for you :) Please report back if you find > a good configuration that lets you use gpg-agent in this isolated mode. > I'll be at the OpenPGP.conf later this week and will try to brainstorm > with folks there about the right way to provide this sort of isolated > service effectively. Thanks very much. I will update the bts if I find anything interesting. Much appreciate your help. -- Ramakrishnan
