Package: dirmngr
Version: 1.1.0-2
Severity: normal

In correspondence with upstream about dirmngr [0], Werner Koch raised
this concern about its Debian packaging:

> Get the permissions for Dirmngr right; last time I checked it was still
> run as root.

I believe he's referring to the system daemon, which appears to be the
case on my Debian system:

0 dkg@pip:~/tmp$ COLUMNS=200 ps -F $(pidof dirmngr)
UID PID PPID C SZ RSS PSR STIME TTY STAT TIME CMD
root 23395 1 0 1175 636 0 Mar13 ? Ss 0:11 /usr/bin/dirmngr --daemon --sh
0 dkg@pip:~/tmp$

Given that the socket it listens on is world-writable, this suggests
that any bugs in dirmngr present an opportunity for privilege
escalation.

Regards,

--dkg

[0] http://lists.gnupg.org/pipermail/gnupg-devel/2012-March/026620.html

-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 3.2.0-1-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages dirmngr depends on:
ii adduser 3.113+nmu1
ii dpkg 1.16.1.2
ii install-info 4.13a.dfsg.1-8
ii libassuan0 2.0.3-1
ii libc6 2.13-27
ii libgcrypt11 1.5.0-3
ii libgpg-error0 1.10-3
ii libksba8 1.2.0-2
ii libldap-2.4-2 2.4.28-1.1
ii libpth20 2.0.7-16
ii lsb-base 3.2-28.1
dirmngr recommends no packages.
dirmngr suggests no packages.
-- no debconf information
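
The condition described in the report (a daemon running as root while listening on a world-writable Unix socket) can be audited system-wide on Linux. The following is an added example, not part of the original report or of dirmngr; it assumes a Linux /proc filesystem, and all function names are illustrative.

```python
import os
import stat

SO_ACCEPTCON = 0x10000  # Flags bit in /proc/net/unix marking a listening socket

def listening_sockets(proc_net_unix):
    """Map inode -> filesystem path for listening pathname sockets."""
    found = {}
    for line in proc_net_unix.splitlines()[1:]:  # skip the header row
        f = line.split(None, 7)  # Num RefCount Protocol Flags Type St Inode Path
        if len(f) == 8 and int(f[3], 16) & SO_ACCEPTCON and f[7].startswith("/"):
            found[int(f[6])] = f[7]  # unnamed and abstract ("@") sockets are skipped
    return found

def socket_owners(inodes, proc="/proc"):
    """Map inode -> (pid, uid) by scanning /proc/<pid>/fd (run as root to see all)."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            # Owner of /proc/<pid> is normally the process's effective uid.
            uid = os.stat(os.path.join(proc, pid)).st_uid
            for fd in os.listdir(fd_dir):
                target = os.readlink(os.path.join(fd_dir, fd))
                if target.startswith("socket:[") and int(target[8:-1]) in inodes:
                    owners[int(target[8:-1])] = (int(pid), uid)
        except OSError:
            continue  # process exited, or its fd table is not readable by us
    return owners

def is_exposed(uid, mode):
    """True when a root-owned listener's socket file is writable by 'other'."""
    return uid == 0 and bool(mode & stat.S_IWOTH)

def audit(proc_net_unix):
    """Return (pid, path, mode) for each root listener on a world-writable socket."""
    socks = listening_sockets(proc_net_unix)
    report = []
    for inode, (pid, uid) in socket_owners(socks).items():
        try:
            mode = os.stat(socks[inode]).st_mode
        except OSError:
            continue  # socket file removed or path not reachable
        if is_exposed(uid, mode):
            report.append((pid, socks[inode], oct(stat.S_IMODE(mode))))
    return report

if __name__ == "__main__":
    with open("/proc/net/unix") as fh:
        for pid, path, mode in audit(fh.read()):
            print(f"root pid {pid} listens on world-writable {path} ({mode})")
```

A hit only means the socket file itself is world-writable; whether unprivileged users can actually reach it also depends on the search permissions of its parent directories.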