[Bug 1124847] New: presence of gpg key disables ulimit and coredump in X11 session
http://bugzilla.suse.com/show_bug.cgi?id=1124847 Bug ID: 1124847 Summary: presence of gpg key disables ulimit and coredump in X11 session Classification: openSUSE Product: openSUSE Distribution Version: Leap 42.3 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Basesystem Assignee: bnc-team-screening@forge.provo.novell.com Reporter: ohering@suse.com QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- Fresh 15.0 in a VM, with XFCE desktop. I have not tried other desktops. After first boot, run xterm and ulimit -a: core is unlimited. Create some ssh key, reboot. After second boot, run xterm and ulimit -a: core is unlimited. Create some gpg key with 'gpg --quick-genkey string', reboot. After third boot, run xterm and ulimit -a: core is ... zero. Because "ulimit -c" is zero (via gpg-agent), no crashes are recorded as core files and the info about a crash is lost. What I found so far via debug kernel: lightdm calls bash, which does 'exec ssh-agent', which does 'exec gpg-agent', which disables ulimit -c, then does 'exec xinitrc'. xfce4-session starts with disabled core, and all apps it launches inherit that setting. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1124847
http://bugzilla.suse.com/show_bug.cgi?id=1124847#c1
--- Comment #1 from Olaf Hering
http://bugzilla.suse.com/show_bug.cgi?id=1124847
Jiachen Zhang
http://bugzilla.suse.com/show_bug.cgi?id=1124847
http://bugzilla.suse.com/show_bug.cgi?id=1124847#c3
Vítězslav Čížek
http://bugzilla.suse.com/show_bug.cgi?id=1124847
http://bugzilla.suse.com/show_bug.cgi?id=1124847#c4
--- Comment #4 from Olaf Hering
I can confirm this.
Wayland does not use the X11 init scripts, so it is likely unaffected. The bug in gpg-agent is present since a decade. There is a code path that does exec(). This path must not fiddle with ulimit. There is another code path that does fork(). This path is free to tweak ulimit for the livetime of this process. There is another code path that checks if gpg-agent is running. This path most likely does not need to care about ulimit. I suggest to move disable_core_dumps() into the child. Up to this point no security relevant things happend AFAICS. Fix neededed for SLE12 and inherited codebases. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1124847
http://bugzilla.suse.com/show_bug.cgi?id=1124847#c5
--- Comment #5 from Pedro Monreal Gonzalez
http://bugzilla.suse.com/show_bug.cgi?id=1124847
http://bugzilla.suse.com/show_bug.cgi?id=1124847#c6
Pedro Monreal Gonzalez
http://bugzilla.suse.com/show_bug.cgi?id=1124847
http://bugzilla.suse.com/show_bug.cgi?id=1124847#c7
--- Comment #7 from Pedro Monreal Gonzalez
http://bugzilla.suse.com/show_bug.cgi?id=1124847
http://bugzilla.suse.com/show_bug.cgi?id=1124847#c8
--- Comment #8 from Olaf Hering
Bug reported upstream: https://dev.gnupg.org/T4473
We have to fix it either way for our own purpose. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1124847
http://bugzilla.suse.com/show_bug.cgi?id=1124847#c9
--- Comment #9 from Vítězslav Čížek
Bug reported upstream: https://dev.gnupg.org/T4473
Upstream resolution: Closed, Wontfix "Since 2.1 the standard use of gpg-agent is to have it started on demand by the components which require it. The use of "gpg-agent --daemon /bin/sh " should be used for debugging only." -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1124847
http://bugzilla.suse.com/show_bug.cgi?id=1124847#c11
Pedro Monreal Gonzalez
http://bugzilla.suse.com/show_bug.cgi?id=1124847
http://bugzilla.suse.com/show_bug.cgi?id=1124847#c12
--- Comment #12 from Dr. Werner Fink
Adding Werner in CC: @Werner, could the solution in comment#10 be applied on xdm side?
For SLE-12, we can safely apply the patch suggested by Olaf.
IMHO both can be done ... gpg-agent should never ever modify (u)limits as this is not its mission. For xdm simply change in /etc/X11/xdm/scripts/10-gpg-agent the line : ${usegpg:=yes} to : ${usegpg:=no} then it is on the system administrator to change this maybe by export usegpg=yes -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1124847
http://bugzilla.suse.com/show_bug.cgi?id=1124847#c13
--- Comment #13 from Pedro Monreal Gonzalez
http://bugzilla.suse.com/show_bug.cgi?id=1124847
http://bugzilla.suse.com/show_bug.cgi?id=1124847#c16
Tomáš Chvátal
http://bugzilla.suse.com/show_bug.cgi?id=1124847
http://bugzilla.suse.com/show_bug.cgi?id=1124847#c17
--- Comment #17 from Pedro Monreal Gonzalez
And what's about fixing gpg its self?
The bug in the gpg2 side is fixed by applying the patch. Another question is, and maybe it should go into a different bug, if we want to modify the X11 scripts (since gpg2 version 2.1, i.e. from SLE-15) so that the gpg-agent is not started by the scripts but only when required. I would be in favor of doing this. I have tested the modification from comment#12 in TW and SLE-15-SP1, for gnome desktop, gdm and xdm only and it all works fine there. Not sure if I should test this for all desktops since it would be similar. But you are right, all display managers and desktops should be tested. Just to have an idea of the amount of work required, could you please let me know what scripts should be modified and which combinations of display managers and desktops should be tested? -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1124847
Pedro Monreal Gonzalez
http://bugzilla.suse.com/show_bug.cgi?id=1124847
http://bugzilla.suse.com/show_bug.cgi?id=1124847#c19
--- Comment #19 from Olaf Hering
http://bugzilla.suse.com/show_bug.cgi?id=1124847
Swamp Workflow Management
http://bugzilla.suse.com/show_bug.cgi?id=1124847
Swamp Workflow Management
http://bugzilla.suse.com/show_bug.cgi?id=1124847
Swamp Workflow Management
http://bugzilla.suse.com/show_bug.cgi?id=1124847
Swamp Workflow Management
http://bugzilla.suse.com/show_bug.cgi?id=1124847
Swamp Workflow Management
http://bugzilla.suse.com/show_bug.cgi?id=1124847
Swamp Workflow Management
http://bugzilla.suse.com/show_bug.cgi?id=1124847
http://bugzilla.suse.com/show_bug.cgi?id=1124847#c24
--- Comment #24 from Swamp Workflow Management
http://bugzilla.suse.com/show_bug.cgi?id=1124847
http://bugzilla.suse.com/show_bug.cgi?id=1124847#c25
--- Comment #25 from Swamp Workflow Management
http://bugzilla.suse.com/show_bug.cgi?id=1124847
Swamp Workflow Management
http://bugzilla.suse.com/show_bug.cgi?id=1124847
Swamp Workflow Management
http://bugzilla.suse.com/show_bug.cgi?id=1124847
Swamp Workflow Management
http://bugzilla.suse.com/show_bug.cgi?id=1124847
Swamp Workflow Management
http://bugzilla.suse.com/show_bug.cgi?id=1124847
http://bugzilla.suse.com/show_bug.cgi?id=1124847#c28
--- Comment #28 from Swamp Workflow Management
http://bugzilla.suse.com/show_bug.cgi?id=1124847
Pedro Monreal Gonzalez
participants (1)
-
bugzilla_noreply@novell.com