[Bug 1124847] New: presence of gpg key disables ulimit and coredump in X11 session

newer
[Bug 1151453] [Build 20190919]...

older
[Bug 1156047] [Build 20191104]...

bugzilla_noreply＠novell.com

8 Feb 2019 8 Feb '19

20:59

http://bugzilla.suse.com/show_bug.cgi?id=1124847 Bug ID: 1124847 Summary: presence of gpg key disables ulimit and coredump in X11 session Classification: openSUSE Product: openSUSE Distribution Version: Leap 42.3 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Basesystem Assignee: bnc-team-screening@forge.provo.novell.com Reporter: ohering@suse.com QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- Fresh 15.0 in a VM, with XFCE desktop. I have not tried other desktops. After first boot, run xterm and ulimit -a: core is unlimited. Create some ssh key, reboot. After second boot, run xterm and ulimit -a: core is unlimited. Create some gpg key with 'gpg --quick-genkey string', reboot. After third boot, run xterm and ulimit -a: core is ... zero. Because "ulimit -c" is zero (via gpg-agent), no crashes are recorded as core files and the info about a crash is lost. What I found so far via debug kernel: lightdm calls bash, which does 'exec ssh-agent', which does 'exec gpg-agent', which disables ulimit -c, then does 'exec xinitrc'. xfce4-session starts with disabled core, and all apps it launches inherit that setting. -- You are receiving this mail because: You are on the CC list for the bug.

Attachments:

attachment.htm (text/html — 2.9 KB)

Show replies by date

bugzilla_noreply＠novell.com

8 Feb 8 Feb

22:11

New subject: [Bug 1124847] presence of gpg key disables ulimit and coredump in X11 session

http://bugzilla.suse.com/show_bug.cgi?id=1124847 http://bugzilla.suse.com/show_bug.cgi?id=1124847#c1 --- Comment #1 from Olaf Hering --- Different VM, same bug with KDE. -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠novell.com

11 Feb 11 Feb

02:37

New subject: [Bug 1124847] presence of gpg key disables ulimit and coredump in X11 session

http://bugzilla.suse.com/show_bug.cgi?id=1124847 Jiachen Zhang changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|bnc-team-screening@forge.pr |vcizek@suse.com |ovo.novell.com | -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠novell.com

08:29

New subject: [Bug 1124847] presence of gpg key disables ulimit and coredump in X11 session

http://bugzilla.suse.com/show_bug.cgi?id=1124847 http://bugzilla.suse.com/show_bug.cgi?id=1124847#c3 Vítězslav Čížek changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |vcizek@suse.com Assignee|vcizek@suse.com |pmonrealgonzalez@suse.com --- Comment #3 from Vítězslav Čížek --- Seems caused by gpg, reassigning to Pedro. -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠novell.com

08:41

New subject: [Bug 1124847] presence of gpg key disables ulimit and coredump in X11 session

http://bugzilla.suse.com/show_bug.cgi?id=1124847 http://bugzilla.suse.com/show_bug.cgi?id=1124847#c4 --- Comment #4 from Olaf Hering --- (In reply to Neil Rickert from comment #2)

...

I can confirm this.

Wayland does not use the X11 init scripts, so it is likely unaffected. The bug in gpg-agent is present since a decade. There is a code path that does exec(). This path must not fiddle with ulimit. There is another code path that does fork(). This path is free to tweak ulimit for the livetime of this process. There is another code path that checks if gpg-agent is running. This path most likely does not need to care about ulimit. I suggest to move disable_core_dumps() into the child. Up to this point no security relevant things happend AFAICS. Fix neededed for SLE12 and inherited codebases. -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠novell.com

25 Feb 25 Feb

22:44

New subject: [Bug 1124847] presence of gpg key disables ulimit and coredump in X11 session

http://bugzilla.suse.com/show_bug.cgi?id=1124847 http://bugzilla.suse.com/show_bug.cgi?id=1124847#c5 --- Comment #5 from Pedro Monreal Gonzalez --- Olaf, thanks for the patch. I'll ask upstream if this could have security implications like ptrace a child process, see for example https://dev.gnupg.org/T1509. IIRC, this is not possible now. -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠novell.com

29 Apr 29 Apr

15:23

New subject: [Bug 1124847] presence of gpg key disables ulimit and coredump in X11 session

http://bugzilla.suse.com/show_bug.cgi?id=1124847 http://bugzilla.suse.com/show_bug.cgi?id=1124847#c6 Pedro Monreal Gonzalez changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |pmonrealgonzalez@suse.com --- Comment #6 from Pedro Monreal Gonzalez --- Created attachment 803837 --> http://bugzilla.suse.com/attachment.cgi?id=803837&action=edit Patch to move disable_core_dumps() to the child process -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠novell.com

15:29

New subject: [Bug 1124847] presence of gpg key disables ulimit and coredump in X11 session

http://bugzilla.suse.com/show_bug.cgi?id=1124847 http://bugzilla.suse.com/show_bug.cgi?id=1124847#c7 --- Comment #7 from Pedro Monreal Gonzalez --- Bug reported upstream: https://dev.gnupg.org/T4473 -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠novell.com

6 May 6 May

14:33

New subject: [Bug 1124847] presence of gpg key disables ulimit and coredump in X11 session

http://bugzilla.suse.com/show_bug.cgi?id=1124847 http://bugzilla.suse.com/show_bug.cgi?id=1124847#c8 --- Comment #8 from Olaf Hering --- (In reply to Pedro Monreal Gonzalez from comment #7)

...

Bug reported upstream: https://dev.gnupg.org/T4473

We have to fix it either way for our own purpose. -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠novell.com

14:58

New subject: [Bug 1124847] presence of gpg key disables ulimit and coredump in X11 session

http://bugzilla.suse.com/show_bug.cgi?id=1124847 http://bugzilla.suse.com/show_bug.cgi?id=1124847#c9 --- Comment #9 from Vítězslav Čížek --- (In reply to Pedro Monreal Gonzalez from comment #7)

...

Bug reported upstream: https://dev.gnupg.org/T4473

Upstream resolution: Closed, Wontfix "Since 2.1 the standard use of gpg-agent is to have it started on demand by the components which require it. The use of "gpg-agent --daemon /bin/sh " should be used for debugging only." -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠novell.com

7 May 7 May

09:31

New subject: [Bug 1124847] presence of gpg key disables ulimit and coredump in X11 session

http://bugzilla.suse.com/show_bug.cgi?id=1124847 http://bugzilla.suse.com/show_bug.cgi?id=1124847#c11 Pedro Monreal Gonzalez changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |werner@suse.com --- Comment #11 from Pedro Monreal Gonzalez --- Adding Werner in CC: @Werner, could the solution in comment#10 be applied on xdm side? For SLE-12, we can safely apply the patch suggested by Olaf. -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠novell.com

09:47

New subject: [Bug 1124847] presence of gpg key disables ulimit and coredump in X11 session

http://bugzilla.suse.com/show_bug.cgi?id=1124847 http://bugzilla.suse.com/show_bug.cgi?id=1124847#c12 --- Comment #12 from Dr. Werner Fink --- (In reply to Pedro Monreal Gonzalez from comment #11)

...

Adding Werner in CC: @Werner, could the solution in comment#10 be applied on xdm side?

For SLE-12, we can safely apply the patch suggested by Olaf.

IMHO both can be done ... gpg-agent should never ever modify (u)limits as this is not its mission. For xdm simply change in /etc/X11/xdm/scripts/10-gpg-agent the line : ${usegpg:=yes} to : ${usegpg:=no} then it is on the system administrator to change this maybe by export usegpg=yes -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠novell.com

11 Jul 11 Jul

10:04

New subject: [Bug 1124847] presence of gpg key disables ulimit and coredump in X11 session

http://bugzilla.suse.com/show_bug.cgi?id=1124847 http://bugzilla.suse.com/show_bug.cgi?id=1124847#c13 --- Comment #13 from Pedro Monreal Gonzalez --- @Werner, could you add the modification from comment#12 in xdm so the gpg-agent would be started on demand. This should be done in SLE-15, SLE-15-SP1 and Factory. I've tested this in Factory and everything works fine with this change. I'll add the patch in the rest of the codestreams. -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠novell.com

11:39

New subject: [Bug 1124847] presence of gpg key disables ulimit and coredump in X11 session

http://bugzilla.suse.com/show_bug.cgi?id=1124847 http://bugzilla.suse.com/show_bug.cgi?id=1124847#c16 Tomáš Chvátal changed: What |Removed |Added ---------------------------------------------------------------------------- Status|CONFIRMED |RESOLVED Resolution|--- |WONTFIX --- Comment #16 from Tomáš Chvátal --- This is automated batch bugzilla cleanup. The openSUSE 42.3 changed to end-of-life (EOL [1]) status. As such it is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of openSUSE (At this moment openSUSE Leap 15.1, 15.0 and Tumbleweed) please feel free to reopen this bug against that version (!you must update the "Version" component in the bug fields, do not just reopen please), or alternatively create a new ticket. Thank you for reporting this bug and we are sorry it could not be fixed during the lifetime of the release. [1] https://en.opensuse.org/Lifetime -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠novell.com

11:52

New subject: [Bug 1124847] presence of gpg key disables ulimit and coredump in X11 session

http://bugzilla.suse.com/show_bug.cgi?id=1124847 http://bugzilla.suse.com/show_bug.cgi?id=1124847#c17 --- Comment #17 from Pedro Monreal Gonzalez --- (In reply to Dr. Werner Fink from comment #15)

...

And what's about fixing gpg its self?

The bug in the gpg2 side is fixed by applying the patch. Another question is, and maybe it should go into a different bug, if we want to modify the X11 scripts (since gpg2 version 2.1, i.e. from SLE-15) so that the gpg-agent is not started by the scripts but only when required. I would be in favor of doing this. I have tested the modification from comment#12 in TW and SLE-15-SP1, for gnome desktop, gdm and xdm only and it all works fine there. Not sure if I should test this for all desktops since it would be similar. But you are right, all display managers and desktops should be tested. Just to have an idea of the amount of work required, could you please let me know what scripts should be modified and which combinations of display managers and desktops should be tested? -- You are receiving this mail because: You are on the CC list for the bug.