When using systemctl restart or systemctl stop on any of the GnuPG
services, the sockets were closed and removed.

However we are using socket activation, so a simple restart of, for
example, the agent would cause the socket to be closed and removed and
afterwards the gpg-agent service is unable to pick up the socket again,
thus failing to start.

This in turn has led to GnuPG starting the agent on its own, entirely
bypassing socket activation and our shiny service module.

In order to cope with this, we need to provide LD_PRELOAD wrappers also
for remove() and close(), so that we can prevent GnuPG from closing the
systemd file descriptors.

I've also added a small subtest to ensure this won't happen again in the
future.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Since GnuPG version 2.1.13 (NixOS/nixpkgs@b586b00), there is support for
XDG_RUNTIME_DIR so the sockets are in /run/user/gnupg instead of
~/.gnupg.

The full announcement can be found here:

https://lists.gnupg.org/pipermail/gnupg-announce/2016q2/000390.html

Unfortunately the fix is a bit more complicated, because if GNUPGHOME is
set to a non-default location, the sockets are to be found within the
directory specified in $GNUPGHOME instead.

So we also need to check the version of GnuPG so that we can properly
split up the socket directory from the GNUPGHOME.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Add simple fasd integration for fish.
A command `z` directly jumps to the most “frecent” folder fitting its
argument.
It doesn't make sense to pollute the system with additional environment
variables if we're using the defaults anyway, so only set it if it's not
"~/.gnupg".
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
We do things such as placing gnupg into environment.systemPackages, so
calling this just "programs.gpg-agent" doesn't fit that. Especially if
we really want to have a way to specify configuration values in case I'm
getting masochistic someday ;-)
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Latest <nixpkgs> (NixOS/nixpkgs@e899ffc as of my latest pull) causes our
preloader to load fork() from libpthread instead of using the overridden
one from the preload wrapper (without store paths to be easier to read):

    binding file gpg-agent [0] to libpthread.so.0 [0]:
    normal symbol `fork' [GLIBC_2.2.5]

However, at the time I committed 8db1803, I was testing it on an
older version (NixOS/nixpkgs@81af597) and it was bound correctly:

    binding file gpg-agent [0] to gpg-agent-wrapper [0]:
    normal symbol `fork' [GLIBC_2.2.5]

Now after bisecting this against the latest <nixpkgs> master, it
revealed that one of the following commits could be the problem:

* NixOS/nixpkgs@559ecc9: stdenv-linux: Avoid building m4/bison twice
* NixOS/nixpkgs@817145e: binutils: 2.23.1 -> 2.26
* NixOS/nixpkgs@2040a9a: stdenv-linux: Ensure binutils comes before
  bootstrapTools in $PATH

So my guess was that the binutils update changed that behaviour somehow,
so I checked against 2.23.1 (reverted NixOS/nixpkgs@817145e) and 2.25
and it worked correctly.

I didn't bisect this against the binutils source tree, but what happens
is that because we depend on libsystemd in our wrapper, libsystemd (and
thus libpthread) is loaded first and thus we can't override things
anymore which get pulled in by RTLD while loading libsystemd.

The reason why I now went with dlopen() is that even if the behaviour is
back to that of binutils 2.25, we want to make sure that even if
something in ld.so should change which affects this as well, we're still
not tripping into the same problem again.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
First of all, let's inline the first_fork variable, because we don't
want this variable to be exposed as a symbol, even though it doesn't
hurt (except maybe for a very very very tiny improvement in RTLD lookup
performance).

And apart from the first_fork variable, there were a few other symbols
we don't want to propagate to the RTLD chain as well:

    0000000000001465 T accept
    000000000000130b T bind
    000000000000153e T execv
    0000000000001610 T _fini
    00000000000013b8 T fork
    0000000000000fe0 T get_sd_fd_for
    0000000000001420 T get_socket_pid
    0000000000000d80 T _init
    00000000000012fa T listen
    00000000000012b8 T record_sockfd

So in the end we're down to:

    00000000000011fb T accept
    00000000000010a1 T bind
    00000000000012c8 T execv
    0000000000001390 T _fini
    000000000000114e T fork
    0000000000000b68 T _init
    0000000000001090 T listen

... which is a lot cleaner, and even though our stuff doesn't collide
with existing libraries in the chain it's better to be safe than sorry.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
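As an added example, not aszlig's wrapper (whose source is not on this page), here is a small LD_PRELOAD interposer in the spirit of the close()/remove() wrappers described in the socket-activation commit at the top of this log, combined with the symbol hygiene this commit is about: every helper carries hidden visibility, so `nm -D` on the built object lists only the interposed libc symbols. SD_LISTEN_FDS_START (3), LISTEN_PID and LISTEN_FDS are systemd's documented fd-passing protocol; matching a path against the listening sockets through getsockname() is this example's own design rather than something the page describes, and self_check() with its temp-dir socket is constructed for the demo.

```c
#define _GNU_SOURCE                         /* RTLD_NEXT, mkdtemp, realpath */
#include <dlfcn.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>
#ifndef RTLD_NEXT                           /* glibc's value, in case the feature macro came too late */
#define RTLD_NEXT ((void *) -1l)
#endif
/* systemd passes activated sockets starting at fd 3 and announces them via
 * LISTEN_PID (intended recipient) and LISTEN_FDS (how many). */
#define SD_LISTEN_FDS_START 3
/* Helpers stay hidden so the preload object exports only the interposed
 * libc symbols, which is what the nm cleanup in this commit is after. */
#define HIDDEN __attribute__((visibility("hidden")))

/* Strict decimal parse of an environment value; 0 on absence or garbage. */
HIDDEN int parse_env_long(const char *s, long *out)
{
    char *end;
    if (!s || !*s) return 0;
    *out = strtol(s, &end, 10);
    return *end == '\0';
}

/* Pure check: is `fd` one of the fds systemd passed to process `self`?
 * LISTEN_* come in as parameters rather than getenv() so this is testable. */
HIDDEN int fd_is_systemd_socket(int fd, const char *listen_pid,
                                const char *listen_fds, pid_t self)
{
    long pid, n;
    if (fd < SD_LISTEN_FDS_START || !parse_env_long(listen_pid, &pid))
        return 0;
    if (pid != (long)self || !parse_env_long(listen_fds, &n) || n <= 0)
        return 0;                           /* meant for another process, or bogus */
    return fd < SD_LISTEN_FDS_START + n;
}

/* Does `path` name the socket file bound to one of fds [first, first+n)?
 * Example's own design: ask each fd for its bound address and compare canonical paths. */
HIDDEN int path_is_systemd_socket(const char *path, int first, long n)
{
    char want[PATH_MAX], have[PATH_MAX];
    if (n <= 0 || !realpath(path, want))
        return 0;
    for (long i = 0; i < n; i++) {
        struct sockaddr_un sa;
        socklen_t len = sizeof sa;
        memset(&sa, 0, sizeof sa);
        if (getsockname(first + (int)i, (struct sockaddr *)&sa, &len) != 0 ||
            sa.sun_family != AF_UNIX || sa.sun_path[0] == '\0')
            continue;                       /* not a socket, or unnamed/abstract */
        sa.sun_path[sizeof sa.sun_path - 1] = '\0';   /* a max-length path has no NUL */
        if (realpath(sa.sun_path, have) && strcmp(want, have) == 0)
            return 1;
    }
    return 0;
}

/* Interposed close(): leave systemd's listening sockets open so a later
 * accept() on them still works after the daemon's own cleanup. */
int close(int fd)
{
    static int (*real_close)(int);
    if (!real_close)
        real_close = (int (*)(int)) dlsym(RTLD_NEXT, "close");
    if (fd_is_systemd_socket(fd, getenv("LISTEN_PID"), getenv("LISTEN_FDS"), getpid()))
        return 0;                           /* report success, keep the fd */
    return real_close(fd);
}

/* Interposed remove(): refuse to unlink the socket file behind those fds,
 * otherwise the next service start would find the path gone. */
int remove(const char *path)
{
    static int (*real_remove)(const char *);
    long pid, n;
    if (!real_remove)
        real_remove = (int (*)(const char *)) dlsym(RTLD_NEXT, "remove");
    if (parse_env_long(getenv("LISTEN_PID"), &pid) && pid == (long)getpid() &&
        parse_env_long(getenv("LISTEN_FDS"), &n) &&
        path_is_systemd_socket(path, SD_LISTEN_FDS_START, n))
        return 0;
    return real_remove(path);
}

/* Constructed self-check: bind an AF_UNIX socket under /tmp and confirm the
 * path guard recognises that file and nothing else. Returns 1 on success. */
HIDDEN int self_check(void)
{
    char dir[] = "/tmp/gpgwrapXXXXXX", path[64];
    struct sockaddr_un sa;
    int fd, ok = 0;
    if (!mkdtemp(dir)) return 0;
    snprintf(path, sizeof path, "%s/S.demo", dir);
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    strncpy(sa.sun_path, path, sizeof sa.sun_path - 1);
    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd >= 0 && bind(fd, (struct sockaddr *)&sa, sizeof sa) == 0)
        ok = path_is_systemd_socket(path, fd, 1) == 1 &&
             path_is_systemd_socket("/dev/null", fd, 1) == 0;
    if (fd >= 0) close(fd);                 /* not a systemd fd, so this reaches the real close() */
    unlink(path); rmdir(dir);
    return ok;
}
```

Built with `gcc -shared -fPIC -o wrapper.so wrapper.c` and loaded via LD_PRELOAD in the service unit, the object keeps the activated socket alive across the daemon's own shutdown cleanup, which is exactly the restart failure the close()/remove() commit describes. Keep in mind the loading-order caveat from the dlopen() commit above: if the wrapper itself links a library that drags in the symbols you want to interpose, those bindings may already be resolved before the wrapper gets a say.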
I've used this to test compilation of the agent wrapper at an early
state of development and I've accidentally committed this along with
8db1803b5d9865b2355fabdb6bb974d879ce57cc.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Since NixOS/nixpkgs@5391882 there no longer is the option to start the
agent during X session startup, which prompted me to write this module.

I had been unhappy with how GnuPG is handled in NixOS for a long time
and wanted to OCD all the configuration files directly into the module.

Unfortunately, this is something I eventually gave up because GnuPG's
design makes it very hard to preseed configuration. My first attempt was
to provide default configuration files in /etc/gnupg, but that wasn't
properly picked up by GnuPG.

Another way would have been to change the default configuration files,
but that would have the downside that we could only override those
configurations using command line options for each individual GnuPG
component.

The approach I tried to go for was to patch GnuPG so that all the
defaults are directly set in the source code using a giant sed
expression. It turned out that this approach doesn't work very well,
because every component has implemented its own way of handling
command-line arguments versus (default) configuration files.

In the end I gave up trying to OCD anything related to GnuPG
configuration and concentrated just on the agent.

And that's another beast, which unfortunately doesn't work very well
with systemd.

While searching the net for existing patches I stumbled upon one done by
@shlevy:

https://lists.gnupg.org/pipermail/gnupg-devel/2014-November/029092.html

Unfortunately, the upstream author seems to be quite anti-systemd and
didn't want to accept that into the upstream project.

Because of this I went for using LD_PRELOAD to pick up the file
descriptors provided by the systemd sockets, because in the end I don't
want to constantly catch up with upstream and rebase the patch on every
new release.

Apart from just wrapping the agent to be socket activated, we also wrap
the pinentry program, so that we can inject a _CLIENT_PID environment
variable from the LD_PRELOAD wrapper that is picked up by the pinentry
wrapper to determine the TTY and/or display of the client communicating
with the agent.

The wrapper uses the proc filesystem to get all the relevant information
and passes it to the real pinentry.

The advantage of this is that we don't need to do things such as
"gpg-connect-agent updatestartuptty /bye" or any other workarounds and
even if we connect via SSH the agent should be able to correctly pick up
the TTY and/or display.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
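As an added example, not the module's pinentry wrapper itself (its source is not on this page), this is one way to gather the client's TTY and DISPLAY from /proc once the wrapper has the _CLIENT_PID the commit describes: readlink on /proc/<pid>/fd/0 for the terminal and a scan of /proc/<pid>/environ for DISPLAY. The struct and function names are this example's own; the environment block format (NUL-separated `NAME=value` entries) is what /proc/<pid>/environ actually contains.

```c
#define _GNU_SOURCE                     /* strnlen, readlink */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

struct client_info {
    char tty[64];       /* e.g. /dev/pts/3; empty when stdin is not a terminal */
    char display[64];   /* DISPLAY from the client's environment, or empty */
};

/* Find `name` in a NUL-separated environment block (the layout of
 * /proc/<pid>/environ) and return a pointer to its value, or NULL. */
const char *env_block_get(const char *block, size_t len, const char *name)
{
    size_t nlen = strlen(name), off = 0;
    while (off < len) {
        const char *entry = block + off;
        size_t elen = strnlen(entry, len - off);
        if (elen > nlen && memcmp(entry, name, nlen) == 0 && entry[nlen] == '=')
            return entry + nlen + 1;
        off += elen + 1;
    }
    return NULL;
}

/* Read all of /proc/<pid>/environ into a heap buffer; caller frees. */
static char *read_environ(pid_t pid, size_t *len)
{
    char path[64], *block = NULL;
    size_t cap = 4096;
    FILE *f;
    snprintf(path, sizeof path, "/proc/%ld/environ", (long)pid);
    if (!(f = fopen(path, "rb")))
        return NULL;
    *len = 0;
    do {
        char *grown = realloc(block, cap + 1);   /* +1 for a terminating NUL */
        if (!grown) { free(block); fclose(f); return NULL; }
        block = grown;
        *len += fread(block + *len, 1, cap - *len, f);
        cap *= 2;
    } while (!feof(f) && !ferror(f));
    fclose(f);
    block[*len] = '\0';
    return block;
}

/* Fill `out` for the process that connected to the agent. Returns 1 on
 * success, 0 if the process is gone or /proc denies access (other user, hidepid). */
int lookup_client(pid_t pid, struct client_info *out)
{
    char path[64], *env;
    const char *v;
    size_t len;
    ssize_t n;
    memset(out, 0, sizeof *out);
    snprintf(path, sizeof path, "/proc/%ld/fd/0", (long)pid);
    n = readlink(path, out->tty, sizeof out->tty - 1);
    /* Keep only real terminals; "pipe:[..]", "/dev/null" and friends are not a TTY. */
    if (n <= 0 || (strncmp(out->tty, "/dev/pts/", 9) != 0 && strncmp(out->tty, "/dev/tty", 8) != 0))
        n = 0;
    out->tty[n] = '\0';
    if (!(env = read_environ(pid, &len)))
        return 0;
    if ((v = env_block_get(env, len, "DISPLAY")))
        snprintf(out->display, sizeof out->display, "%s", v);
    free(env);
    return 1;
}
```

A wrapper built around this would read _CLIENT_PID from its own environment, call lookup_client(), and hand the results to the real pinentry through its `--ttyname` and `--display` options, falling back to pinentry's defaults when a field is empty. Because /proc only exposes another process's environ and fd links to the same user (or with hidepid restrictions, not at all), the lookup degrades to "no information" rather than failing the pinentry call.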