summaryrefslogtreecommitdiff
path: root/website/bugs/problems-with-root-owned-gpg-keyrings.mdwn
blob: 65268c58491b006d19ebec35f6af2ae183b5ae02 (plain)

[[meta title="Problems with root-owned gpg keyrings"]]

/var/lib/monkeysphere/gnupg-host/ is root-owned, and the public keyring in that directory is controlled by the superuser.

We currently expect the monkeysphere user to read from (but not write to) that keyring. But using a keyring in a directory that you don't control appears to trigger a subtle bug in gpg that has been unresolved for quite a long time.

With some of the new error checking i'm doing in monkeysphere-server, typical operations that involve both keyrings as the non-privileged user can fail with an error message like:

gpg: failed to rebuild keyring cache: file open error

Running the relevant operation a second time as the same user usually lets things go through without a failure, but this seems like it would be hiding a bug, rather than getting it fixed correctly.

Are there other ways we can deal with this problem?

--dkg