Enigmail uses GCR without user confirmation

Bug #1325832 reported by Andreas Siegert
276
This bug affects 6 people
Affects Status Importance Assigned to Milestone
enigmail (Ubuntu)
Confirmed
Medium
Unassigned

Bug Description

After my Xubuntu update from 12.04 to 14.04 I suddenly needed to input my GPG passphrase only once per login session instead of the configured 20 minutes.

After some analysis it turns out that Enigmail used GCR for managing the PGP passphrase.

So why is Engimail doing this without any user intervention?
Why is this not documented?

Modifying the behavior of critical security tools under the hood without user confirmation is bad security practice.
Especially when the default of the the tools employed are very lax.

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: enigmail 2:1.5.2-0ubuntu1
ProcVersionSignature: Ubuntu 3.13.0-27.50-generic 3.13.11
Uname: Linux 3.13.0-27-generic x86_64
NonfreeKernelModules: nvidia
ApportVersion: 2.14.1-0ubuntu3.2
Architecture: amd64
CurrentDesktop: XFCE
Date: Tue Jun 3 08:57:28 2014
InstallationDate: Installed on 2014-04-24 (39 days ago)
InstallationMedia: Xubuntu 14.04 LTS "Trusty Tahr" - Release amd64 (20140416.2)
SourcePackage: enigmail
UpgradeStatus: No upgrade log present (probably fresh install)

Revision history for this message
Andreas Siegert (afx) wrote :
information type: Private Security → Public Security
Revision history for this message
Andreas Siegert (afx) wrote :

Tried it on a freshly installed machine. Same results. Enigmail uses GCR without me ever telling it to....

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in enigmail (Ubuntu):
status: New → Confirmed
Revision history for this message
Alexander Buchner (alexander-buchner) wrote :

For me, I don't even get asked for the passphrase once per session. I can't remember last time I was asked for the passphrase.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Enigmail is using whatever gpg agent is listening to the socket defined by the GPG_AGENT_INFO environment variable, which by default on Ubuntu is gnome-keyring.

Revision history for this message
Andreas Siegert (afx) wrote :

Enigmail is configured to not use gpg-agent and I see no running gpg-agent.
Still that socket exists:

$ echo $GPG_AGENT_INFO
/run/user/1000/keyring-HtA7vw/gpg:0:1

Running lsof on that socket shows:

gnome-key 3617 afx 8u unix 0xffff88020cacb480 0t0 20605 /run/user/1000/keyring-HtA7vw/gpg
gnome-key 3617 3618 afx 8u unix 0xffff88020cacb480 0t0 20605 /run/user/1000/keyring-HtA7vw/gpg
timer 3617 4055 afx 8u unix 0xffff88020cacb480 0t0 20605 /run/user/1000/keyring-HtA7vw/gpg
dconf 3617 4056 afx 8u unix 0xffff88020cacb480 0t0 20605 /run/user/1000/keyring-HtA7vw/gpg
gdbus 3617 4057 afx 8u unix 0xffff88020cacb480 0t0 20605 /run/user/1000/keyring-HtA7vw/gpg
dispatch 3617 4435 afx 8u unix 0xffff88020cacb480 0t0 20605 /run/user/1000/keyring-HtA7vw/gpg
dispatch 3617 14721 afx 8u unix 0xffff88020cacb480 0t0 20605 /run/user/1000/keyring-HtA7vw/gpg

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

yes, that's what I said...in Ubuntu, it's not gpg-agent, it's gnome-keyring-daemon that is the GPG agent, which is PID 3617 in your list.

Revision history for this message
Andreas Siegert (afx) wrote :

But when I get prompted for the password I see gcr-prompter running, not some gnome prompter.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

gnome-keyring-daemon calls out to gcr-prompter to draw the dialog, but it's gnome-keyring-daemon that does the caching, etc.

Revision history for this message
Andreas Siegert (afx) wrote :

Ok, but why does Enigmail use it at all when configured to not use gpg-agent?

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

All Enigmail does is look up the GPG_AGENT_INFO environment variable, and connects to the socket that is listed where. It has no idea what is on the other end of the socket.

In your case, it's gnome-keyring-daemon.

Revision history for this message
Andreas Siegert (afx) wrote :

As I mentioned several times already, Enigmail is not configured to use any form of agent. The appropriate tickmark is OFF.
So why the F... Hell does it use an agent?

And the other interesting question is of course, where does the agent (gnome-keyring-daemon) come from if I have never ever told the system to start any agent at all.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

The "Use gpg-agent for passphrases" setting in Enigmail decides whether or not to launch _it's own_ gpg-agent if none is currently running.

If your GPG_AGENT_INFO environment variable exists, that setting is ignored, and Enigmail uses your session one.

As I've said before, by default in Ubuntu, we start gnome-keyring-daemon as a gpg agent.

Revision history for this message
Andreas Siegert (afx) wrote :

Well, the popup help says "Use gpg-agent (part of gnupg 2) for all passphrase"s.
So your definition does not fit what Enigmail documents.
And, it also does not fit what Enigmail did on 12.4, where it worked just as documented.

The current behavior is neither expected nor documented.

Nowhere does Engimail tell the user that it will force the use of an existing agent if the env variable exists.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

I looked at the source to figure out what it did.

The Enigmail website documents it as follows (note: seahorse is the gnome-keyring GUI):

https://www.enigmail.net/documentation/advanced.php

---
Use gpg-agent for passphrase handling: GnuPG version 2.0.x is distributed with the GnuPG passphrase agent, a tool for caching passphrases. This is especially useful if several passphrases are used. Enabling this option makes Enigmail use the gpg-agent also for GnuPG version 1.4.x (requires the tools gpg-agent and pinentry to be installed!). Note that in some distrubutions, Seahorse is installed instead of gpg-agent. This may cause trouble when using OpenPGP SmartCards. If you use a smartcard for your key, then either use gpg-agent and enable this option or unset it AND make sure the environment variable GPG_AGENT_INFO is unset prior to starting Enigmail since GnuPG expects gpg-agent be running once it detects GPG_AGENT_INFO.

Do not activate this option, if you want Enigmail to ask you for your passphrase.
---

If you want Enigmail to change the documentation to make the current behaviour clearer, please file a bug on their website, and attach it to this bug:

https://www.enigmail.net/support/bugs.php

Thanks!

Revision history for this message
Alberto Salvia Novella (es20490446e) wrote :

It has a moderate impact on a core package.

Changed in enigmail (Ubuntu):
importance: Undecided → Medium
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.