On Tue 2016-09-06 23:50:31 +0200, Ramakrishnan Muthukrishnan wrote:
> [dkg wrote:]
>> chgrp $(getent passwd keyring-user | cut -f4 -d:) $(tty)
>
> Hmm. That command errored out with a "permission denied". But the second
> one succeeded.

sigh, sorry about that, i've been asking you to test things that i really
should have tried myself. it appears that the devpts filesystem is much
more limited than i expected it to be :/

>> chmod g+rw $(tty)
>
> As 'root', I added the keyring-user into the group 'tty' and then the
> signing worked just fine.

hm, i'm not sure that's particularly safe. it implies that keyring-user is
able to write to any of the ttys on the system :/

maybe the right approach is to do something like hand over the tty as a
file descriptor? that'd require quite a bit more plumbing upstream :/

> I didn't know about exporting the extra socket. Still reading up on the
> gpg2 and associated programs.
>
> I think it is perfectly fine with the setup where I can switch to
> virtual terminal and log into the account.

ok, i'm glad that setup works for you :)

Please report back if you find a good configuration that lets you use
gpg-agent in this isolated mode. I'll be at the OpenPGP.conf later this
week and will try to brainstorm with folks there about the right way to
provide this sort of isolated service effectively.

Regards,

--dkg
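The exchange above contrasts two ways of letting the isolated keyring-user reach the caller's terminal: re-owning a single pty (the chgrp/chmod pair that failed on devpts) versus adding the user to group tty (which worked, but grants write access to every pty owned by that group). The following is an added example, not code from the thread or from GnuPG: it models the standard Unix discretionary access check (owner bits if the uid matches, else group bits if the gid is among the caller's groups, else other bits) over a constructed set of /dev/pts entries, so the difference in blast radius between the two configurations can be seen without touching a real system. The gid 5 for group tty, the mode 0620 on pty nodes, and the uids are assumptions chosen to resemble a typical Debian layout.

```python
"""Model of Unix DAC write access to pseudo-terminals (constructed example)."""
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    """One device node as stat(2) would report it (constructed, not read from disk)."""
    path: str
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o620


@dataclass(frozen=True)
class Principal:
    """A process identity: effective uid plus primary and supplementary gids."""
    uid: int
    groups: frozenset


def can_write(node: Node, who: Principal) -> bool:
    """Classic Unix DAC: the first matching class (owner, group, other) decides.

    Note that a matching owner is judged by the owner bits alone; group
    membership does not add access if the owner bits deny it.
    """
    if who.uid == node.uid:
        return bool(node.mode & stat.S_IWUSR)
    if node.gid in who.groups:
        return bool(node.mode & stat.S_IWGRP)
    return bool(node.mode & stat.S_IWOTH)


def writable_ttys(nodes, who: Principal):
    """Paths in `nodes` that `who` may write to."""
    return [n.path for n in nodes if can_write(n, who)]


# Assumed layout: group tty has gid 5, ptys are owned by the logged-in user
# with group tty and mode 0620 (rw for owner, w for group), as devpts gives.
TTY_GID = 5
KEYRING_UID = 1100   # assumed uid of keyring-user
KEYRING_GID = 1100   # assumed primary gid of keyring-user
CALLER_UID = 1000    # assumed uid of the interactive user on /dev/pts/0

PTS = (
    Node("/dev/pts/0", CALLER_UID, TTY_GID, 0o620),  # the caller's terminal
    Node("/dev/pts/1", 1001, TTY_GID, 0o620),        # another user's session
    Node("/dev/pts/2", 0, TTY_GID, 0o620),           # a root shell
)


def baseline() -> Principal:
    """keyring-user with only its own primary group."""
    return Principal(KEYRING_UID, frozenset({KEYRING_GID}))


def member_of_tty_group() -> Principal:
    """keyring-user after `root` adds it to group tty (the thread's working setup)."""
    return Principal(KEYRING_UID, frozenset({KEYRING_GID, TTY_GID}))


def regrouped_pts(nodes, path: str, new_gid: int):
    """Model of `chgrp <gid> <path>; chmod g+rw <path>` on one node only.

    The thread reports chgrp failing with EPERM on devpts; this shows what it
    would have granted had it succeeded: access to that single terminal.
    """
    return tuple(
        Node(n.path, n.uid, new_gid, n.mode | stat.S_IRGRP | stat.S_IWGRP)
        if n.path == path else n
        for n in nodes
    )


if __name__ == "__main__":
    print("baseline:   ", writable_ttys(PTS, baseline()))
    print("group tty:  ", writable_ttys(PTS, member_of_tty_group()))
    one = regrouped_pts(PTS, "/dev/pts/0", KEYRING_GID)
    print("chgrp pts/0:", writable_ttys(one, baseline()))
```

Running the block prints an empty list for the baseline, all three ptys once keyring-user is in group tty, and only /dev/pts/0 for the per-terminal chgrp. That is the asymmetry the thread is worried about: group membership is a system-wide grant, whereas re-owning one pty (or handing over an already-open descriptor, as dkg suggests) scopes access to the one terminal the signing session actually needs.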