WARNING: unsafe permissions on homedir

Could someone please explain why GPG is unhappy with my home directory? This latest warning arose when I was importing the Firejail Dev’s public key [from https://firejail.wordpress.com/download-2/] to my KGpg, but in recent weeks I’ve seen the same warning with other keys too.


gpg: WARNING: unsafe permissions on homedir '/home/gooeygirl/.gnupg'
gpg (GnuPG) 2.2.0; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  rsa2048/2CCB36ADFC5849A7
     created: 2014-11-05  expires: never       usage: SC   
     trust: marginal      validity: full
sub  rsa2048/32DEBCA46813A09D
     created: 2014-11-05  expires: never       usage: E    
[  full  ] (1). netblue (firejail key) <netblue30@yahoo.com>


Via Dolphin:
These are my /home/gooeygirl/.gnupg permissions: rwx-r-x-r-x.
These are my /home/gooeygirl/ permissions: rwx-r-x-r-x.

Via Konsole:


gooeygirl@linux-Tower:~> cd .gnupg
gooeygirl@linux-Tower:~/.gnupg> ls -l
total 7608
drwxr-xr-x 2 gooeygirl users      21 Sep  7 11:05 crls.d
-rwxr-xr-x 1 gooeygirl users     101 Jan  7  2016 gpa.conf
-rw-r--r-- 1 gooeygirl users      42 Aug 23 00:55 gpg-agent.conf
-rwxr-xr-x 1 gooeygirl users      50 May 31  2015 gpg-agent-info-gooeygirl-Lappy
-rwxr-xr-x 1 gooeygirl users      50 Aug 31  2015 gpg-agent-info-gooeygirl-Tower
-rwxr-xr-x 1 gooeygirl users    9423 Dec 24  2016 gpg.conf
drwx------ 2 gooeygirl users     214 Sep 27  2016 private-keys-v1.d
-rwxr-xr-x 1 gooeygirl users 3818964 Sep 12 15:55 pubring.gpg
-rwxr-xr-x 1 gooeygirl users 3818964 Sep 12 15:55 pubring.gpg~
-rwxr-xr-x 1 gooeygirl users   36004 Jan 11  2016 pubring.kbx
-rwxr-xr-x 1 gooeygirl users     600 Sep 12 15:56 random_seed
-rwxr-xr-x 1 gooeygirl users    8393 Jan  8  2016 secring.gpg
-rw-r--r-- 1 gooeygirl users      43 Jul 23 05:03 S.gpg-agent
srwxr-xr-x 1 gooeygirl users       0 Sep 10 16:05 S.uiserver
-rw-r--r-- 1 gooeygirl users   49152 Sep  7 12:12 tofu.db
-rwxr-xr-x 1 gooeygirl users    5680 Sep 12 15:55 trustdb.gpg
-rwxr-xr-x 1 gooeygirl users    1364 May  9 17:07 trustlist.txt
gooeygirl@linux-Tower:~/.gnupg> 


My guess is it’s not happy about the Group & Others permissions…? Should it instead be, maybe, drwx------ ?

Yes, they do look a little permissive. Quoting from the Archwiki reference…

Configuration files
The default configuration files are ~/.gnupg/gpg.conf and ~/.gnupg/dirmngr.conf.
By default, the gnupg directory has its permissions set to 700 and the files it contains have their permissions set to 600. Only the owner of the directory has permission to read, write, and access the files. This is for security purposes and should not be changed. In case this directory or any file inside it does not follow this security measure, you will get warnings about unsafe file and home directory permissions.

Sorry, forgot the link…

https://wiki.archlinux.org/index.php/GnuPG#Configuration_files

Many thanks deano.

I’ve now made some changes, after which:


gooeygirl@linux-Tower:~> ls -l -d /home/gooeygirl/.gnupg
drwx------ 5 gooeygirl users 4096 Sep 12 18:58 /home/gooeygirl/.gnupg
gooeygirl@linux-Tower:~> 


gooeygirl@linux-Tower:~> ls -l /home/gooeygirl/.gnupg
total 7608
drwx------ 2 gooeygirl users      21 Sep  7 11:05 crls.d
-rwx------ 1 gooeygirl users     101 Jan  7  2016 gpa.conf
-rw------- 1 gooeygirl users      42 Aug 23 00:55 gpg-agent.conf
-rwx------ 1 gooeygirl users      50 May 31  2015 gpg-agent-info-gooeygirl-XPS-L501X
-rwx------ 1 gooeygirl users      50 Aug 31  2015 gpg-agent-info-gooeygirl-Z97-HD3
-rwx------ 1 gooeygirl users    9423 Dec 24  2016 gpg.conf
drwx------ 2 gooeygirl users     214 Sep 27  2016 private-keys-v1.d
-rwx------ 1 gooeygirl users 3818964 Sep 12 15:55 pubring.gpg
-rwx------ 1 gooeygirl users 3818964 Sep 12 15:55 pubring.gpg~
-rwx------ 1 gooeygirl users   36004 Jan 11  2016 pubring.kbx
-rwx------ 1 gooeygirl users     600 Sep 12 15:56 random_seed
-rwx------ 1 gooeygirl users    8393 Jan  8  2016 secring.gpg
-rw------- 1 gooeygirl users      43 Jul 23 05:03 S.gpg-agent
srwx------ 1 gooeygirl users       0 Sep 12 18:05 S.uiserver
-rw------- 1 gooeygirl users   49152 Sep  7 12:12 tofu.db
-rwx------ 1 gooeygirl users    5680 Sep 12 15:55 trustdb.gpg
-rwx------ 1 gooeygirl users    1364 May  9 17:07 trustlist.txt
gooeygirl@linux-Tower:~> 

…& now that warning message no longer appears.

Nice one deano.

Well done. (The executable bit is not needed either, but really not a security risk in this context.)
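
An added example, not written by anyone in this thread: a small POSIX shell helper that reports and then corrects the modes discussed above, using the ArchWiki targets of 700 for directories and 600 for regular files (which also drops the unneeded executable bit). The function names `audit_gnupg_home` and `fix_gnupg_home` are made up for this example.

```shell
#!/bin/sh
# Added example: audit and tighten a GnuPG home directory.
# Targets follow the ArchWiki text quoted in the thread:
#   directories 700, regular files 600.

# List every entry that deviates from the targets or is owned by
# another user. Returns 0 if clean, 1 if findings, 2 on bad input.
audit_gnupg_home() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    bad=$(
        # Exact-mode tests: anything other than 700/600 is reported.
        find "$dir" -type d ! -perm 700 -exec ls -ld {} +
        find "$dir" -type f ! -perm 600 -exec ls -ld {} +
        # Entries owned by a different user are reported as well.
        find "$dir" ! -user "$(id -u)" -exec ls -ld {} +
    )
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Apply the target modes. Sockets and symlinks are left alone:
# once the directory is 700, other users cannot reach them anyway.
fix_gnupg_home() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    find "$dir" -type d -exec chmod 700 {} +
    find "$dir" -type f -exec chmod 600 {} +
}

# Typical use:
#   audit_gnupg_home "$HOME/.gnupg" || fix_gnupg_home "$HOME/.gnupg"
```

Run the audit first and read its listing before fixing; an entry owned by another user needs `chown` by root, which this helper deliberately does not attempt.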