Linux – What are the correct permissions for the .gnupg enclosing folder? gpg: WARNING: unsafe enclosing directory permissions on configuration file

encryptiongnupglinuxpermissions

I don't want to just chmod and run until I get the right answer, nor do I want to run GnuPG as root. The easy fix would be to just set it so that only my user can read it, but I don't think that's the best way.

I get the following error when I attempt to use gpg:

gpg: WARNING: unsafe enclosing directory permissions on configuration file `/home/nb/.gnupg/gpg.conf'
gpg: external program calls are disabled due to unsafe options file permissions
gpg: keyserver communications error: general error
gpg: keyserver receive failed: general error

GnuPG's ~/.gnupg/ current status:

% stat .gnupg 
  File: ‘.gnupg’
  Size: 4096        Blocks: 8          IO Block: 4096   directory
Device: 1bh/27d Inode: 20578751    Links: 3
Access: (0775/drwxrwxr-x)  Uid: ( 1000/      nb)   Gid: ( 1000/      XXXX)
Access: 2015-08-09 18:14:45.937760752 -0700
Modify: 2015-08-05 20:54:32.860883569 -0700
Change: 2015-08-05 20:54:32.860883569 -0700
 Birth: -

The answer at the following link advises 600 permissions for the ~/gnupg/gpg.conf file, but does the enclosing folder require those permissions, too?

https://askubuntu.com/questions/330755/unsafe-permissions-on-configuration-file-home-david-gnupg-gpg-conf-what-doe

Best Answer

Yes, you will also need to fix the permissions of the enclosing directory ~/.gnupg

Because an attacker with enough rights on the folder could manipulate folder contents.

Execute the following commands:

Make sure, the folder+contents belong to you:
chown -R $(whoami) ~/.gnupg/
Correct access rights for .gnupg and subfolders:
find ~/.gnupg -type f -exec chmod 600 {} \;
find ~/.gnupg -type d -exec chmod 700 {} \;

Explanation for 600, 700:

Lets start from the back: '00' mean NO rights AT ALL for everybody who is not the owner of the files/directories.

That means, that the process reading these (gnupg) must run as the owner of these files/directories.

~/.gnupg/ is a folder, the process reading the contents must be able to "enter" (=execute) this folder. This is the "x" Bit. It has the value "1". 7 - 6 = 1

Both ~/.gnupg/ and ~/.gnupg/* you want to be able to read and write, thats 4 + 2 = 6.

==> Only the owner of the files can read/write them now (=600). Only he can enter into the directory as well (=700)

==> These file rights don't "need" to be documented, they are derivable from the intended usage.

More info about permission notation: https://en.wikipedia.org/wiki/File_system_permissions#Notation_of_traditional_Unix_permissions

Related Solutions

What are the risks of using GnuPG 1.4.9 with the insecure memory message

The version of GnuPG included is 1.4.9 but it appears that there’s also a version 2.1 available. Are there any security risks to using 1.4.9 instead of 2.1?

It's always a good idea to use the latest version, especially with security-critical SW such as encryption. However, GnuPG 1.x and 2.x are being maintained in parallel, and the latest version from the 1.x series is 1.4.11, so you are not that far out of date. The changelogs for 1.4.10 and 1.4.11 do not mention any security fixes, so you are probably OK.

Secondly when I run GnuPG I get an insecure memory message, is this something to be worried about? My understanding is that this is only an issue if I’m worried about losing physical access to the machine and don’t want info written to the swap file that may allow someone to decrypt my files or if I’m on a multi user system where someone else could read memory pages associated with my GnuPG process.

Yes, precisely. If you are the only person using your computer, and if you are not worried about an attacker with physical access to your hardware, you can ignore the warning. You can disable it, see the GnuPG FAQ.

Linux cp Permission denied on ntfs file system

It seems to me that permissions are not correctly set.

you are user g and can read a file = OK
but you can't create a file in a destination because the directory media is not writeable by you, only root can do that

So either copy as root or change the permissions on target so that you have a write permission on media directory.

As pointed out it's not possible to change permissions nor ownership on mounted NTFS filesystem. In that case there is a possibility to use proper mount options. Bellow excerpt from man mount

uid=value, gid=value and umask=value

Set the file permission on the filesystem. The umask value is given in octal. By default, the files are owned by root and not readable by somebody else.

Example: (for /dev/sdc1 with FAT32 filesystem)

Check that the device is not mounted (following should return without output)

$ mount | grep sdc1

Mount the device with uid and gid option set

$ sudo mount /dev/sdc1 -o uid=1000,gid=1000 /mnt

Verify the mountpoint

$ mount | grep sdc1

/dev/sdc1 on /mnt type vfat (rw,relatime,uid=1000,gid=1000,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro)

Best Answer

Related Solutions

What are the risks of using GnuPG 1.4.9 with the insecure memory message

Linux cp Permission denied on ntfs file system

Related Question