I don't want to just chmod and run until I get the right answer, nor do I want to run GnuPG as root. The easy fix would be to just set it so that only my user can read it, but I don't think that's the best way.
I get the following error when I attempt to use gpg:
gpg: WARNING: unsafe enclosing directory permissions on configuration file `/home/nb/.gnupg/gpg.conf'
gpg: external program calls are disabled due to unsafe options file permissions
gpg: keyserver communications error: general error
gpg: keyserver receive failed: general error
GnuPG's ~/.gnupg/ current status:
% stat .gnupg
File: ‘.gnupg’
Size: 4096 Blocks: 8 IO Block: 4096 directory
Device: 1bh/27d Inode: 20578751 Links: 3
Access: (0775/drwxrwxr-x) Uid: ( 1000/ nb) Gid: ( 1000/ XXXX)
Access: 2015-08-09 18:14:45.937760752 -0700
Modify: 2015-08-05 20:54:32.860883569 -0700
Change: 2015-08-05 20:54:32.860883569 -0700
Birth: -
The answer at the following link advises 600 permissions for the ~/.gnupg/gpg.conf file, but does the enclosing folder require those permissions, too?
Best Answer
Yes, you will also need to fix the permissions of the enclosing directory ~/.gnupg, because an attacker with enough rights on the folder could manipulate folder contents.
Execute the following commands:
Make sure the folder and its contents belong to you:
chown -R $(whoami) ~/.gnupg/
Correct access rights for .gnupg and subfolders:
find ~/.gnupg -type f -exec chmod 600 {} \;
find ~/.gnupg -type d -exec chmod 700 {} \;
Explanation for 600, 700:
Let's start from the back: '00' means NO rights AT ALL for everybody who is not the owner of the files/directories.
That means that the process reading these (gnupg) must run as the owner of these files/directories.
~/.gnupg/ is a folder, so the process reading the contents must be able to "enter" (=execute) this folder. This is the "x" bit. It has the value "1": 7 - 6 = 1.
Both ~/.gnupg/ and ~/.gnupg/* you want to be able to read and write, that's 4 + 2 = 6.
==> Only the owner of the files can read/write them now (=600). Only he can enter into the directory as well (=700).
==> These file rights don't "need" to be documented, they are derivable from the intended usage.
More info about permission notation: https://en.wikipedia.org/wiki/File_system_permissions#Notation_of_traditional_Unix_permissions
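As an added example (not part of the answer above), the following script audits a GnuPG home directory against the rule the answer lays out (files 600, directories 700, everything owned by the current user) and reports each offending path before anything is changed, then applies the same chown/find/chmod fix. It assumes a POSIX shell with find, sed and grep; the function names and the default of ~/.gnupg are this example's own choices.

```shell
#!/bin/sh
# Audit a GnuPG home directory for the permissions gpg warns about.
# Rule (from the answer): files 600, directories 700, owner = current user.
# Assumption: POSIX sh, find, sed, grep; directory defaults to ~/.gnupg.

# Print one line per path that breaks the rule, with the reason.
gnupg_audit() {
    dir=${1:-$HOME/.gnupg}
    me=$(id -un)
    # ownership first: gpg distrusts the directory if someone else owns it
    find "$dir" ! -user "$me" | sed "s|^|not owned by $me: |"
    # directories must be exactly 700 (rwx for owner only)
    find "$dir" -type d ! -perm 700 | sed 's/^/directory mode is not 700: /'
    # files must be exactly 600 (rw for owner only)
    find "$dir" -type f ! -perm 600 | sed 's/^/file mode is not 600: /'
}

# Number of offending paths; 0 means gpg's check will be satisfied.
gnupg_audit_count() {
    gnupg_audit "$1" | grep -c . || true
}

# Apply the answer's fix: take ownership, then tighten modes.
gnupg_fix() {
    dir=${1:-$HOME/.gnupg}
    chown -R "$(id -un)" "$dir"
    find "$dir" -type d -exec chmod 700 {} \;
    find "$dir" -type f -exec chmod 600 {} \;
}

# Usage: report first, fix only when something is wrong.
if [ "$(gnupg_audit_count "$HOME/.gnupg")" -ne 0 ]; then
    gnupg_audit "$HOME/.gnupg"
    echo "run: gnupg_fix \"$HOME/.gnupg\" to apply 700/600"
fi
```

Run the audit before the fix so you can see which path triggered gpg's "unsafe enclosing directory permissions" warning; a group-writable ~/.gnupg (0775 as in the question) shows up as a directory-mode violation.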