On Thu, Mar 24, 2011 at 9:49 PM, Allan McRae <allan@archlinux.org> wrote:
On 25/03/11 11:32, Dan McGee wrote:
On Thu, Mar 24, 2011 at 8:00 PM, Denis A. Altoé Falqueto <denisfalqueto@gmail.com> wrote:
On Thu, Mar 24, 2011 at 8:05 PM, Ray Kohler<ataraxia937@gmail.com> wrote:
Signed-off-by: Ray Kohler<ataraxia937@gmail.com> --- scripts/pacman-key.sh.in | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-)
diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index 5746e64..ccc7f92 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -246,6 +246,12 @@ if [[ GPGDIR=$(find_config "GPGDir") == 0 ]]; then fi GPG_PACMAN="gpg --homedir ${PACMAN_KEYRING_DIR}"
+# Try to create $PACMAN_KEYRING_DIR if non-existent +# Check for simple existence rather than for a directory as someone may want +# to use a symlink here +# Force mode 700 as gpg complains if any group or other access is present +[[ -e ${PACMAN_KEYRING_DIR} ]] || mkdir -p -m 700 "${PACMAN_KEYRING_DIR}"
Why 700? Any reason a normal user should not be able to read this and validate a package on a non-root operation? e.g. pacman -Qlp<package> should run our GPG machinery eventually if a .sig is sitting alongside.
gpg makes warnings about anything else. These warnings can be suppressed with command-line gpg usage, so I guess they can be suppressed in gpgme.
I agree, that would be nicer than locking non-root users out - but I don't know how it's done.