What are the correct permissions for the .gnupg enclosing folder? gpg: WARNING: unsafe enclosing directory permissions on configuration file

27

10

I don't want to just chmod and run until I get the right answer, nor do I want to run GnuPG as root. The easy fix would be to just set it so that only my user can read it, but I don't think that's the best way.

I get the following error when I attempt to use gpg:

gpg: WARNING: unsafe enclosing directory permissions on configuration file `/home/nb/.gnupg/gpg.conf'
gpg: external program calls are disabled due to unsafe options file permissions
gpg: keyserver communications error: general error
gpg: keyserver receive failed: general error

GnuPG's ~/.gnupg/ current status:

% stat .gnupg 
  File: ‘.gnupg’
  Size: 4096        Blocks: 8          IO Block: 4096   directory
Device: 1bh/27d Inode: 20578751    Links: 3
Access: (0775/drwxrwxr-x)  Uid: ( 1000/      nb)   Gid: ( 1000/      XXXX)
Access: 2015-08-09 18:14:45.937760752 -0700
Modify: 2015-08-05 20:54:32.860883569 -0700
Change: 2015-08-05 20:54:32.860883569 -0700
 Birth: -

The answer at the following link advises 600 permissions for the ~/.gnupg/gpg.conf file, but does the enclosing folder require those permissions, too?

https://askubuntu.com/questions/330755/unsafe-permissions-on-configuration-file-home-david-gnupg-gpg-conf-what-doe

Nathan Basanese

Posted 2015-08-10T01:30:40.877

Reputation: 658

Answers

54

Yes, you will also need to fix the permissions of the enclosing directory ~/.gnupg.

This is because an attacker with enough rights on the folder could manipulate its contents.

Execute the following commands:

  1. Make sure the folder and its contents belong to you:
     chown -R $(whoami) ~/.gnupg/

  2. Correct the access rights for .gnupg and its subfolders:
     find ~/.gnupg -type f -exec chmod 600 {} \;
     find ~/.gnupg -type d -exec chmod 700 {} \;

Explanation for 600, 700:

Let's start from the back: '00' means NO rights AT ALL for everybody who is not the owner of the files/directories.

That means that the process reading these (GnuPG) must run as the owner of these files/directories.

Since ~/.gnupg/ is a folder, the process reading its contents must be able to "enter" (= execute) it. This is the "x" bit, which has the value 1: 7 - 6 = 1.

You want to be able to read and write both ~/.gnupg/ and ~/.gnupg/*; that's 4 + 2 = 6.

==> Only the owner of the files can read/write them now (= 600). Only the owner can enter the directory as well (= 700).

==> These file rights don't "need" to be documented, they are derivable from the intended usage.

More info about permission notation: https://en.wikipedia.org/wiki/File_system_permissions#Notation_of_traditional_Unix_permissions

Alex Stragies

Posted 2015-08-10T01:30:40.877

Reputation: 1 320

// , Do you know if the makers of GnuPG document these specific permission levels? If they do document them, where could I find this? – Nathan Basanese – 2015-08-10T18:18:53.437

They do! You posted the error message ;) – Alex Stragies – 2015-08-10T19:24:35.127

// , Yeah, but the error message doesn't say what the permissions should be. Do they publish that anywhere? – Nathan Basanese – 2017-03-30T22:52:02.883

// , Also, thanks for adding more of an explanation for those of us who aren't as familiar with the permission numbering scheme. – Nathan Basanese – 2017-03-30T22:54:19.157

6

GnuPG by default enforces secure access privileges, which means nobody else (but you) can access your GnuPG home directory ~/.gnupg. These access privileges often are not strict enough after copying the GnuPG home directory from another machine, and very often wrong ownership is the reason for such a message.

# Set ownership to your own user and primary group
chown -R "$USER:$(id -gn)" ~/.gnupg
# Set permissions to read, write, execute for only yourself, no others
chmod 700 ~/.gnupg
# Set permissions to read, write for only yourself, no others
chmod 600 ~/.gnupg/*

If you have (for any reason) created your own folders inside ~/.gnupg, you must also additionally apply execute permissions to that folder. Folders require execution privileges to be opened.

Jens Erat

Posted 2015-08-10T01:30:40.877

Reputation: 14 141

4

Although Jens Erat already mentioned it in his last sentence, I think it should be stressed that any folders inside ~/.gnupg must be executable (mode 700) as well. This holds especially for the private-keys* folder that is created by gpg itself. I was stuck with permission problems for a while before I noticed this.

tc88

Posted 2015-08-10T01:30:40.877

Reputation: 91

find ~/.gnupg -type d -exec chmod 700 {} \; – Craig Hicks – 2019-01-17T06:29:17.790

2

These two lines will set the permissions separately and correctly for directories and files:

find ~/.gnupg -type d -exec chmod 700 {} \;
find ~/.gnupg -type f -exec chmod 600 {} \;

assuming ownership is already set correctly.

Note it does not change permissions on the sockets S.gpg-agent*. (Only the new gpg v2 involves sockets, the old gpg v1 doesn't).

Craig Hicks

Posted 2015-08-10T01:30:40.877

Reputation: 181

Looks like an answer born of experience. – Nathan Basanese – 2019-01-25T09:22:03.810
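Added example, not code from any of the answers above: a small audit/fix helper that encodes the rules given by Alex Stragies (directories 700, files 600, everything owned by you), tc88 (subfolders such as gpg2's private-keys-v1.d must be 700 too) and Craig Hicks (sockets S.gpg-agent* are left alone). It assumes POSIX find/chmod/sed and an `id` that supports -un; the function and file names are made up for this example.

```shell
# Constructed helper for auditing and repairing a GnuPG home directory.

# gnupg_audit DIR: print one line per finding, nothing when DIR is clean.
gnupg_audit() {
  dir=$1
  # Anything not owned by the current user: gpg will not trust the directory.
  find "$dir" ! -user "$(id -un)" -print | sed 's/^/OWNER    /'
  # Every directory (DIR itself and subfolders such as private-keys-v1.d)
  # must be exactly 700: the owner needs "x" to enter it, and a group/other
  # write bit is what triggers "unsafe enclosing directory permissions".
  find "$dir" -type d ! -perm 700 -print | sed 's/^/DIRMODE  /'
  # Regular files must be exactly 600. -type f skips the S.gpg-agent* sockets,
  # so they are neither reported nor touched.
  find "$dir" -type f ! -perm 600 -print | sed 's/^/FILEMODE /'
}

# gnupg_audit_count DIR: number of findings, as a plain integer.
gnupg_audit_count() {
  gnupg_audit "$1" | wc -l | tr -d ' '
}

# gnupg_fix DIR: apply the ownership and mode rules. chown needs root only
# when some entries currently belong to another user.
gnupg_fix() {
  dir=$1
  chown -R "$(id -un)" "$dir"
  find "$dir" -type d -exec chmod 700 {} \;
  find "$dir" -type f -exec chmod 600 {} \;
}

# Run directly:  sh gnupg-perms.sh audit|fix [DIR]   (DIR defaults to ~/.gnupg)
case "${1:-}" in
  audit) gnupg_audit "${2:-$HOME/.gnupg}" ;;
  fix)   gnupg_fix "${2:-$HOME/.gnupg}" && gnupg_audit "${2:-$HOME/.gnupg}" ;;
esac
```

Run `audit` first and read the findings before running `fix`, since the fix rewrites modes for the whole tree.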