Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable silencing of "gpg: WARNING: unsafe permissions on homedir" warning (--no-permission-warning) #999

Open
paslandau opened this issue May 18, 2023 · 1 comment
Open

Enable silencing of "gpg: WARNING: unsafe permissions on homedir" warning (--no-permission-warning) #999

paslandau opened this issue May 18, 2023 · 1 comment

Comments

@paslandau
Copy link

paslandau commented May 18, 2023
edited
Loading

What are the steps to reproduce this issue?

  1. initialize git secret
  2. share the .gitsecret/keys folder via bind-mount with docker on Windows via Docker Desktop (Docker Desktop sets permissions to read/write/execute for users, groups and others 0777 - this can not be changed)
  3. run git secret hide
  4. observe error message gpg: WARNING: unsafe permissions on homedir

Run the following script on Windows using Docker Desktop

docker build -t my-git-secret-img -<<'EOF'
FROM alpine:3.17

ADD https://gitsecret.jfrog.io/artifactory/api/security/keypair/public/repositories/git-secret-apk /etc/apk/keys/git-secret-apk.rsa.pub
RUN echo "https://gitsecret.jfrog.io/artifactory/git-secret-apk/latest-stable/main" >> /etc/apk/repositories  && \
    apk add --update --no-cache \
        bash \
        git \
        git-secret=0.5.0 \
        gnupg

RUN echo "Key-Type: 1" > create && \
    echo "Key-Length: 2048" >> create && \
    echo "Subkey-Type: 1" >> create && \
    echo "Subkey-Length: 2048" >> create && \
    echo "Name-Real: Foo Bar" >> create && \
    echo "Name-Email: [email protected]" >> create && \
    echo "Expire-Date: 0" >> create && \
    echo "%no-protection" >> create && \
    cat create | gpg --batch --gen-key && \
    gpg --list-keys && \
    gpg --output /root/gpg.key --armor --export-secret-key [email protected]
    
RUN echo "#!/usr/bin/env bash" >> /entrypoint.bash && \
    echo "set -e" >> /entrypoint.bash && \
    echo "gpg --quiet --import --batch --yes --pinentry-mode loopback /root/gpg.key" >> /entrypoint.bash && \
    echo "exec \"\$@\"" >> /entrypoint.bash && \
    chmod +x /entrypoint.bash

ENTRYPOINT ["/entrypoint.bash", "git", "secret"]
EOF

git init
docker run -v "$(pwd):/codebase" --workdir /codebase my-git-secret-img init
touch foo
docker run --rm -v "$(pwd):/codebase" --workdir /codebase my-git-secret-img add foo
docker run --rm -v "$(pwd):/codebase" --workdir /codebase my-git-secret-img tell [email protected]
docker run --rm -v "$(pwd):/codebase" --workdir /codebase my-git-secret-img hide

See this gif for the an example

git-secret

What happens?

A GPG permission warning is shown

What were you expecting to happen?

Not see any warnings

Proposal

Add an ENV variable like DISABLE_GPG_PERMISSIONS_WARNING that sets the --no-permission-warning flag on the gpg command.

Any other comments?

This behavior started when we switched from v0.4.0 to v0.5.0 and is also documented in the CHANGELOG via

Allow gnupg permission warnings in tell, hide, reveal, and removeperson (#811)

Unfortunately, there is no way to disable the warnings. In the setup outlined above, it is impossible to change the file permissions, see:

Docker Desktop sets permissions to read/write/execute for users, groups and others 0777 or a+rwx. This is not configurable.

(https://docs.docker.com/desktop/settings/windows/#file-sharing)

The default permissions on shared volumes are not configurable. If you are working with applications that require permissions different from the shared volume defaults at container runtime, you need to either use non-host-mounted volumes or find a way to make the applications work with the default file permissions.

(https://docs.docker.com/desktop/troubleshoot/topics/#permissions-errors-on-data-directories-for-shared-volumes)

Docker Desktop does not enable you to control (chmod) the Unix-style permissions on shared volumes for deployed containers, but rather sets permissions to a default value of 0777 (read, write, execute permissions for user and for group) which is not configurable.

(https://docs.docker.com/desktop/faqs/windowsfaqs/#can-i-change-permissions-on-shared-volumes-for-container-specific-deployment-requirements)

What versions of software are you using?

Operating system: (uname -a) …

MINGW64_NT-10.0-19044 LAPTOP-0DNL2Q02 3.3.6-bec3d608-341.x86_64 2023-02-22 08:29 UTC x86_64 Msys
(Win)

Linux application 5.15.49-linuxkit #1 SMP Tue Sep 13 07:51:46 UTC 2022 x86_64 GNU/Linux
(Docker; Alpine)

git-secret path: (which git-secret) …

/usr/bin/git-secret

git-secret version: (git secret --version) …

0.5.0

git version: (git --version) …

git version 2.38.5

Shell type and version: ($SHELL --version) …

GNU bash, version 5.2.15(1)-release (x86_64-alpine-linux-musl)

gpg version: (gpg --version) …

gpg (GnuPG) 2.2.40
@paslandau
Copy link
Author

FYI: As a workaround, we are currently using a shim for gpg that adds the --no-permission-warning back when --encrypt is used as an option:

#!/usr/bin/env bash

if [[ ! "$@" =~ "--no-permission-warning" && "$@" =~ "--encrypt" ]]
then
  /usr/bin/gpg $@ --no-permission-warning
else
  /usr/bin/gpg $@
fi

The file is located at /usr/local/bin/gpg ( /usr/local/bin/ comes first in the $PATH and will thus take precedence over the "real" gpg in /usr/bin/gpg).

But this is obviously not a desirable solution and probably has some side effects somewhere :(

This is done in our Dockerfile via:

# Note:
#  In v0.5.0 of `git-secret` the `--no-permission-warning` flag was removed from certain commands.
#  This issues a warning due to unsafe permissions when encrypting filed:
#  ```
#  gpg: WARNING: unsafe permissions on homedir
#  ```
#  Unfortunately, we cannot modify the permissions of the `homedir` in a Docker Desktop setup, because
#  the `homedir` is part of the repository and thus bind-mounted in the container:
#  ```
#  Docker Desktop sets permissions to read/write/execute for users, groups and others 0777 or a+rwx. This is not configurable.
#  ```
#  @see https://docs.docker.com/desktop/settings/windows/#file-sharing
#  Thus, we create a shim for `gpg` in `/usr/local/bin/gpg` ( `/usr/local/bin/` comes first in the $PATH 
#  and will thus take precedence over the "real" gpg in `/usr/bin/gpg` ). The shim will add the 
#  `--no-permission-warning` warning as option if:
#  - `--encrypt` is used 
#  - `--no-permission-warning` does not exist yet as an option
#  and then execute the real `gpg` with all given arguments (via `$@`) 
RUN path_to_original_gpg=$(which gpg) && \
    echo '#!/usr/bin/env bash'                                                 >> /usr/local/bin/gpg && \
    echo ''                                                                    >> /usr/local/bin/gpg && \
    echo 'if [[ ! "$@" =~ "--no-permission-warning" && "$@" =~ "--encrypt" ]]' >> /usr/local/bin/gpg && \
    echo 'then'                                                                >> /usr/local/bin/gpg && \
    echo '  '"${path_to_original_gpg}"' $@ --no-permission-warning'            >> /usr/local/bin/gpg && \
    echo 'else'                                                                >> /usr/local/bin/gpg && \
    echo '  '"${path_to_original_gpg}"' $@'                                    >> /usr/local/bin/gpg && \
    echo 'fi'                                                                  >> /usr/local/bin/gpg && \
    chmod +x /usr/local/bin/gpg

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@paslandau