[GH-ISSUE #1989] gpg-agent errors #1340

Closed
opened 2026-05-05 07:53:46 -06:00 by gitea-mirror · 9 comments

Originally created by @infokiller on GitHub (Jun 11, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1989

When running with the default profile I get errors about gpg-agent. For example when running less tmpfile I get:

gpg-connect-agent: no running gpg-agent - starting '/usr/bin/gpg-agent'
gpg-connect-agent: failed to create temporary file '/home/username/.gnupg/.#lk0x00000c45ee6397f0.hostname.12': Permission denied
gpg-connect-agent: can't connect to the agent: Permission denied
gpg-connect-agent: error sending standard options: No agent running

Firejail version:

firejail version 0.9.54

Compile time support:
	- AppArmor support is enabled
	- AppImage support is enabled
	- bind support is enabled
	- chroot support is enabled
	- file and directory whitelisting support is enabled
	- file transfer support is enabled
	- networking support is enabled
	- overlayfs support is enabled
	- private-home support is enabled
	- seccomp-bpf support is enabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled

Running on Arch Linux with linux-hardened-apparmor kernel.

Even when running with no profile it seems like firejail is doing something with the gpg-agent. I ran firejail --noprofile /usr/bin/less tmpfile and got the output:

Parent pid 14574, child pid 14575
Child process initialized in 23.57 ms
gpg-connect-agent: no running gpg-agent - starting '/usr/bin/gpg-agent'
gpg-connect-agent: waiting for the agent to come up ... (5s)
gpg-connect-agent: connection to agent established

When the main process (less) exited, it seems the firejail invocation was still running and I had to use Ctrl-C to get the shell back.

NOTE: This doesn't happen only for less; I see it in other programs as well.


@chiraag-nataraj commented on GitHub (Jun 11, 2018):

Hmm, here's my output when I run firejail --noprofile /usr/bin/less /etc/profile (as an example):

Parent pid 12602, child pid 12603
Child process initialized in 35.74 ms
<less pops up>
Parent is shutting down, bye...

In other words, I can't reproduce this. I'm on Debian running a customized kernel, but I don't think the kernel configuration has much to do with this (unless the linux-hardened-apparmor kernel sets other things besides just the kernel?).

> When the main process (less) exited, it seems the firejail invocation was still running and I had to use Ctrl-C to get the shell back.

I have seen this before (#1422 as an example). That being said, gpg-agent shouldn't be running at all for less! This is really bizarre...


@infokiller commented on GitHub (Jun 11, 2018):

Thanks for the quick response!
Yes, this is strange. BTW, this seems to happen for every firejailed program, not just less.


@chiraag-nataraj commented on GitHub (Jun 11, 2018):

> BTW, this seems to happen for every firejailed program, not just less.

Right, but other programs might actually use gpg-agent. It's very curious because there's absolutely no reason less should be spawning gpg-agent.

So if you spawn less tmpfile (no firejail) and look at something like htop in tree mode (so you can see parent and children processes), does less spawn anything? I wonder...


@infokiller commented on GitHub (Jun 11, 2018):

Nope, when running less without firejail gpg-agent is not spawned.


@chiraag-nataraj commented on GitHub (Jun 11, 2018):

Huh, that's even more weird. Does it spawn if you just run firejail (or firejail --noprofile)?


@infokiller commented on GitHub (Jun 11, 2018):

Yup:

❯ firejail --noprofile
Parent pid 21165, child pid 21166
Child process initialized in 38.57 ms
gpg-connect-agent: no running gpg-agent - starting '/usr/bin/gpg-agent'
gpg-connect-agent: waiting for the agent to come up ... (5s)
gpg-connect-agent: connection to agent established
ln: failed to access '/home/user/.ssh/ssh_auth_sock': Permission denied

@chiraag-nataraj commented on GitHub (Jun 11, 2018):

Okay, that definitely shouldn't be happening...


@Vincent43 commented on GitHub (Jun 11, 2018):

Can you try /usr/bin/firejail instead of firejail?


@infokiller commented on GitHub (Jun 11, 2018):

@Vincent43 that yielded the same result

OK, I think I understand where this is coming from. I have the following line in my ~/.profile: gpg-connect-agent updatestartuptty /bye >/dev/null.
My login shell is set to zsh and I sourced ~/.profile from my ~/.zshenv, so I guess firejail spawned a new shell each time that made these calls to gpg-connect-agent.
When I commented out my ~/.zshenv the problem was resolved.

Thanks a lot for all your help!
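
A guard for the ~/.profile line identified in the thread, added here as an example and not taken from the thread or the firejail project: it only runs gpg-connect-agent when the GnuPG home directory is actually usable from the current process, so a sandboxed shell that sources ~/.zshenv does not fail on the blocked ~/.gnupg (the "failed to create temporary file ... Permission denied" seen in the report). The function names gpg_home_usable and maybe_update_gpg_tty are assumptions.

```shell
#!/bin/sh
# Guard for the ~/.profile line discussed in the issue:
#   gpg-connect-agent updatestartuptty /bye >/dev/null
# Under the default firejail profile ~/.gnupg is not writable, so the agent
# cannot create its lock file and every new shell prints errors. Run the
# call only when the GnuPG home is really usable. (Added example; not
# firejail's own code. Function names are assumptions.)

# Returns 0 when the GnuPG home directory can be entered and written to,
# 1 otherwise. $1 overrides the directory (default: $GNUPGHOME or ~/.gnupg).
gpg_home_usable() {
    dir="${1:-${GNUPGHOME:-$HOME/.gnupg}}"
    [ -d "$dir" ] || return 1          # missing or not a directory
    [ -x "$dir" ] || return 1          # cannot traverse it
    [ -w "$dir" ] || return 1          # cannot write lock files
    # Permission checks can lie inside a sandbox (bind mounts, blacklists),
    # so probe with a real create-and-delete, like the agent's lock file.
    probe="$dir/.gpg-home-probe.$$"
    ( : > "$probe" ) 2>/dev/null || return 1
    rm -f "$probe"
    return 0
}

# Replacement for the unconditional ~/.profile line: silently skip the agent
# when its home is unreachable instead of spawning it and failing.
maybe_update_gpg_tty() {
    if gpg_home_usable "$@"; then
        gpg-connect-agent updatestartuptty /bye >/dev/null 2>&1
    fi
}
```

Source this from ~/.profile and call maybe_update_gpg_tty in place of the original line; under firejail's default profile the call is skipped without output.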
