What are the standard ownership settings for files in the `.gnupg` folder?

Question

What are the standard ownership settings for files in the .gnupg folder?

After doing sudo chown u:u * mine now looks like this:

drwx------ 2 u u 4,0K jan 18 22:53 crls.d
drwx------ 2 u u 4,0K jan 18 22:33 openpgp-revocs.d
drwx------ 2 u u 4,0K jan 18 22:33 private-keys-v1.d
-rw------- 1 u u    0 sep 28 02:12 pubring.gpg
-rw-rw-r-- 1 u u 2,4K jan 18 22:33 pubring.kbx
-rw------- 1 u u   32 jan 18 22:28 pubring.kbx~
-rw------- 1 u u  600 jan 19 22:15 random_seed
-rw------- 1 u u    0 sep 28 02:13 secring.gpg
srwxrwxr-x 1 u u    0 jan 20 10:20 S.gpg-agent
-rw------- 1 u u 1,3K jan 18 23:47 trustdb.gpg

However, before that, originally at least pubring.gpg,secring.gpg and random_seed were owned by root.

Answer 1

The .gnupg directory and its contents should be owned by the user whose keys are stored therein and who will be using them. There is in principle no problem with a root-owned .gnupg directory in your home directory, if root is the only user that you use GnuPG as (in that case one could argue that the directory should live in /root or that you should do things differently).

I can see nothing wrong with the file permissions in the file listing that you have posted. The .gnupg folder itself should additionally be inaccessible by anyone other than the owner and user of the keys.

---

The reason why the files may initially have been owned by root could be because GnuPG was initially run as root or by a process executing as root (maybe some package manager software or similar).

---

GnuPG does permission checks and will warn you if any of the files have unsafe permissions. These warnings may be turned off (don't do that):

--no-permission-warning

Suppress the warning about unsafe file and home directory (--homedir) permissions. Note that the permission checks that GnuPG performs are not intended to be authoritative, but rather they simply warn about certain common permission problems. Do not assume that the lack of a warning means that your system is secure.

Note that the warning for unsafe --homedir permissions cannot be suppressed in the gpg.conf file, as this would allow an attacker to place an unsafe gpg.conf file in place, and use this file to suppress warnings about itself. The --homedir permissions warning may only be suppressed on the command line.

The --homedir directory referred to above is the .gnupg directory, usually at $HOME/.gnupg unless changed by using --homedir or setting GNUPGHOME.

Additionally, the file storing the secret keys will be changed to read/write only by default by GnuPG, unless this behaviour is turned off (don't do that either):

--preserve-permissions

Don't change the permissions of a secret keyring back to user read/write only. Use this option only if you really know what you are doing.

This applies to GnuPG 2.2.3, and the excerpts above are from the gpg2 manual on an OpenBSD system.

Answer 2

I can't see why the files have been owned by root. As you can see below, these files should be owned solely by the user.

These are standard ownership information of ~/.gnupg folder under Debian:

drwx------ 2 vlastimil vlastimil 4.0K Mar 24  2017 crls.d
drwx------ 2 vlastimil vlastimil 4.0K Dec  4  2016 private-keys-v1.d
-rw-r--r-- 1 vlastimil vlastimil  54K Nov  4 10:43 pubring.kbx
-rw-r--r-- 1 vlastimil vlastimil  52K Jun  8  2017 pubring.kbx~
-rw------- 1 vlastimil vlastimil  600 Jun 21  2017 random_seed
-rw------- 1 vlastimil vlastimil 1.5K Nov  4 10:44 trustdb.gpg

These are standard ownership information of ~/.gnupg folder under Mint:

drwx------ 2 vlastimil vlastimil 4.0K Jan 17 07:05 private-keys-v1.d
-rw-r--r-- 1 vlastimil vlastimil   50 Jul 13  2016 gpg-agent-info-vb-nb-mint
-rw------- 1 vlastimil vlastimil 9.2K Nov 21  2015 gpg.conf
-rw------- 1 vlastimil vlastimil 3.5M Jan 21 15:18 pubring.gpg
-rw------- 1 vlastimil vlastimil 3.5M Jan 17 07:06 pubring.gpg~
-rw------- 1 vlastimil vlastimil  600 Jan 21 15:20 random_seed
-rw------- 1 vlastimil vlastimil  20K Jan 21 15:18 secring.gpg
srwxrwxr-x 1 vlastimil vlastimil    0 Jan 21 08:49 S.gpg-agent
-rw------- 1 vlastimil vlastimil 2.6K Jan 17 07:06 trustdb.gpg