The simple script below is used to check whether the passphrase cached in gpg-agent is valid. When the passphrase is valid it just prints OK, but if the passphrase is invalid it prints a warning message.
#!/bin/bash
# checkgpg
KEY_ID=2B705B8B6FA943B1
# Sign a dummy message non-interactively: the passphrase is read from stdin (fd 0),
# and both the signature and the --status-fd output are discarded.
test=$(echo "1234" | gpg -q --batch --status-fd 1 --sign --local-user "$KEY_ID" --passphrase-fd 0 > /dev/null)
RET_VAL=$?   # exit status of the gpg pipeline inside the substitution
if [ "$RET_VAL" -eq 0 ]; then
    echo "OK, passphrase cached in gpg-agent is valid!"
else
    echo "Warning, passphrase cached in gpg-agent is invalid!"
fi
When I run the above script, it also starts a new gpg-agent process to store the cached passphrase. In this case it is PID 3309.
No issue with the script above.
Next, I have a few bash scripts that I have set to run via cron jobs. When each of these scripts runs via a cron job, all of a sudden I can see a random gpg-agent process with a different PID running (so now I have 2 gpg-agents):
[root@earth chkrootkit]# pidof gpg-agent
392612 3309
where PID 392612 is the new random gpg-agent that was running during the cron job.
I don't mind that it's running, but the big problem is this: while the new random gpg-agent process is running, if I re-run the above bash script to check the passphrase in gpg-agent, I get the following error:
[root@earth]# ./checkgpg
gpg: signing failed: Inappropriate ioctl for device
gpg: signing failed: Inappropriate ioctl for device
Warning, passphrase cached in gpg-agent is invalid!
Once the cron job script has finished running, I can see the valid passphrase again:
[root@earth chkrootkit]# ./testgpg
OK, passphrase cached in gpg-agent is valid!
So the error is caused by the random gpg-agent; it persists until that process terminates itself, and then the cached passphrase becomes valid again. What confuses me is why running a bash script also starts this gpg-agent process.
So, this is one example of my cron job scripts that causes the new random gpg-agent to run (only when I run it via a cron job; if I run it from the terminal, no random gpg-agent is created). I don't think the code itself matters much, because all of the scripts run from cron jobs produce the same problem:
#!/bin/bash
PATH=/bin:/usr/bin:/sbin:/usr/sbin
export PATH
echo "======================================"
echo "[chkrootkit | info]: Chkrootkit is checking system..."

# Global variables
MYHOSTNAME=$(/bin/hostname)
MYEMAIL="[email protected]"
CHKROOTKIT_LOG_PATH="/usr/local/maxicron/chkrootkit/log"
REPORT_FILE="/usr/local/maxicron/chkrootkit/log/chkrootkit-file.log"
REPORT_FILE_GREP="/usr/local/maxicron/chkrootkit/log/chkrootkit-file-grep.log"
MAIL_BIN="/usr/local/bin/mail"
WARNING_STATUS="N/A"

# Create (or truncate) the report files, owned by root:adm and readable by the group only
mkdir -p "$CHKROOTKIT_LOG_PATH"
sudo touch "$REPORT_FILE"
sudo chown root:adm "$REPORT_FILE"
sudo chmod 640 "$REPORT_FILE"
cat /dev/null > "$REPORT_FILE"
sudo touch "$REPORT_FILE_GREP"
sudo chown root:adm "$REPORT_FILE_GREP"
sudo chmod 640 "$REPORT_FILE_GREP"
cat /dev/null > "$REPORT_FILE_GREP"

echo "[chkrootkit | info]: Please wait..."
echo "Chkrootkit checked on $(date)" >> "$REPORT_FILE"
/usr/local/chkrootkit/chkrootkit >> "$REPORT_FILE"
echo "Rootkit scan return: $?"
echo "" >> "$REPORT_FILE"
echo "==================SCAN COMPLETED=================" >> "$REPORT_FILE"
echo "" >> "$REPORT_FILE"
echo "================= WARNING NOTICE ================" >> "$REPORT_FILE"

# grep exits 0 only when at least one suspicious line was found
if grep -e "Warning" -e "INFECTED" -e "were found" "$REPORT_FILE" >> "$REPORT_FILE_GREP"; then
    WARNING_STATUS="WARNING"
    cat "$REPORT_FILE_GREP" >> "$REPORT_FILE"
    echo "[chkrootkit | info]: You may Check chkrootkit update manually" >> "$REPORT_FILE"
    echo "================== END OF NOTICE ================" >> "$REPORT_FILE"
    # Note: the report is mailed a second time, unconditionally, after the if/else block
    "$MAIL_BIN" -s "[chkrootkit | $WARNING_STATUS] Check Rootkit Scan Report @ $MYHOSTNAME" "$MYEMAIL" < "$REPORT_FILE"
else
    WARNING_STATUS="OK"
    echo "" >> "$REPORT_FILE"
    echo "NO WARNING FOUND" >> "$REPORT_FILE"
    echo "" >> "$REPORT_FILE"
fi
"$MAIL_BIN" -s "[chkrootkit | $WARNING_STATUS] Check Rootkit Scan Report @ $MYHOSTNAME" "$MYEMAIL" < "$REPORT_FILE"
echo "[chkrootkit | info]: Scan Status: $WARNING_STATUS"
echo "[chkrootkit | info]: Done checking system. Email notification is set to $MYEMAIL"
echo "======================================"
The crontab for the above script looks like this:
26 18 * * * root /root/testgpg > /dev/null
So, at exactly 18:26 I got a new random gpg-agent created. I don't see any problems with the code, and nothing in it is related to gpg. Why is a new gpg-agent process running when I run the above script via a cron job like this? This also happens with other scripts, like a backup script, etc. Is there a way to debug where this comes from? I have spent a few weeks trying to find the reason behind this error, and now I just want to know the reason and how to prevent it.
Finally I can reproduce this problem. When I run this script via a cron job:
This will cause the gpg passphrase to be invalid for 60 seconds, and a 2nd random gpg-agent process will be running for 60 seconds.
But if I run this script in a cron job (without sudo), I see no problem:
Not only that: if I run the whole script with sudo in the cron job, like this, it is also a problem:
NOTE that if I run the script with sudo directly from the terminal, like this:
then it won't create the new process. This happens only when using sudo in a cron job.
So in brief, the reason the random gpg-agent process was created is the sudo command being used in the cron job. I'm still not sure why the gpg-agent process respawns when using the sudo command. It's definitely a mystery bug that I thought was a programming-related error, but that's OK; I can finally prevent this error by not using the sudo command in any of my scripts. Solved.