
mutt: cannot decrypt ~/.muttrc.gpg #5619

Open
hyder365 opened this issue Jan 25, 2023 · 12 comments
Labels
needinfo More information is needed from the issue author

Comments


hyder365 commented Jan 25, 2023

Using firejail 0.9.72 on Arch, the new mutt profile causes a bit of chaos. My setup is slightly abnormal so it may be an edge case not worth fixing, but I'll describe it anyway:

Mutt has no ability to hash the stored passwords. Anything in .muttrc is in cleartext. To get around this, some people have a ~/.muttrc.gpg file that contains the login/config info in a gpg-encrypted form. In the normal ~/.muttrc, I have:

source "gpg -dq ~/.muttrc.gpg |"

This decrypts the real config on startup, but now fails because of firejail presumably blocking off access to that .gpg file (or gpg itself, but I assume that's allowed since so many people use gpg with mutt). The simplest fix I would propose is allowing read access to ~/.muttrc* rather than just ~/.muttrc. For now I can just whitelist access to that file.

edit: Whitelisting that file isn't enough because mutt can't read the gpg keyring it seems. Adding ~/.gnupg as read-only doesn't work because then temp files can't be made. Adding ~/.gnupg as read-write doesn't work because mutt can't access the smartcard holding the private key. I'll just have to disable firejail for this program for now.

@kmk3 kmk3 changed the title mutt profile breaks some setups mutt profile cannot access ~/.muttrc.gpg Jan 26, 2023
@kmk3 kmk3 changed the title mutt profile cannot access ~/.muttrc.gpg mutt profile cannot access gpg-encrypted ~/.muttrc Jan 26, 2023
@kmk3 kmk3 changed the title mutt profile cannot access gpg-encrypted ~/.muttrc mutt profile cannot decrypt ~/.muttrc.gpg Jan 26, 2023

kmk3 commented Jan 26, 2023

@hyder365 on Jan 25:

> Using firejail 0.9.72 on Arch, the new mutt profile causes a bit of chaos.

Do you mean that it used to work on 0.9.70?

There was an email-related refactor done in 0.9.72 (#5571), but I don't
remember any changes related to these issues.

> My setup is slightly abnormal so it may be an edge case not worth fixing, but
> I'll describe it anyway:
>
> Mutt has no ability to hash the stored passwords. Anything in .muttrc is in
> cleartext. To get around this, some people have a ~/.muttrc.gpg file that
> contains the login/config info in a gpg-encrypted form. In the normal
> ~/.muttrc, I have:
>
> source "gpg -dq ~/.muttrc.gpg |"
>
> This decrypts the real config on startup, but now fails because of firejail
> presumably blocking off access to that .gpg file (or gpg itself, but I assume
> that's allowed since so many people use gpg with mutt). The simplest fix I
> would propose is allowing read access to ~/.muttrc* rather than just
> ~/.muttrc. For now I can just whitelist access to that file.

mutt.profile allows access to ~/.config/mutt.

Does it work if you store it somewhere like ~/.config/mutt/muttrc.gpg instead?

> edit: Whitelisting that file isn't enough because mutt can't read the gpg
> keyring it seems. Adding ~/.gnupg as read-only doesn't work because then temp
> files can't be made.

Note that mutt.profile allows access to ~/.gnupg and ${RUNUSER}/gnupg, so it
should have access to the keyring (unless it's stored somewhere else).

> Adding ~/.gnupg as read-write doesn't work because mutt can't access the
> smartcard holding the private key. I'll just have to disable firejail for
> this program for now.

Do you know what is the path to the smartcard device in /dev?

Does adding this to ~/.config/firejail/mutt.local work?

ignore nou2f
ignore private-dev

@hyder365 (Author)

Thanks for the reply. I'm now trying with the file in ~/.config/mutt/.muttrc.gpg (and ~/.muttrc updated to point here) and a ~/.config/firejail/mutt.profile that has:

include /etc/firejail/mutt.profile
ignore nou2f
ignore private-dev

But on startup mutt still shows a default config.

Reading profile /home/me/.config/firejail/mutt.profile
gpg: decryption failed: No secret key

Don't know the /dev node for the Nitrokey. I'd be glad to try any other suggestions.

@rusty-snake (Collaborator)

The instruction was to add the two lines to mutt.local. Using mutt.profile (the way you did) does not work. Can you re-check with mutt.local?


kmk3 commented Jan 26, 2023

@hyder365 on Jan 26:

> Thanks for the reply. I'm now trying with the file in
> ~/.config/mutt/.muttrc.gpg (and ~/.muttrc updated to point here) and a
> ~/.config/firejail/mutt.profile that has:
>
> include /etc/firejail/mutt.profile
> ignore nou2f
> ignore private-dev
>
> But on startup mutt still shows a default config.

In order for the ignores to work, they have to appear before the commands in
question, so redirects should always appear last:

ignore nou2f
ignore private-dev

# Redirect
include ${CFG}/mutt.profile

Though as @rusty-snake mentioned, unless you actually want to override the
entire default profile, it's easier to just add commands to the .local file
(which is included by the .profile file in /etc).

> Don't know the /dev node for the Nitrokey. I'd be glad to try any other
> suggestions.

Try plugging/unplugging it and running dmesg -H to see if it says anything
about the device.

Or doing ls /dev with it plugged/unplugged and comparing the results.
Example:

# (disconnect it)
ls /dev | LC_ALL=C sort -u >before
# (connect it)
ls /dev | LC_ALL=C sort -u >after
diff before after

@hyder365 (Author)

Using ~/.config/firejail/mutt.local with only the two ignore lines mentioned above gets further, but now mutt prompts to insert the smartcard corresponding to the key for decryption of the .muttrc.gpg file.

@kmk3 kmk3 changed the title mutt profile cannot decrypt ~/.muttrc.gpg mutt cannot decrypt ~/.muttrc.gpg Jan 26, 2023
@hyder365 (Author)

There's no difference in the /dev list with the device plugged in or unplugged, even after a reboot.

@rusty-snake (Collaborator)

What about stuff deeper in /dev like /dev/input?

@hyder365 (Author)

> What about stuff deeper in /dev like /dev/input?

ls -R /dev | sort -u

with and without gives me only one line of diff, "189:641"

dmesg -H

with and without gives me

+[Jan26 15:01] usb 6-1: new full-speed USB device number 3 using uhci_hcd
+[  +0.190387] usb 6-1: New USB device found, idVendor=20a0, idProduct=4211, bcdDevice= 2.00
+[  +0.000009] usb 6-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
+[  +0.000005] usb 6-1: Product: Nitrokey Start
+[  +0.000006] usb 6-1: Manufacturer: Nitrokey
+[  +0.000003] usb 6-1: SerialNumber: FSIJ-xxx


kmk3 commented Jan 27, 2023

@hyder365 on Jan 26:

> Using ~/.config/firejail/mutt.local with only the two ignore lines mentioned
> above gets further, but now mutt prompts to insert the smartcard
> corresponding to the key for decryption of the .muttrc.gpg file.

Does it work with firejail --profile=noprofile mutt?

noprofile.profile is intended to allow as much as possible (and so is not
secure).

If so, the problem most certainly lies in mutt.profile (rather than in firejail
itself). In which case, a way to debug it is to comment all of mutt.profile
and then uncomment lines until it breaks again. I'd suggest trying that and
then posting the lines causing the issue.

@hyder365 (Author)

> Does it work with firejail --profile=noprofile mutt?

Yes, works fine with that.

> If so, the problem most certainly lies in mutt.profile (rather than in firejail itself). In which case, a way to debug it is to comment all of mutt.profile and then uncomment lines until it breaks again. I'd suggest trying that and then posting the lines causing the issue.

If you have any specific ones you want me to try, I'll be glad to.

Reading the default mutt.profile, I see a comment about "Add the next lines to your mutt.local for oauth.py,S/MIME support." but the options are related to perl and python, neither of which I'm using for anything.

(All of those "mkdir" and "mkfile" lines in mutt.profile are extremely annoying and I have to clean up my home directory after every attempt to debug this. I didn't need any of those files or directories for mutt functionality.)


kmk3 commented Jan 27, 2023

@hyder365 on Jan 27:

> > Does it work with firejail --profile=noprofile mutt?
>
> Yes, works fine with that.
>
> > If so, the problem most certainly lies in mutt.profile (rather than in
> > firejail itself). In which case, a way to debug it is to comment all of
> > mutt.profile and then uncomment lines until it breaks again. I'd suggest
> > trying that and then posting the lines causing the issue.
>
> If you have any specific ones you want me to try, I'll be glad to.

I don't have a Nitrokey and I don't know how it is accessed, so my best guess
would have been those ignore commands.

Maybe strace could help find which paths it tries to access. Example:

strace /usr/bin/mutt 2>&1 | grep open

Other than that, what is left is brute force: Comment everything and uncomment
chunks of lines until the problem is narrowed down.

> Reading the default mutt.profile, I see a comment about "Add the next lines
> to your mutt.local for oauth.py,S/MIME support." but the options are related
> to perl and python, neither of which I'm using for anything.
>
> (All of those "mkdir" and "mkfile" lines in mutt.profile are extremely
> annoying and I have to clean up my home directory after every attempt to
> debug this. I didn't need any of those files or directories for mutt
> functionality.)

Some seem to be completely unnecessary (like the ones related to text editors),
others I'm not sure.

Also, does (/can) mutt itself modify any path other than these?

  • ~/Mail
  • ~/postponed
  • ~/sent

Are all other paths expected to always be created/modified manually from
outside of mutt, including the configuration files?

Note that if mutt creates a path in the home directory that is not whitelisted,
everything in it will be lost after the sandbox is closed.

@rusty-snake (Collaborator)

> strace

strace -e %file -f -o mutt.strace /usr/bin/mutt
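The strace approach suggested in the two comments above, as an added example that is not part of this issue thread or of firejail: a small sh helper that reduces an `strace -e %file -f -o mutt.strace` log to the distinct paths whose access failed, which is the list to compare against what the profile whitelists. The trace lines below are constructed for illustration, not a real capture.

```shell
#!/bin/sh
# Added example, not from the firejail project or this issue.
# Summarise which paths a sandboxed program failed to access, from a log
# produced by `strace -e %file -f -o LOG PROGRAM`.

# Constructed sample trace (pids and paths are made up for illustration).
SAMPLE_TRACE='1234 openat(AT_FDCWD, "/home/me/.muttrc", O_RDONLY) = 3
1234 openat(AT_FDCWD, "/home/me/.config/mutt/.muttrc.gpg", O_RDONLY) = -1 ENOENT (No such file or directory)
1235 openat(AT_FDCWD, "/home/me/.gnupg/pubring.kbx", O_RDONLY) = 4
1235 openat(AT_FDCWD, "/run/user/1000/gnupg/S.gpg-agent", O_RDWR) = -1 EACCES (Permission denied)
1236 access("/dev/bus/usb/006/003", R_OK|W_OK) = -1 ENOENT (No such file or directory)
1236 stat("/usr/bin/gpg", {st_mode=S_IFREG|0755, ...}) = 0
1235 openat(AT_FDCWD, "/run/user/1000/gnupg/S.gpg-agent", O_RDWR) = -1 EACCES (Permission denied)'

# failed_paths TRACE_TEXT
# Prints "ERRNO PATH" for every distinct failing syscall, sorted.
# Keeps only lines whose result is "= -1 E...", takes the first quoted
# string (the path) and the errno token, then de-duplicates.
# The leading pid is optional so logs taken without -f also work.
failed_paths() {
    printf '%s\n' "$1" \
      | grep -E '= -1 E[A-Z]+' \
      | sed -E 's/^([0-9]+ )?[a-z_0-9]+\([^"]*"([^"]+)".*= -1 (E[A-Z]+).*/\3 \2/' \
      | LC_ALL=C sort -u
}

# count_failed TRACE_TEXT: number of distinct failing paths.
count_failed() {
    failed_paths "$1" | wc -l | tr -d ' '
}

# Stand-alone usage: run on the constructed sample, or pass in a real log
# with:  failed_paths "$(cat mutt.strace)"
failed_paths "$SAMPLE_TRACE"
```

Paths under the home directory that show up as ENOENT inside the sandbox but exist outside it are the candidates for a whitelist line in mutt.local.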

@kmk3 kmk3 added the needinfo More information is needed from the issue author label Feb 3, 2023
@kmk3 kmk3 changed the title mutt cannot decrypt ~/.muttrc.gpg mutt: cannot decrypt ~/.muttrc.gpg Aug 23, 2024