Re: GnuPG::Interface

2007-04-22 Thread Stef Caunter
I do this but don't use the module, just the shell.

You have to confirm the environment for the user. I reset HOME.

$ENV{'HOME'} = "/home/gnupg";

.gnupg directory permission has to be 0700 owned by the webserver user, with 
0600 on the files.

Plaintext is encrypted to the key and then securely deleted; I'm sure I just 
didn't know what to do with the perl module, but I need gpg to work, not perl.

# encrypt to the "nobody" key, then overwrite and unlink the plaintext (rm -P is BSD rm);
# system() returns 0 only if the whole command line succeeded
$gpg_result = system("/usr/local/bin/gpg --batch --armor -er nobody $DIR/$gpg_file && /bin/rm -P $DIR/$gpg_file");

# didn't work
if ($gpg_result) {
    # do what you think is appropriate
}

# worked
unless ($gpg_result) {
    # note that file gets .asc appended to its name
    open GPG, "<$DIR/${gpg_file}.asc" or warn "$! asc open\n";
    while (<GPG>) {
        $message_body .= $_;
    }
    close GPG or warn "$! asc close\n";
    # email the ciphertext, or whatever you want to do with it.
}

Stef
http://caunter.ca/contact.html

On Sun, 22 Apr 2007, Linda Jen wrote:

 I am trying to run a CGI application that uses GnuPG::Interface
 in perl.  The application runs fine from the command line but not from
 CGI.  Of course, the CGI is running as user httpd and I have now changed the
 homedir path to be owned by httpd also.  The application creates
 temporary files for encrypting and signing.  I have followed coding exactly
 like that in examples.  I have included a relevant snippet of
 code below:
 ---
 use GnuPG::Interface;
 use GnuPG::Handles;
 use IO::Handle;
 use MIME::Base64;

 my $gnupg = GnuPG::Interface->new();
 # recipients takes an array reference
 $gnupg->options->hash_init( armor      => 1,
                             recipients => [ $data{'gpg_user'} ],
                             homedir    => $data{'gpg_home'} );
 my $input   = IO::Handle->new();
 my $output  = IO::Handle->new();
 my $handles = GnuPG::Handles->new( stdin  => $input,
                                    stdout => $output );
 my $pid = $gnupg->encrypt( handles => $handles );
 open(unENCR, "</tmp/$prefix") || die "You are pissing me off!";
 @alltext = <unENCR>;
 close(unENCR);
 print $input @alltext;
 close $input;
 my @ciphertext = <$output>;
 print @ciphertext;
 close $output;
 waitpid $pid, 0;
 open(ENCR, ">/tmp/$prefix2") || die "Cannot open file to encrypt";
 print ENCR @ciphertext;
 close(ENCR);
 print @ciphertext;
 # *** obtain the GnuPG signature data
 open(ENCR, "<$encryptedfile") or die "Unable to open encryptedfile - $encryptedfile";
 while (<ENCR>) {
     $message .= $_;
 }
 close(ENCR);

 $base64message = encode_base64($message);
 $url = $eacportal . '?sg=' . $base64message . '&comp=' . $pm_shortname;

 print "\n$url\n";
 exit(0);
 
 I get the following messages in my apache server log:

 [Fri Apr 20 14:10:45 2007] [error] [client 852.12.22.138] gpg: WARNING:
 unsafe permissions on homedir
 //.gnupg, referer:
 http://y/test/login.test2.html
 [Fri Apr 20 14:10:45 2007] [error] [client 852.12.22.138] gpg: failed to
 create temporary file
 `/xxx/.gnupg/.#lk0x9b7bf18.x.13310':
 Permission denied, referer:
 http://y/test/login.test2.html
 [Fri Apr 20 14:10:45 2007] [error] [client 852.12.22.138] gpg: fatal:
 //.gnupg/trustdb.gpg:
 can't create lock, referer:
 http://y/test/login.test2.html
 [Fri Apr 20 14:10:45 2007] [error] [client 852.12.22.138] secmem usage:
 1408/1408 bytes in 2/2 blocks of pool 1408/16384, referer:
 http://y/test/login.test2.html
 ---
 One suggestion I read was to chmod u+s on the executable.  None of these
 worked.   Does anyone have an idea of a workaround for this or does
 anyone have any suggestions or working examples including proper
 permissions on directories and programs?  Changing owners to
 root or the server (httpd) doesn't seem to help.  Thanks in advance.

 ___
 Gnupg-users mailing list
 Gnupg-users@gnupg.org
 http://lists.gnupg.org/mailman/listinfo/gnupg-users



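The failure Linda reports ("unsafe permissions on homedir", "can't create lock") is exactly what Stef's reply addresses: the web-server process needs a pinned HOME, a 0700 homedir with 0600 files that it owns, and a non-interactive gpg call whose exit status is tested before the plaintext is thrown away. As an added example, not code from either post or from the GnuPG project, this POSIX sh script performs those checks before calling gpg. The homedir location (`/home/gnupg`), the `GNUPG_WEB_HOME` and `GPG` variables, the recipient and the file names are assumptions; the gpg path is the one Stef uses.

```shell
#!/bin/sh
# Added example, not from the original posts. Checks a GnuPG homedir the way
# gpg itself does before it is run from a web-server account, then encrypts a
# file non-interactively and removes the plaintext only when gpg succeeded.

# check_gnupg_home DIR: return 0 if DIR is 0700 and every regular file in it
# is 0600 (no group/other bits set); otherwise list the offenders and return 1.
check_gnupg_home() {
    dir=$1
    rc=0
    [ -d "$dir" ] || { echo "no such homedir: $dir" >&2; return 2; }
    # characters 5-10 of 'ls -l' output are the group and other permission bits
    mode=$(ls -ld "$dir" | cut -c5-10)
    [ "$mode" = "------" ] || { echo "unsafe permissions on homedir $dir (need 0700)"; rc=1; }
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -f "$f" ] || continue
        mode=$(ls -l "$f" | cut -c5-10)
        [ "$mode" = "------" ] || { echo "unsafe permissions on $f (need 0600)"; rc=1; }
    done
    return $rc
}

# encrypt_for_web RECIPIENT PLAINTEXT: encrypt PLAINTEXT to RECIPIENT's key,
# producing PLAINTEXT.asc, and remove PLAINTEXT only if gpg exited 0.
encrypt_for_web() {
    recipient=$1
    plain=$2
    # Pin the environment: a CGI process often has no usable HOME, and gpg
    # derives its homedir from it. /home/gnupg is an assumed location.
    HOME=${GNUPG_WEB_HOME:-/home/gnupg}
    export HOME
    check_gnupg_home "$HOME/.gnupg" || return 1
    # --batch: never prompt (a prompt from a CGI just hangs); --yes: overwrite
    # an existing .asc. The gpg path is the one used in the post.
    "${GPG:-/usr/local/bin/gpg}" --batch --yes --armor -r "$recipient" --encrypt "$plain" \
        || { echo "gpg failed with status $? for $plain" >&2; return 1; }
    [ -s "$plain.asc" ] || { echo "gpg exited 0 but $plain.asc is missing" >&2; return 1; }
    # The post uses BSD 'rm -P' (overwrite before unlink); GNU rm lacks -P,
    # so fall back to a plain unlink there ('shred -u' is the GNU equivalent).
    rm -P "$plain" 2>/dev/null || rm -f "$plain"
    echo "$plain.asc"
}

# Usage from a CGI wrapper (assumed names):
#   asc=$(encrypt_for_web nobody /var/tmp/upload.123) || exit 1
```

The permission test reproduces the condition gpg checks before printing "unsafe permissions on homedir", so a wrapper can report a misconfigured homedir in its own log rather than discovering it one level down in Apache's error_log.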


Re: Using GNUPG with php scripts and webserver

2007-04-06 Thread Stef Caunter
Check error_log for the problem (if you can) - permissions on ~/.gnupg files 
will cause things to not work and you must have environment exported for the 
nobody user. I reset $ENV{'HOME'} in perl... there must be something 
similar in php. If you can view the environment the server provides in the 
browser you can see if you have what gpg requires. I assume the binary is in 
$PATH for the webserver. 
Keys must be readable and implicitly trusted for the webserver user and 
this user must have somewhere to write if you are using temporary files.

Stef
http://caunter.ca/crypto.html

On Fri, 6 Apr 2007, womble wrote:


 Hi, I can't get php scripts from Apache to execute GNUPG commands.

 If I run cmds or execute php scripts from the cmd line that works fine.



 nobody:x:99:99:Nobody:/home/nobody:/bin/bash




Re: Help understanding gnupg needed!

2006-04-17 Thread Stef Caunter
get over it, publishing your email results in spam; I don't think that this 
surprises anyone anymore - deal with it in your own way and move on. The rage 
against spam has resulted in excellent filtering software, but the 
energy on both sides amounts to equilibrium.


Stef
http://caunter.ca/contact.html


Is it true that if i publish it there
my email address (which comes in the user id) may
become a target for spammers?


Yes, as far as I know. Anyway, damage done, you can't delete the key
AFAIK. I hear that Thunderbird's spam filters are very good, so you
shouldn't have too much trouble.


Is it possible to show an existing webmail address in the user id
which is not the email address i am going to use with encryption
feature?


This could be awkward for your email partners. For example, my mail
program automatically looks for the key based on the email address.




Re: Passphrase on the command line

2006-03-22 Thread Stef Caunter

Here is my idiom; checking for success is vital.

See openssh documentation for details on key-based shell access. Test for 
transparent access, if using gpg, test for undisturbed encryption with --batch.


You can pipe the dump (or tar) to gpg instead of gzip. File size will be 
reduced. The dd command can also hit a tape, though this isn't always practical 
with nightly cron stuff.


# $? after a pipeline is the exit status of its last stage (ssh/dd) only
OK=`/sbin/dump -0 -f - / | gzip | /usr/bin/ssh x.x.x.x dd of=/path/ok.gz 2>/dev/null; echo $?`
if [ "$OK" != 0 ]
then
    echo `date` `hostname` backup failed $OK | mail you
    exit 1
fi

echo `date` `hostname` backup $OK | mail -s "`hostname` backup $OK" you


Stef Caunter
http://caunter.ca/contact.html




Is there any documentation on how to do that?





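The idiom above records `$?` after the pipeline, which in a POSIX shell is the exit status of the last stage alone: if dump or gzip fails while ssh and dd run to completion, the script still mails "backup 0". As an added example, not from the post, here is a POSIX sh helper that captures every stage's status so the success check is trustworthy; the stage commands in the test and in `backup_report` are constructed stand-ins for dump, gzip (or gpg) and `ssh ... dd`.

```shell
#!/bin/sh
# Added example, not from the original post. In a pipeline such as
#   dump | gzip | ssh host dd of=...
# "$?" reports only the last stage, so an upstream failure is silently lost.
# pipeline_ok runs three stages and records each one's exit status in a scratch
# file; the caller gets 0 only if all three stages succeeded.
# The three arguments are the operator's own fixed command strings (as they
# would appear in the cron script) and are run with eval; never pass user input.
pipeline_ok() {
    s=$(mktemp -d) || return 2
    { eval "$1"; echo $? > "$s/1"; } |
    { eval "$2"; echo $? > "$s/2"; } |
    { eval "$3"; echo $? > "$s/3"; }
    rc=0
    for i in 1 2 3; do
        st=$(cat "$s/$i" 2>/dev/null || echo 255)   # 255: stage never reported
        [ "$st" = 0 ] || { echo "stage $i failed with status $st" >&2; rc=1; }
    done
    rm -rf "$s"
    return $rc
}

# backup_report PRODUCER FILTER CONSUMER: run the pipeline and print the one-line
# report the post mails out; returns 0 only if every stage succeeded. In the
# real script the stages would be dump, gzip (or gpg --batch) and ssh ... dd,
# and the report line would be piped to mail.
backup_report() {
    if pipeline_ok "$1" "$2" "$3"; then
        echo "$(date) $(uname -n) backup ok"
        return 0
    else
        echo "$(date) $(uname -n) backup FAILED"
        return 1
    fi
}

# Usage with constructed stages standing in for dump | gzip | ssh host dd:
#   backup_report 'printf %s "sample data"' 'cat' 'cat > /dev/null'
```

Shells that offer `set -o pipefail` (bash, ksh) make the whole pipeline's status non-zero when any stage fails, which is a shorter fix where those shells are available; the scratch-file version above also tells you which stage failed, which is what you want in the mail.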


batch mode lack of randomness FreeBSD

2006-03-15 Thread Stef Caunter
I'm sure I have just missed this in the archives, but I cannot see mention of a 
way to get sufficient randomness when running gpg remotely in a shell account 
to batch generate key pairs, i.e.


gpg --gen-key --batch tmp

where tmp is populated according to doc/DETAILS example. Here is what I've done 
to help randomness. I'm just a user on this system so my options for IRQ 
mapping to acquire randomness are limited:


I've started a child process that continually writes to a disk file during 
the --gen-key --batch job...


I have populated ~/.gnupg/random_seed with 600 bytes from /dev/urandom

I have asked the admin to add IRQs to rndcontrol.

Is this just the way it is on FreeBSD (4.11-RELEASE)? There is plenty of 
randomness in /dev/urandom, and none in /dev/random...


Stef
http://caunter.ca/contact.html


