Encrypting Web Forms
Richard Lynch
lynch@cognitivearts.com
Mon, 19 Jul 1999 23:03:54 -0500
At 10:55 AM 7/9/99, James Thompson wrote:
>I do not understand why I can successfully send the gpg --help command via
>the web server but I can't encrypt info. Any ideas?
This is what *might* be going wrong, based on my experience a long, long
time ago with version, errr, maybe 0.4?
I think maybe the *environment* of the Apache web-server is not that of you
in the shell (even when you are logging in as 'www' or 'nobody').
I don't think gpg relies on any environment variables, except maybe path,
or perhaps home for the options file to load or a relative path to .gnupg
and the keyrings.
You may wish to explore suExec (www.apache.org) and PHP as a CGI, so that
php is running as you, and not as 'www', and then gpg will know you're you,
not 'www'.
Note that suExec and PHP's safe_mode are doing very similar things, and are
mutually exclusive alternatives, so you may need to exclude --safe_mode as
well as --with-apache when you compile the CGI binary of PHP.
If you have sole access to the machine and believe it is otherwise secure,
doing something like this:
--- /path/not/in/webroot/mailme.inc ------
// passphrase and message go to gpg's stdin, one per line
passthru("echo 'passphrase\n$message' | /usr/local/bin/gpg ...");
------------------------------------------
--- /webroot/test.php3 -------------------
$message = 'BYE';
include('mailme.inc');
------------------------------------------
is relatively secure: It is extremely insecure in a shared server or if
others can write PHP scripts.
Errrrr. Perhaps "relatively secure" is too strong, depending on why you're
doing what you're doing, but I'm not a security expert, so I'll shut up
about that now. The point is that having a keyring that 'nobody' can use
to forge messages may be less secure than having a passphrase lying around
in a file that allegedly only you can access.
Any time you can do something from the command line and not the web, it
boils down to permissions/environment.
Take heart. It *can* be done, and if I can make it work (after weeks of
trying different things) *anybody* can do it. :-)
-- "TANSTAAFL" Rich lynch@cognitivearts.com webmaster@ and www. all of:
R&B/jazz/blues/rock - jademaze.com music industry org - chatmusic.com
acoustic/funk/world-beat - astrakelly.com sculptures - olivierledoux.com
my own nascent company - l-i-e.com cool coffeehouse - uncommonground.com
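An added example, not from the post above: the same "PHP pipes a message into gpg" idea, written so that it handles the two things the message calls out. The web server's environment is set explicitly (GNUPGHOME and PATH, since Apache usually gives the script no HOME and gpg then cannot find .gnupg), and neither the passphrase nor the form contents are spliced into a shell command string: the passphrase goes to gpg over a dedicated file descriptor and the message over stdin, so a quote or newline in a form field cannot turn into shell syntax. The gpg path and the keyring directory are assumed (the binary path follows the post); the recipient key id, the passphrase source and the gpg flags other than --passphrase-fd are assumptions for illustration, and --pinentry-mode loopback assumes a gpg 2.1 or later binary.

```php
<?php
// Added example, not code from the original post. Encrypt and sign $message
// with gpg from PHP without putting the passphrase or the message on a
// shell command line.
//
// Assumptions: gpg lives at /usr/local/bin/gpg (as in the post), the keyring
// is in $gnupghome (a directory outside the web root, readable only by the
// user the script runs as), and $recipient is a key id you have vetted.

function gpg_encrypt_sign(string $message, string $recipient,
                          string $passphrase,
                          string $gnupghome = '/path/not/in/webroot/.gnupg'): string
{
    // Explicit environment: this is the usual reason gpg works in your shell
    // but not from Apache (no HOME, different PATH).
    $env = [
        'GNUPGHOME' => $gnupghome,
        'PATH'      => '/usr/local/bin:/usr/bin:/bin',
    ];

    // fd 0: message on stdin, fd 1: ciphertext, fd 2: diagnostics,
    // fd 3: passphrase, so it never appears in the command line or `ps`.
    $spec = [
        0 => ['pipe', 'r'],
        1 => ['pipe', 'w'],
        2 => ['pipe', 'w'],
        3 => ['pipe', 'r'],
    ];

    // --trust-model always assumes you control the keyring and have checked
    // the recipient key yourself; otherwise gpg refuses in --batch mode.
    $cmd = '/usr/local/bin/gpg --batch --yes --armor --trust-model always'
         . ' --pinentry-mode loopback --passphrase-fd 3'
         . ' --recipient ' . escapeshellarg($recipient)
         . ' --sign --encrypt';

    $proc = proc_open($cmd, $spec, $pipes, null, $env);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start gpg');
    }

    // Passphrase first (gpg reads fd 3 when it needs the secret key),
    // then the plaintext; close each pipe so gpg sees EOF.
    fwrite($pipes[3], $passphrase . "\n");
    fclose($pipes[3]);
    fwrite($pipes[0], $message);
    fclose($pipes[0]);

    $ciphertext = stream_get_contents($pipes[1]);
    $diagnostics = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);

    $status = proc_close($proc);
    if ($status !== 0) {
        // Surface gpg's own message (e.g. "no such key", "bad passphrase")
        // instead of silently returning an empty string.
        throw new RuntimeException("gpg exited with status $status: $diagnostics");
    }
    return $ciphertext;
}

// Usage, with a constructed form value:
// $armored = gpg_encrypt_sign($_POST['message'] ?? '', 'RECIPIENT-KEY-ID',
//                             $passphrase_read_from_a_file_outside_webroot);
```

The passphrase still has to come from somewhere the web user can read, which is the trade-off the post describes; what changes is that a form field can no longer alter the command that runs, and a failure shows up as gpg's error text rather than as silence. For very large messages the single fwrite on stdin could block while gpg's stdout pipe fills, so for anything beyond typical form sizes write the plaintext to a temporary file outside the web root and pass its path instead.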