Encrypting Web Forms

Richard Lynch lynch@cognitivearts.com
Mon, 19 Jul 1999 23:03:54 -0500

At 10:55 AM 7/9/99, James Thompson wrote:

>I do not understand why I can successfully send the gpg --help command via
>the web server but I can't encrypt info. Any ideas?

This is what *might* be going wrong, based on my experience a long, long time ago with version, errr, maybe 0.4?

I think maybe the *environment* of the Apache web-server is not that of you in the shell (even when you are logging in as 'www' or 'nobody'). I don't think gpg relies on any environment variables, except maybe path, or perhaps home for the options file to load or a relative path to .gnupg and the keyrings.

You may wish to explore suExec (www.apache.org) and PHP as a CGI, so that php is running as you, and not as 'www', and then gpg will know you're you, not 'www'. Note that suExec and PHP's safe_mode are doing very similar things, and are mutually exclusive alternatives, so you may need to exclude --safe_mode as well as --with-apache when you compile the CGI binary of PHP.

If you have sole access to the machine and believe it is otherwise secure, doing something like this:

--- /path/not/in/webroot/mailme.inc ------
// passphrase on the first line, the message after it, both piped to gpg
passthru("echo 'passphrase\n$message' | /usr/local/bin/gpg ...");
------------------------------------------

--- /webroot/test.php3 -------------------
$message = 'BYE';
include('mailme.inc');
------------------------------------------

is relatively secure: It is extremely insecure in a shared server or if others can write PHP scripts. Errrrr. Perhaps "relatively secure" is too strong, depending on why you're doing what you're doing, but I'm not a security expert, so I'll shut up about that now.

The point is that having a keyring that 'nobody' can use to forge messages may be less secure than having a passphrase lying around in a file that allegedly only you can access.

Any time you can do something from the command line and not the web, it boils down to permissions/environment.

Take heart. It *can* be done, and if I can make it work (after weeks of trying different things) *anybody* can do it. :-)

--
"TANSTAAFL"
Rich lynch@cognitivearts.com
webmaster@ and www. all of:
R&B/jazz/blues/rock - jademaze.com
music industry org - chatmusic.com
acoustic/funk/world-beat - astrakelly.com
sculptures - olivierledoux.com
my own nascent company - l-i-e.com
cool coffeehouse - uncommonground.com
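An added example, not code from Rich's post, of the same pipe-to-gpg idea done without interpolating the message or the passphrase into a shell string and without depending on the web server's inherited environment. It assumes gpg 2 at /usr/local/bin/gpg whose agent accepts loopback pinentry (the default in current releases), a keyring under a known home directory that the web-server user can read, and a recipient key id; the function name and parameters are mine.

```php
<?php
// Added example, not code from the original post. Assumes: gpg 2 at
// /usr/local/bin/gpg whose agent accepts loopback pinentry (the default in
// current releases), a keyring under $gnupgHome readable by the web-server
// user, and a recipient key id in $recipient.
function gpg_sign_encrypt(string $message, string $recipient,
                          string $passphrase, string $gnupgHome): string
{
    // Every argument is quoted individually; $message never touches argv.
    $cmd = implode(' ', array_map('escapeshellarg', [
        '/usr/local/bin/gpg', '--batch', '--yes', '--armor',
        '--homedir', $gnupgHome,         // explicit: do not rely on $HOME under Apache
        '--pinentry-mode', 'loopback',   // let gpg read the passphrase from a descriptor
        '--passphrase-fd', '3',          // passphrase on fd 3: not in argv, not in a file
        '--recipient', $recipient, '--sign', '--encrypt',
    ]));
    $spec = [
        0 => ['pipe', 'r'],  // stdin:  plaintext
        1 => ['pipe', 'w'],  // stdout: armored ciphertext
        2 => ['pipe', 'w'],  // stderr: gpg diagnostics
        3 => ['pipe', 'r'],  // fd 3:   passphrase
    ];
    // A minimal, explicit environment so the result does not depend on
    // whatever the web server happened to inherit.
    $env = ['GNUPGHOME' => $gnupgHome, 'PATH' => '/usr/local/bin:/usr/bin:/bin'];
    $proc = proc_open($cmd, $spec, $pipes, null, $env);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start gpg');
    }
    fwrite($pipes[3], $passphrase . "\n");
    fclose($pipes[3]);
    fwrite($pipes[0], $message);  // form-sized input; large data would need stream_select()
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    if (proc_close($proc) !== 0) {
        // stderr usually names the missing keyring or permission problem
        throw new RuntimeException("gpg failed: $err");
    }
    return $out;
}
```

If this works from a shell but fails under Apache, the stderr text carried by the exception is the quickest way to see which keyring, home directory or permission differs between the two environments.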