gpg im CGI Script

Stefan Suurmeijer stefan@symbolica.nl
Wed, 5 Jul 2000 20:07:14 +0200 (CEST) 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 5 Jul 2000, Billy Donahue wrote:

> On Wed, 5 Jul 2000, Dr. Bodo Zimmermann wrote:
> 
> > In a CGI-Script (named gpg.pl, e.g.) I have called:
> >
> > system "gpg -se -r dozi /tmp/TEST";
> >
> > After   https://dozi2/cgi-bin/gpg.pl
> >
> > I got in  error_log des httpd:
> >
> > gpg: Warning: using insecure memory!
> > gpg: fatal: ~/.gnupg: canīt create directory: no such file or directory
> > secmem usage: 0/0 bytes in 0/0 blocks of pool 0/16384
> 
> First of all, "chmod +s /usr/local/bin/gnupg"..
> Then it will use secure memory.
> Can't find or create ~/.gnupg because what's '~' ($HOME)?
> What user is this CGI running as?  Give that user a home with a ~/.gnupg
> directory or something... Where were you planning on storing the keys
> if not there? What about a passphrase?
>

Hmm, SUID root (chmod +s) can be dangerous as recent exploits have
shown. Adding no-secmem-warning to your .gnupg/options file is a valid
alternative for getting rid of the secure memory message. 
 
> > What should I do in order to get /tmp/TEST.gpg
> > which I got when running the CGI script directly from command line?
> 
> Well, you were running as yourself on the command line... and you HAVE
> a ~/.gnupg directory.
> 
> > P.S. My idea is, to make an "upload"  of plain text via an SSL secured browser
> > an encrypt the uploaded file /tmp/TEST immediately after the upload, then
> > deleting  the plain file /tmp/TEST
> >
> > I know there is a securty hole, but as long as WIN-gnupg doesn`t work ......
> 
> Geez.. that's about as bad a hole as they come...
> Look at the permissions on the /tmp directory...
> At least make a dedicated, restricted directory for this TEST file.
> Better yet, don't write it to disk at all... GnuPG is perfectly
> happy taking a pipe from stdin.  Keep the file contents in RAM
> and print it to GnuPG's standard input.
> 

I have to agree with this all the way though... ;-)


Stefan Suurmeijer


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE5Y3lbwVt5lhn5J64RArl9AKCRGC9Q631Mb+zAnSFtBSSJaSs/ugCfZDpB
J6tE9BtwVxChg09zRp4ljf0=
=ciVz
-----END PGP SIGNATURE-----