gpg im CGI Script
Stefan Suurmeijer
stefan@symbolica.nl
Wed, 5 Jul 2000 20:07:14 +0200 (CEST)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Wed, 5 Jul 2000, Billy Donahue wrote:
> On Wed, 5 Jul 2000, Dr. Bodo Zimmermann wrote:
>
> > In a CGI-Script (named gpg.pl, e.g.) I have called:
> >
> > system "gpg -se -r dozi /tmp/TEST";
> >
> > After https://dozi2/cgi-bin/gpg.pl
> >
> > I got in error_log des httpd:
> >
> > gpg: Warning: using insecure memory!
> > gpg: fatal: ~/.gnupg: canīt create directory: no such file or directory
> > secmem usage: 0/0 bytes in 0/0 blocks of pool 0/16384
>
> First of all, "chmod +s /usr/local/bin/gnupg"..
> Then it will use secure memory.
> Can't find or create ~/.gnupg because what's '~' ($HOME)?
> What user is this CGI running as? Give that user a home with a ~/.gnupg
> directory or something... Where were you planning on storing the keys
> if not there? What about a passphrase?
>
Hmm, SUID root (chmod +s) can be dangerous as recent exploits have
shown. Adding no-secmem-warning to your .gnupg/options file is a valid
alternative for getting rid of the secure memory message.
> > What should I do in order to get /tmp/TEST.gpg
> > which I got when running the CGI script directly from command line?
>
> Well, you were running as yourself on the command line... and you HAVE
> a ~/.gnupg directory.
>
> > P.S. My idea is, to make an "upload" of plain text via an SSL secured browser
> > an encrypt the uploaded file /tmp/TEST immediately after the upload, then
> > deleting the plain file /tmp/TEST
> >
> > I know there is a securty hole, but as long as WIN-gnupg doesn`t work ......
>
> Geez.. that's about as bad a hole as they come...
> Look at the permissions on the /tmp directory...
> At least make a dedicated, restricted directory for this TEST file.
> Better yet, don't write it to disk at all... GnuPG is perfectly
> happy taking a pipe from stdin. Keep the file contents in RAM
> and print it to GnuPG's standard input.
>
I have to agree with this all the way though... ;-)
Stefan Suurmeijer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE5Y3lbwVt5lhn5J64RArl9AKCRGC9Q631Mb+zAnSFtBSSJaSs/ugCfZDpB
J6tE9BtwVxChg09zRp4ljf0=
=ciVz
-----END PGP SIGNATURE-----