encrypting as "nobody"

Jack McKinney jackmc-gnupg-users@lorentz.com
Mon, 18 Sep 2000 13:08:33 -0500


    I am still not convinced of the security of GnuPG, yet (I am one of
those PGP 2.6.* die hards), but, I can tell you what I did with PGP to
make this work:
    Firstly, create a brand new key for this application: don't use your
regular one.
    Secondly, create a homedir for nobody, or, even better, create a
new user for the web server with the SERVER_ROOT as homedir.
    Thirdly, add the public portion of that key to the keyring in the
web user's homedir (i.e., export the key from your ring, and then
import it into the web users ring).  Now you can encrypt files from
the web server securely.  The most (theoretically) that someone could
get from hacking through the web server is the public key that files
are being encrypted with.  In an ideal world, the secret key wouldn't
even reside on the server: you create it on your secure desktop machine,
export the public portion, and copy it (scp!) to the server where you
import it into your web server's keyring.

Big Brother tells me that Erik Wessel wrote:

> I have a perl CGI script which I need to have encrypt data for me.
> Since it's a CGI it runs as "nobody". But on my system "nobody"
> doesn't have a home directory. So I tried using the --homdir flag
> (--homedir erik) to point to a different users home directory, but
> when I do, I get this error in my http error log:
> gpg: keyblock resource `erik': file open error
> gpg: keyblock resource `erik': file open error
> gpg: erik: skipped: public key not found
> gpg: [stdin]: encryption failed: public key not found
> I know this decreases security, but on the off chance it would work,
> I made my pubring.gpg readable by all, but I still get the same error.
> I can get the script to work fine when I run it under my user ID from
> the command line.
> Does anyone know what I'm missing?
> Erik Wessel
> 233 North Water Street
> Milwaukee WI 53202
> ph 414 | 765 | 0333
> fax 414 | 765 | 1207
> --
> Archive is at http://lists.gnupg.org - Unsubscribe by sending mail
> with a subject of "unsubscribe" to gnupg-users-request@gnupg.org
- -- "In God We Trust. Jack McKinney Everyone else we monitor." jackmc@lorentz.com -Former NSA employee http://www.lorentz.com F4 A0 65 67 58 77 AF 9B FC B3 C5 6B 55 36 94 A6 -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBOcZaF0Zx0BGJTwrZAQGeJAP/Sxsg8s7ebyvga3+gRfmmNpW7K4ALinJL dLGwRRB60yNs9CyRBbTcD+jB5YhvbyAWrzgw6TeD8xdDZLe+rdyBP+qkHhAQjz7x nQvwrbUylcFh8KeGA5XFLqXBqls+Ic8nhT3QurP2LUkhKcU6TdLzeBHkwY2CKhoO hpF9SpgvrJI= =Ypmr -----END PGP SIGNATURE----- -- Archive is at http://lists.gnupg.org - Unsubscribe by sending mail with a subject of "unsubscribe" to gnupg-users-request@gnupg.org