CGI and GnuPG

Oliver Crow
Tue Jun 26 21:44:02 2001

I am trying to run GnuPG from a CGI script.  The goal of the script is to
PGP encrypt some data submitted to a web form using a predefined key, and
send that data to a predefined email address.  There is no neccessity to
perform any validity checking on the keys, since they have been manually

The problem is that the web server (as is customary) runs as user nobody,
but the gpg process assumes it will have write access to the ".gnupg"
directory.  The only way for that to be true is to make the the directory
world writeable.  I can arrange for the keyring to exist outside of that
directory (using --keyring), but the CGI script still uses the
random_seed, secring.pgp and trustdb.gpg files from the .gnupg directory.

Shouldn't gpg have a feature that allows it to work in read-only mode,
where it doesn't attempt to alter (or at least doesn't fail if it can't
alter) the random_seed, trustdb.gpg and secring.gpg files?  Otherwise
doesn't the fact that these files need to be world writeable make a
clearly exploitable security hole?  Any user (or script running as nobody)
could set the random_seed, or alter the trust or keyring files.

The particular error messages raised by gpg when the keyring directory is
not world writeable are:

gpg: fatal: /usr/home/user/.gnupg/trustdb.gpg: can't create lock
gpg: fatal: /usr/home/user/.gnupg/trustdb.gpg: can't open: Permission 
gpg: can't create `/usr/home/user/.gnupg/random_seed': Permission denied
   (although this one does not appear to be fatal)

The gpg command line I am using is:
"$gpg --batch --always-trust --no-default-keyring"
        . " --keyring /usr/home/user/pubring.gpg"
        . " -a -e -r $recipient_key -o $pgpoutput";

If I had root access to the webserver I might be able to setup suexec to
run the CGI script as a user other than nobody.  However that is not the