Need some help with permissions and ownership when running cgi script as user

David cgi@bytesinteractive.com
Fri Feb 8 07:24:02 2002


Hi,

I've installed gpg on the server and am successfully able to encrypt from a 
web form, but it's not exactly the way I want it.

Currently the cgi script runs under suexec, hence as user; however, the above 
works only when the 3 .gpg files: secring.gpg, pubring.gpg and trustdb.gpg 
are owned and in the group of the user, and are in a folder under the CGI 
user's home directory.


From a previous posting:

At 10:26 AM 1/25/02 +0100, Werner Koch wrote:
> > Q2. The public key ring is best owned by root. Is this true?
>
>It is always a good idea not to give write access to the CGI user, I'd
>create an extra user for this.


Now when I create a non-privileged user like gpgforkeys to own the keyring 
I get the following errors:

gpg: failed to create temporary file 
`/home/gpgforkeys/.gnupg/.#lk0x80ceff0.server1.mydomain.com.2173': 
Permission denied
gpg: fatal: /home/gpgforkeys/.gnupg/trustdb.gpg: can't create lock
secmem usage: 1408/1408 bytes in 2/2 blocks of pool 1408/16384

Is it possible to have the public keyring owned by the non-cgi user and 
stored above document root yet for the CGI user to write what needs to be 
written (which will have to be in a folder under its home directory because 
of the suexec)?

The bottom line is I want to use suexec to run the script and yet I don't 
want the key ring owned by the CGI user.

I hope I'm not making a mountain out of a molehill but I'm trying to create 
an optimal secure setup (which I'm learning about as I do it.)

Thanks in advance
David
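
An added example, not part of the message above and not GnuPG's own code: a Python check that reads the Unix mode bits of a GnuPG home directory and reports, for a given CGI uid, whether lock creation will fail as in the quoted error and whether that user can modify or replace the keyring files. The function names and finding codes are assumptions made for this example; only the three file names come from the post.

```python
import os
import stat

# File names taken from the post; everything else here is an assumption.
KEYRING_FILES = ("pubring.gpg", "secring.gpg", "trustdb.gpg")

def can_write(st, uid, gids):
    """Unix mode-bit check only (ACLs and read-only mounts are ignored)."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_homedir(homedir, cgi_uid, cgi_gids):
    """Return (code, path) findings for a GnuPG home directory as seen by the CGI user."""
    findings = []
    d = os.stat(homedir)
    dir_writable = can_write(d, cgi_uid, cgi_gids)
    if not dir_writable:
        # Matches the "failed to create temporary file ... can't create lock" error.
        findings.append(("LOCK_FAIL", homedir))
    sticky = bool(d.st_mode & stat.S_ISVTX)
    for name in KEYRING_FILES:
        path = os.path.join(homedir, name)
        try:
            f = os.lstat(path)
        except FileNotFoundError:
            continue
        if can_write(f, cgi_uid, cgi_gids):
            findings.append(("KEY_WRITABLE", path))
        # Write access to the directory allows unlink/rename of its entries,
        # unless the sticky bit is set and the user owns neither dir nor file.
        owns = cgi_uid in (0, d.st_uid, f.st_uid)
        if dir_writable and (not sticky or owns):
            findings.append(("KEY_REPLACEABLE", path))
    return findings

if __name__ == "__main__":
    import pwd
    import sys
    # Usage: script.py <gnupg-homedir> <cgi-username>
    user = pwd.getpwnam(sys.argv[2])
    gids = set(os.getgrouplist(user.pw_name, user.pw_gid))
    for code, path in audit_homedir(sys.argv[1], user.pw_uid, gids):
        print(code, path)
```

A `KEY_REPLACEABLE` finding on a file that is not `KEY_WRITABLE` shows why a single directory cannot both accept the CGI user's lock files and protect the keyring from that user unless the sticky bit is set.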