server signing with php

Joseph Bruni jbruni@mac.com
Sat May 17 06:39:02 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

You could write a small program in C that is setuid-root. That program =0D=

could call setreuid() in order to switch user ID to perform the =0D
signing. If you don't like the idea of your PHP web server directly =0D
running something as root, build it client-server to decouple the =0D
elevated privilege side from the web server. Even further, the database =0D=

and key manipulation program could then run on a second system isolated =0D=

via a firewall.=0D
=0D
This may be more work than your project requires, but you will need to =0D=

decide what amount of security is appropriate.=0D
=0D
=0D
On Thursday, May 15, 2003, at 06:24 AM, Bruce Robbins wrote:=0D
=0D
> We are attempting to build an application which stores keys on the =0D
> server and allows users to sign documents assembled on the server.=0D
> system() exec() et al will give access to the shell but will not =0D
> permit signing as the user can not be changed. Has anyone got any =0D
> ideas on this or a workaround?=0D
>=0D
- -- =0D
Let us think the unthinkable, let us do the undoable. Let us prepare to =0D=

grapple with the ineffable itself, and see if we may not eff it after =0D=

all. =E2=80=94 Douglas Adams=0D
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (Darwin)

iEYEARECAAYFAj7Fu+4ACgkQ4rg/mXNDweOKdQCfelykh116QUdOKZj6Id88FZix
kAgAoJEjucDOWMuprbpYi1jawiARMYpO
=3DbOlU
-----END PGP SIGNATURE-----