non root users

Atom 'Smasher' atom-gpg at suspicious.org
Mon Oct 13 12:31:39 CEST 2003


> I am running version 1.2.1 and I want to allow non-root users to be able
> to list the keys and encrypt for support issues.   In my options file I
> have stated
> - -no-secmem-warning,  but as a test user I still receive that messages
> about the memory.
> When I run gpg --list-keys as a test user I get nothing back...???   I
> have placed them in the proper group and have sgid'ed.
==================================

i'm ASSuming that you're doing this on *nix, since you mention root... i
don't know enough about windoze to know if it even has a root account...

btw, checking mail while logged in as root is a bad idea... best to fwd
the mail to a non-root account!!

AFAIK, the only *correct* way to share keys is give each user a copy of
the keyring in their ~/.gnupg/*

if they do already have keyrings, keys can be imported, per user... or (if
they don't have keyrings) you can just copy the keyrings (and options
file) into each user's home dir (and update the ownership). if they
already have a keyring, you can export all of your keys, and let each user
import that keyring into their own.

just do
	gpg --export -a > all-pub-keys.asc
and you'll get all of your public keys in one text file.

similar for "--export-secret-keys" and "--export-secret-subkeys".

depending on who has access to your system, you might want to make sure
that those files exist with restrictive permissions *before* you redirect
secret key info into them. also, look into `srm`. another ~secure~ (YMMV)
option is to:

	gpg --export-secret-keys -a | openssl bf > all-secret-keys.enc

which will give you a symmetrically encoded copy of the secret keyring.
that can then be imported (by other users) through STDIN, with:

	openssl bf -d < all-secret-keys.enc | gpg --import

you *might* be able to sym-link from your ~/.gnupg/ to theirs, and set up
a "gpg-user" group that has access to the files. of course, since any user
can then delete the keys (either through malice or accident), a secure
backup (with restrictive permissions/access) would be prudent. i'm not
sure if gpg will complain about liberal permissions on the keyrings....

i'm new here, so maybe there's another way.... of course, if this is for a
company that's laying people off, then ignore the above advice, and reset
all of your passwords (esp root) to "password"   >;)


	...atom

_______________________________________________
PGP key - http://smasher.suspicious.org/pgp.txt
3EBE 2810 30AE 601D 54B2 4A90 9C28 0BBF 3D7D 41E3
-------------------------------------------------

	"Treat us good, we'll treat you better.
	 Treat us bad, we'll treat you worse."
		-- motto of The Blue Blaze Irregulars
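
The advice above to make sure the output file exists with restrictive permissions *before* redirecting secret key material into it, as an added shell example that is not part of the original message. `private_sink` and `mode_of` are hypothetical helper names, and the output file name in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post. Helper names are hypothetical.

# mode_of FILE: print the octal permission bits (GNU stat, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# private_sink FILE: copy stdin into FILE, making sure FILE is a plain
# file with mode 600 before the first secret byte is written to it.
private_sink() {
    out=$1
    # A symlink or non-regular file at this path could send the secret
    # somewhere else, so refuse it instead of following it.
    if [ -L "$out" ] || { [ -e "$out" ] && [ ! -f "$out" ]; }; then
        echo "refusing to write to $out: not a plain file" >&2
        return 1
    fi
    (
        umask 077                        # anything created here is 0600
        if [ -e "$out" ]; then
            chmod 600 "$out" || exit 1   # tighten an existing file first
        else
            set -C                       # noclobber: create exclusively
            : > "$out" || exit 1
            set +C
        fi
        cat > "$out"                     # only now write the data
    )
}

# Usage with the export command from the post (output name is a placeholder):
#   gpg --export-secret-keys -a | private_sink all-secret-keys.asc
#   mode_of all-secret-keys.asc
```

Run it in a directory only you can write to; in a shared directory another user can still swap the path between the check and the write.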



