Unable to run GPG from PHP gpg: WARNING: unsafe ownership on homedir

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Dec 20 21:48:51 CET 2012


Hi Roberto!

On 12/20/2012 02:32 PM, Roberto wrote:
> I made a script in PHP to encrypt information with GPG. It works fine
> until I move it from a Plesk server to a cPanel server. I adjusted
> paths, permissions and users but I get these errors:

is your web server user running as the same user account you expect it
to be?  often, on shared servers, the web server runs as www-data or
some other user.  Fortunately, www-data does not have write privileges
inside other users' gnupg home directories.  And making ~/.gnupg
writable by www-data would open your account up to a whole new level of
other problems if anyone else can write scripts that run as the web
server user.

I suspect what you want is to get the web server to run as a dedicated
user specifically for your account.  I don't know how to do that from
within cpanel (and i'm sure you can find a better cpanel forum than
gnupg-users).

> $command = "echo ". $message ." | ". $gnupg ." -a -t --batch --no-secmem-warning --homedir ". $gnupghome ." -e -r ". $uid ." --compress-algo 1 --cipher-algo cast5";

I understand that this is a test script, so i will not enumerate the
ways in which the above can go horribly wrong if any of the relevant
variables are replaced by user-supplied data.  I just hope you don't
plan on using anything like this in production.  Shell script injection
vulnerabilities are bad news.

Do the above explanations and concerns make sense?

Good luck with your project!

Regards,

	--dkg
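
The quoted `$command` line builds a shell string out of `$message` and `$uid`. As an added example (not code from this thread or from the GnuPG project), one way to call gpg from PHP with no shell involved, passing the message on stdin and checking homedir ownership first. It assumes PHP 7.4 or later, the posix extension, and a recipient given as a 40-hex-digit fingerprint; the function name `gpg_encrypt` is hypothetical, and the original's `--compress-algo` and `--cipher-algo` overrides are left out.

```php
<?php
// Added example: hypothetical helper, not from the original thread.
function gpg_encrypt(string $gpgBin, string $homedir, string $fingerprint, string $message): string
{
    // gpg prints "unsafe ownership on homedir" when the directory belongs to a
    // different user than the one running gpg, so fail early with a clear error.
    if (function_exists('posix_geteuid') && fileowner($homedir) !== posix_geteuid()) {
        throw new RuntimeException('homedir is not owned by the user PHP runs as');
    }
    // Assumption: recipients are selected by full fingerprint, so anything
    // other than 40 hex digits is rejected before it reaches gpg.
    if (!preg_match('/\A[0-9A-Fa-f]{40}\z/', $fingerprint)) {
        throw new InvalidArgumentException('recipient must be a 40-hex-digit fingerprint');
    }
    // An array command makes proc_open() exec gpg directly (PHP >= 7.4):
    // every element is one argv entry and no shell ever parses it.
    $argv = [$gpgBin, '--batch', '--no-tty', '--armor', '--textmode',
             '--homedir', $homedir, '--encrypt', '--recipient', $fingerprint];
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start gpg');
    }
    // The plaintext travels over stdin as data, never as part of a command.
    // Writing everything before reading is fine for short messages; large
    // inputs would need stream_select() to avoid blocking on full pipes.
    fwrite($pipes[0], $message);
    fclose($pipes[0]);
    $ciphertext = stream_get_contents($pipes[1]);
    $errors = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);
    if ($status !== 0) {
        throw new RuntimeException("gpg exited with status $status: $errors");
    }
    return $ciphertext;
}

// Constructed usage; the paths and the fingerprint are placeholders:
// echo gpg_encrypt('/usr/bin/gpg', '/home/example/.gnupg',
//                  str_repeat('A', 40), "text with \"quotes\"; and | pipes\n");
```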


