How to preserve the permission/owner/group owner on the pubring.gpg, secring.gpg and trustdb.gpg
peter at digitalbrains.com
Wed Aug 6 20:35:20 CEST 2014
On 06/08/14 16:57, Sieu Truc wrote:
> -rw-rw-rw-. 1 Test1 groupTest2 600 6 août 16:35 random_seed
> -rw-r--r--. 1 Test1 groupTest2 2851 6 août 16:35 secring.gpg
> -rw-rw-rw-. 1 Test1 groupTest2 1600 6 août 16:38 trustdb.gpg
These three sound rather insecure, especially world-writable stuff?!
That's pretty extreme. That opens you up to bugs in a lot of services,
not to mention that I think most developers develop with the expectation
that world-readable stuff does not need to be protected from reading by
anybody / any service, so they're not very vigilant about that either.
> Can you suggest to me any solution that will preserve the
> permission/user/group like as it was set originally.
My strong suggestion would be to change the process, giving each user
their own secret keyring. Can't you script a secret key import that
would import for both users?
Alternatively, and I'm not really in favour of this but it's your setup,
the man-pages for gpg and gpg2 mention:
> Don't change the permissions of a secret keyring back to user
> read/write only. Use this option only if you really know what you
> are doing.
But I would strongly suggest not making the three files mentioned
world-readable, let alone world-writable.
There is no need at all to share random_seed, so I would definitely give
each user their own copy of that for simplicity. It is written much more
often than secring.gpg.
I think trustdb.gpg is, or might also be, written on public key import.
If you fiddle with access permissions, you need to really think about
what you're doing. Your world-writable access makes me suspect you
haven't thought well about all the implications, so
--preserve-permissions might be a great way to shoot yourself in the
foot. I suppose you're using GnuPG for some kind of protection against
something nefarious, because I wouldn't know what else it is for (a
really over-the-top checksum? :). If you then kill off security in
another way, you only get a warm feeling, but so will your attacker,
when he uses a filesystem-traversal bug in some program running on the
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
More information about the Gnupg-users