How to preserve the permission/owner/group owner on the pubring.gpg, secring.gpg and trustdb.gpg

Sieu Truc sieutruc at gmail.com
Thu Aug 7 16:18:47 CEST 2014


Special thanks to the idea of Peter, I finally got a solution:

I describe the full problem and my goal again:
 I have 3 types of users and each user belongs to one specific group as
follows:
  "admin" can do anything (add/remove secret or public keys)
  "test1 (groupTest1)" can only manipulate public keys (no operation with
secret keys)
  "test2 (groupTest2)" can use only gpg --encrypt/sign/decrypt, so he
doesn't touch any key management action.
And I have only root to set the access permissions, only one time when
setting up the product, typically the gpg folder and its components.

And my design (maybe not so good) for those purposes is like this:

gpgshare drwxrwxsr-x admin groupTest1
   -rw-r--r--    admin:groupTest1    42  6 août  16:29 gpg-agent.conf
   -rw-r--r--    admin:groupTest1  7960  6 août  16:29 gpg.conf
   -rw-rw-r--    admin:groupTest1/test1:groupAdmin  9269  6 août  16:38 pubring.gpg
   -rw-rw----    admin:groupTest1   600  6 août  16:35 random_seed
   -rw-rw-r--    admin:groupTest1  1600  6 août  16:38 trustdb.gpg
   drwxr-sr-x    admin:groupTest1  1600  6 août  16:38 secfolder  (set gid)
           -rw-r--r--    admin:groupTest1  2851  6 août  16:35 secfolder\secring.gpg
   drwxr-s---    admin:groupTest1  1600  6 août  16:38 admin_pubring_temp  (set gid)
   drwxrws---    admin:groupAdmin  1600  6 août  16:38 test1_pubring_temp  (set gid)

So every time test1 imports a public key, he copies pubring to the
test1_pubring_temp folder and overwrites the original pubring.gpg with the
result. At that time, this new pubring has the access permissions
"test1:groupAdmin" (groupAdmin is inherited from the test1_pubring_temp
folder with setgid). So admin and test1 can manipulate pubring at the same
time.
And similarly, if admin imports a public key, the final pubring.gpg has
"admin:groupTest1" (groupTest1 is set from the admin_pubring_temp folder with
setgid).

(here I use cp -p)

Of course, the numeric permission mode can be set via chmod (they can do it
because they are the owners of the files).

Thank you.

Truc
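An added example, not code from the thread or from GnuPG: a small audit script that checks a shared gpg folder against the mode bits in the listing above, including the setgid bits the group-inheritance trick depends on and the rule that secring.gpg must never be group-writable. The LAYOUT table and file names are assumptions read off the listing; owner and group names are not checked, since only root can set those.

```python
import stat
import tempfile
from pathlib import Path

# relative path -> (is_dir, expected mode incl. setgid), read off the listing above.
# Owner/group are not checked: only root can set them; setgid dirs hand out the group.
LAYOUT = {
    ".": (True, 0o2775),
    "gpg.conf": (False, 0o644),
    "pubring.gpg": (False, 0o664),
    "trustdb.gpg": (False, 0o664),
    "random_seed": (False, 0o660),
    "secfolder": (True, 0o2755),
    "secfolder/secring.gpg": (False, 0o644),
    "admin_pubring_temp": (True, 0o2750),
    "test1_pubring_temp": (True, 0o2770),
}

def audit(home, layout=LAYOUT):
    """Return findings as strings; an empty list means the tree matches the layout."""
    findings = []
    for rel, (is_dir, want) in layout.items():
        p = Path(home, rel)
        if not p.exists():
            findings.append(f"{rel}: missing")
            continue
        have = stat.S_IMODE(p.lstat().st_mode)
        if have & 0o777 != want & 0o777:
            findings.append(f"{rel}: mode {have & 0o777:03o}, expected {want & 0o777:03o}")
        if is_dir and want & stat.S_ISGID and not have & stat.S_ISGID:
            findings.append(f"{rel}: setgid missing, new files will not inherit the group")
        if rel.endswith("secring.gpg") and have & stat.S_IWGRP:
            findings.append(f"{rel}: secret keyring is group-writable")
    return findings

def self_check():
    """Build a clean scratch tree, audit it, then loosen two things and re-audit."""
    home = tempfile.mkdtemp(prefix="gpgshare-")  # constructed scratch copy of the layout
    for rel, (is_dir, _) in LAYOUT.items():
        p = Path(home, rel)
        if is_dir:
            p.mkdir(parents=True, exist_ok=True)
        else:
            p.touch()
    for rel, (_, mode) in LAYOUT.items():  # chmod last so creation is never blocked
        Path(home, rel).chmod(mode)
    clean = audit(home)
    Path(home, "secfolder/secring.gpg").chmod(0o664)  # secret keyring group-writable
    Path(home, "test1_pubring_temp").chmod(0o770)     # setgid bit dropped
    return clean, audit(home)
```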




On Thu, Aug 7, 2014 at 3:01 PM, Kristian Fiskerstrand <
kristian.fiskerstrand at sumptuouscapital.com> wrote:

>
> On 08/07/2014 02:58 PM, Peter Lebbing wrote:
> > On 07/08/14 14:34, Sieu Truc wrote:
> >> No need to say sorry, I really appreciate your help.
> >
>
> ..
>
> >> And I have a question to you and Werner: how can gpg change the
> >> user ownership of the file? Normally only root can change the
> >> ownership.
>
> I've not read the entire thread, but has the possibility of using
> subkeys (different signing subkey for each participant and shared
> encryption subkey that is rotated regularly) been considered for this
> setup? As for the ability to add keys to the public key this seems
> sub-optimal, what should be important is the validity of
> aforementioned keys. This would be solved by using a Certificate
> Authority (depending on the number of people that can add to it,
> either a stand-alone CA or the primary key itself).
>
>
>
>
> - --
> - ----------------------------
> Kristian Fiskerstrand
> Blog: http://blog.sumptuouscapital.com
> Twitter: @krifisk
> - ----------------------------
> Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
> fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
> - ----------------------------
> Ad astra per aspera
> To the stars through thorns