How to preserve the permission/owner/group owner on the pubring.gpg, secring.gpg and trustdb.gpg

Sieu Truc sieutruc at gmail.com
Thu Aug 7 16:21:44 CEST 2014


 drwxrws---   admin:groupAdmin  1600  6 août  16:38 test1_pubring_temp  (setgid)

->
 drwxrws---   test1:groupAdmin  1600  6 août  16:38 test1_pubring_temp  (setgid)

Sorry

Truc


On Thu, Aug 7, 2014 at 4:18 PM, Sieu Truc <sieutruc at gmail.com> wrote:

> Especially thanks to the idea of Peter, I finally got a solution:
>
> I describe the full problem and my goal again:
>  I have 3 types of users and each user belongs to one specific group as
> follows:
>   "admin" can do anything (add/remove secret or public keys)
>   "test1 (groupTest1)" can only manipulate public keys (no operation with
> secret keys)
>    "test2 (groupTest2)" can only use gpg --encrypt/sign/decrypt, so he
> doesn't touch any key management action.
> And I only have root to set the access permissions once, when setting up
> the product, typically the gpg folder and its components.
>
> And my design (maybe not so good) for those purposes is like this:
>
> gpgshare drwxrwxsr-x admin groupTest1
>    -rw-r--r--    admin:groupTest1    42  6 août  16:29 gpg-agent.conf
>    -rw-r--r--    admin:groupTest1  7960  6 août  16:29 gpg.conf
>    -rw-rw-r--   admin:groupTest1/test1:groupAdmin  9269  6 août  16:38 pubring.gpg
>    -rw-rw----   admin:groupTest1   600  6 août  16:35 random_seed
>
>    -rw-rw-r--   admin:groupTest1  1600  6 août  16:38 trustdb.gpg
>    drwxr-sr-x   admin:groupTest1  1600  6 août  16:38 secfolder  (set gid)
>            -rw-r--r--    admin:groupTest1  2851  6 août  16:35 secfolder/secring.gpg
>    drwxr-s---   admin:groupTest1  1600  6 août  16:38 admin_pubring_temp  (setgid)
>    drwxrws---   admin:groupAdmin  1600  6 août  16:38 test1_pubring_temp  (setgid)
>
> So every time test1 imports a public key, he copies pubring to the
> test1_pubring_temp folder and overwrites the original pubring.gpg with
> the result. At that time, this new pubring has access permissions like
> "test1:groupAdmin" (groupAdmin is inherited from the test1_pubring_temp
> folder with setgid). So admin and test1 can manipulate pubring at the
> same time.
> And similarly, if admin imports a public key, the final pubring.gpg has
> "admin:groupTest1" (groupTest1 is set from the admin_pubring_temp folder
> with setgid).
>
> (here I use cp -p)
>
> Of course, the permission numeric mode can be set via chmod (they can do
> this because they are owners of the files).
>
> Thank you.
>
> Truc
>
>
>
>
> On Thu, Aug 7, 2014 at 3:01 PM, Kristian Fiskerstrand <
> kristian.fiskerstrand at sumptuouscapital.com> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA512
>>
>> On 08/07/2014 02:58 PM, Peter Lebbing wrote:
>> > On 07/08/14 14:34, Sieu Truc wrote:
>> >> No need to say sorry, I really appreciate your help.
>> >
>>
>> ..
>>
>> >> And I have a question for you and Werner: how can gpg change the
>> >> user ownership of the file? Normally only root can change the
>> >> ownership.
>>
>> I've not read the entire thread, but has the possibility of using
>> subkeys (different signing subkey for each participant and shared
>> encryption subkey that is rotated regularly) been considered for this
>> setup? As for the ability to add keys to the public key this seems
>> sub-optimal, what should be important is the validity of
>> aforementioned keys. This would be solved by using a Certificate
>> Authority (depending on the number of people that can add to it,
>> either a stand-alone CA or the primary key itself).
>>
>>
>>
>>
>> - --
>> - ----------------------------
>> Kristian Fiskerstrand
>> Blog: http://blog.sumptuouscapital.com
>> Twitter: @krifisk
>> - ----------------------------
>> Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
>> fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
>> - ----------------------------
>> Ad astra per aspera
>> To the stars through thorns
>> -----BEGIN PGP SIGNATURE-----
>>
>> iQIcBAEBCgAGBQJT43itAAoJEPw7F94F4TagtuIQALJvShbdl3TX3RL0C+JcN7qN
>> hG1io8doIHv/0YDgSRnsl+c+4K26+wvO9Jsucj8QL6ryPK1JVyuEv/CHBcYtLEHv
>> JnmlkjPhidbjCBOcHFBxJfAjOCElOgSSDPJpxV4LmDltgDnLwrDo0IuZ9Dr4wSR5
>> xC5Fmb9YvKfW9CiU51A3svH7dYwgHn59TlkAJy1OqsddWDozcPpRTZRWEpt8BHmc
>> QAfOgt1Sh4Cb/u4vXt1cMMWREZZaw4S/nytnBoQ40fH05r5cPNmicryNkrXrmAI0
>> BGjseLYdHmfIPCLYpToGBjIIwpCfHapWzVrwMy2reNwCiMM05GQNh9LrEogxN5GN
>> cmqStzbKlYLTWHn9VLXtcfPak74dDHwEV0s01fAArWrHNUP36QceJNPRxO7k+cVK
>> oLlBllru6HHoKt5sPH1qqN5BZQslT9P+dk/MGIYuhT/Xbl+UooywzNGGL9IIijLS
>> dVoVy9mKt+jWkYjoGeXcu1xloAebvjmNGMaU+Ali0VdeXEUhDKq/yX821ERvF3PR
>> HWy2HX+wZTGuQnwg+RJVyD5cbdquhuozfCaBBVy2Cj3bLQJCRRDtJ9Mgv/9AAttF
>> erPt0S4h4EVLSy8wbZZHUVaDsrcQvhz0ntpbi7EA47Jn4F0UFfjSyYxwa11TfHbC
>> GSWpMhnNt7+SoSysJjcr
>> =Guy+
>> -----END PGP SIGNATURE-----
>>
>
>
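Added example, not code from anyone in this thread: the script below rebuilds the mechanism the design above rests on, a setgid directory (chmod 2770, shown by ls as drwxrws---) whose group is inherited by every file created inside it, such as the fresh pubring.gpg that gpg writes during an import. It does not need the thread's accounts (admin, test1, groupAdmin, groupTest1); it works in a scratch directory from mktemp with the caller's own primary group and, if id -G lists one, a secondary group, so that the inheritance is visible rather than trivially true. One caveat worth checking on the real layout: gpg inspects the homedir and its configuration files and prints "unsafe permissions" / "unsafe ownership" warnings when they are group- or world-accessible or owned by another user (silenced only with --no-permission-warning), so a shared, group-writable homedir like gpgshare will trigger them.

```sh
#!/bin/sh
# Added example (not from the thread): a setgid directory hands its group to
# every file created inside it. Assumes an unprivileged user and a scratch
# directory; the thread's users/groups are replaced by the caller's own.

# numeric gid of a path, via ls -n (portable across GNU and BSD userlands)
gid_of() {
    ls -lnd "$1" | awk '{ print $4 }'
}

# the group-execute slot of ls -l output: 's' or 'S' when setgid is set
setgid_flag() {
    ls -ld "$1" | cut -c7
}

# Build the scratch layout: gpgshare/ with a shared keyring and a setgid
# test1_pubring_temp/ that belongs to a different group when one is available.
# Prints the scratch root.
setup_layout() {
    root=$(mktemp -d) || return 1
    mkdir "$root/gpgshare" "$root/gpgshare/test1_pubring_temp"
    printf 'constructed stand-in for pubring.gpg\n' > "$root/gpgshare/pubring.gpg"
    chmod 0664 "$root/gpgshare/pubring.gpg"         # -rw-rw-r-- as in the listing
    chmod 2775 "$root/gpgshare"                     # group-writable, setgid, like gpgshare
    # Give the temp dir a secondary group if the caller has one (id -G lists
    # the primary group first), so the inheritance below is visible.
    secondary=$(id -G | awk '{ if (NF > 1) print $2 }')
    if [ -n "$secondary" ]; then
        chgrp "$secondary" "$root/gpgshare/test1_pubring_temp" 2>/dev/null || true
    fi
    chmod 2770 "$root/gpgshare/test1_pubring_temp"  # drwxrws--- (setgid)
    printf '%s\n' "$root"
}

# Simulate what gpg does when test1 imports a key inside the temp dir: it
# writes a brand new keyring file. The kernel creates that file with the
# directory's group because of the setgid bit, whatever the writer's primary
# group is. Prints "inherited" when the new file's gid matches the directory's.
import_in_temp() {
    tmp="$1/gpgshare/test1_pubring_temp"
    printf 'constructed keyring after import\n' > "$tmp/pubring.gpg"
    if [ "$(gid_of "$tmp/pubring.gpg")" = "$(gid_of "$tmp")" ]; then
        echo inherited
    else
        echo not-inherited
    fi
}

# Copy the result back the way the thread does (cp -p) and print the gid the
# shared keyring ends up with. cp -p restores the source's owner and group only
# when the copying user may chown to them (a member of that group, or root);
# for a non-root user GNU cp silently skips that step otherwise.
write_back() {
    cp -p "$1/gpgshare/test1_pubring_temp/pubring.gpg" "$1/gpgshare/pubring.gpg"
    gid_of "$1/gpgshare/pubring.gpg"
}

root=$(setup_layout)
echo "temp dir setgid flag: $(setgid_flag "$root/gpgshare/test1_pubring_temp")"
echo "import in temp dir:   $(import_in_temp "$root")"
echo "shared pubring gid:   $(write_back "$root") (temp dir gid $(gid_of "$root/gpgshare/test1_pubring_temp"))"
rm -rf "$root"
```

Run it as a plain user. The last three lines print the setgid flag of the temp directory, whether the keyring created there inherited the directory's group, and the gid the shared pubring.gpg carries after cp -p next to the temp directory's gid; whether those two match on your system tells you whether the copying user is allowed to take over the group, which is the step the write-back in the thread depends on.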


More information about the Gnupg-users mailing list