How to preserve the permission/owner/group owner on the pubring.gpg, secring.gpg and trustdb.gpg

Peter Lebbing peter at digitalbrains.com
Thu Aug 7 20:54:37 CEST 2014


Glad you could work it out. I still think the best solution lies
somewhere else, not sharing secring and having only one account update
pubring (or not sharing pubring).

But I have an important, but simple modification to your scheme.

Don't share anything else but pubring.gpg and secring.gpg. It's really
unnecessary and should be avoided. Include lines like

no-default-keyring
keyring /path/to/shared/pubring.gpg
secret-keyring /path/to/shared/secring.gpg

in each user's gpg.conf and don't share the other files.

I couldn't properly grasp your plan, so I have no comment on that. As
long as world-readable/writable secret files are out the window, it
seems a major improvement ;).

Oh! I just thought of something! If you include the following:

/home/admin/.gnupg/gpg.conf:
no-default-keyring
keyring /writable/by/admin/pubring.gpg
keyring /writable/by/test1/pubring.gpg
primary-keyring /writable/by/admin/pubring.gpg

/home/test1/.gnupg/gpg.conf:
no-default-keyring
keyring /writable/by/admin/pubring.gpg
keyring /writable/by/test1/pubring.gpg
primary-keyring /writable/by/test1/pubring.gpg

/home/test2/.gnupg/gpg.conf:
no-default-keyring
keyring /writable/by/admin/pubring.gpg
keyring /writable/by/test1/pubring.gpg

Then both admin and test1 can have their own writable pubrings which are
only readable by other users, and the users see the total of all keys in
either pubring.

This still leaves secring which is much simpler, since only admin needs
write access. Also, I don't think secrings stack like pubrings do, so
you couldn't do this.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
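An added example, not part of Peter's message or of GnuPG itself: a POSIX shell script that writes the three gpg.conf files in the layout he sketches (admin and test1 each with their own primary-keyring, test2 read-only with none) and then audits the mode bits of the shared keyring files, flagging a secring that other accounts can read or a pubring that other accounts can write. The keyring paths, the account names admin/test1/test2 and the temporary directory are constructed stand-ins for the real shared files; the script does not invoke gpg.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: builds the per-user
# gpg.conf layout described above and audits the shared keyring modes.
# All paths are constructed placeholders under a temporary directory.

# write_gpg_conf CONFDIR PRIMARY RING...
# Writes CONFDIR/gpg.conf containing no-default-keyring, one "keyring"
# line per RING and, when PRIMARY is non-empty, a "primary-keyring" line.
# A read-only account (test2 above) passes "" as PRIMARY.
write_gpg_conf() {
    confdir=$1; primary=$2; shift 2
    mkdir -p "$confdir"
    chmod 700 "$confdir"               # GnuPG warns on a lax homedir mode
    {
        echo "no-default-keyring"
        for ring in "$@"; do
            echo "keyring $ring"
        done
        if [ -n "$primary" ]; then
            echo "primary-keyring $primary"
        fi
    } > "$confdir/gpg.conf"
}

# mode_string FILE -> the ten-character mode column of ls(1), e.g. -rw-r-----
# (portable: does not rely on GNU stat).
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# readable_by_others FILE -> status 0 if the group or other read bit is set.
# A secring.gpg must never satisfy this.
readable_by_others() {
    case $(mode_string "$1") in
        ????r*|???????r*) return 0 ;;
    esac
    return 1
}

# writable_by_others FILE -> status 0 if the group or other write bit is set.
# Neither a shared pubring nor a secring should satisfy this: only the
# owning account writes to its own ring.
writable_by_others() {
    case $(mode_string "$1") in
        ?????w*|????????w*) return 0 ;;
    esac
    return 1
}

# audit_layout SHAREDDIR: prints one verdict per *.gpg file in SHAREDDIR.
audit_layout() {
    for ring in "$1"/*.gpg; do
        name=$(basename "$ring")
        case $name in
            secring*)
                if readable_by_others "$ring"; then
                    echo "FAIL $name: secret keyring readable by other users"
                else
                    echo "ok   $name: secret keyring private to its owner"
                fi ;;
            *)
                if writable_by_others "$ring"; then
                    echo "FAIL $name: public keyring writable by other users"
                elif readable_by_others "$ring"; then
                    echo "ok   $name: readable by all, writable only by owner"
                else
                    echo "warn $name: other users cannot read this ring"
                fi ;;
        esac
    done
}

demo() {
    base=$(mktemp -d)
    shared=$base/shared
    mkdir -p "$shared"
    # Constructed stand-ins for the real keyring files.
    : > "$shared/admin-pubring.gpg"; chmod 644 "$shared/admin-pubring.gpg"
    : > "$shared/test1-pubring.gpg"; chmod 644 "$shared/test1-pubring.gpg"
    : > "$shared/secring.gpg";       chmod 600 "$shared/secring.gpg"

    write_gpg_conf "$base/admin/.gnupg" "$shared/admin-pubring.gpg" \
        "$shared/admin-pubring.gpg" "$shared/test1-pubring.gpg"
    write_gpg_conf "$base/test1/.gnupg" "$shared/test1-pubring.gpg" \
        "$shared/admin-pubring.gpg" "$shared/test1-pubring.gpg"
    write_gpg_conf "$base/test2/.gnupg" "" \
        "$shared/admin-pubring.gpg" "$shared/test1-pubring.gpg"

    for u in admin test1 test2; do
        echo "== $base/$u/.gnupg/gpg.conf"
        cat "$base/$u/.gnupg/gpg.conf"
    done
    audit_layout "$shared"
}

demo
```

The audit reads the mode column from ls so it behaves the same on Linux and BSD systems; a pubring that is shared read-only should show up as "ok", and anything that lets a second account read secring.gpg or write another account's pubring is reported as "FAIL".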


