Setting up shared access to gpg on a UNIX server

Peter Lebbing peter at digitalbrains.com
Thu Jan 30 11:49:47 CET 2014


On 30/01/14 02:14, DUELL, BOB wrote:
> On my server, I created a directory named /opt/app/apps/dbmprod/gpg and set
> the permissions to global access (777).

> I set the permission on all the files in this directory to allow global
> "read" access (744).

If you're trying to achieve by the 744 what I think you're trying to achieve,
namely that users can't change the files, I think you're mistaken[1]. Look at
the following session I just did[2]:

---------------------8<------------->8---------------------

$ ll -R
.:
total 4
drwxrwxrwx 2 root root 4096 Jan 30 11:40 gpg

./gpg:
total 4
-rwxr--r-- 1 root root 17 Jan 30 11:40 gpg.conf
$ cd gpg
$ cat gpg.conf
intended content
$ echo "unwanted addition" >>gpg.conf
bash: gpg.conf: Permission denied
$ cp -a gpg.conf gpg.conf.new
$ echo "unwanted addition" >>gpg.conf.new
$ mv gpg.conf.new gpg.conf
mv: try to overwrite ‘gpg.conf’, overriding mode 0744 (rwxr--r--)? y
$ cat gpg.conf
intended content
unwanted addition
$ ll
total 4
-rwxr--r-- 1 peter peter 35 Jan 30 11:42 gpg.conf

---------------------8<------------->8---------------------

The thing is, you're not allowed to change any files, but you are allowed to
replace those files by your own. The sticky bit might help, but I'm not sure.
gpg does stuff with a bunch of files in the homedir, and I suspect that some
might need the permission to overwrite files one of your other users created.

I haven't thought about the rest of your setup; this is just one issue that
stood out to me, so I commented on that.

HTH,

Peter.

[1] Additionally, why are all files executable?
[2] ll is shorthand for "ls -l"

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
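
The check Peter is describing, as an added example that is not part of the original thread or of GnuPG: a POSIX shell audit of a GnuPG homedir for exactly the conditions above (a world-writable directory, a missing sticky bit, files others can write, files that are executable for no reason, and entries owned by someone other than the directory owner, which is the trace a replaced file leaves behind). The function names are mine; the directory path in the usage line is the one from Bob's quoted message.

```shell
#!/bin/sh
# Added example, not code from the original thread or from GnuPG.
# Audits a GnuPG homedir for the permission problems discussed above.
# Needs only POSIX sh plus find, ls, awk and sed.

# report LABEL LINES: print each line of LINES prefixed with LABEL;
# return 1 (without printing) when LINES is empty.
report() {
    [ -n "$2" ] || return 1
    printf '%s\n' "$2" | sed "s|^|$1: |"
}

# check_gpg_home DIR: print findings; return 0 when clean, 1 when not,
# 2 when DIR is not a directory.
check_gpg_home() {
    dir=$1
    [ -d "$dir" ] || { echo "error: $dir is not a directory" >&2; return 2; }
    found=0

    # 1. The directory entry itself. "-prune" stops find at DIR, so the
    #    tests apply to the directory, not to what it contains. A directory
    #    writable by others lets anyone create, rename and unlink entries,
    #    which is how gpg.conf was replaced in the session above.
    report "dir world-writable" "$(find "$dir" -prune -perm -o+w)" && found=1
    # The sticky bit (octal 1000) restricts rename/unlink to the entry's
    # owner. It blocks the cp/mv replacement, but not dropping extra files.
    report "dir world-writable without sticky bit" \
        "$(find "$dir" -prune -perm -o+w ! -perm -1000)" && found=1

    # 2. Files others can write to directly ("777 on everything").
    report "file world-writable" "$(find "$dir" -type f -perm -o+w)" && found=1

    # 3. Files with any execute bit: config and keyring files should not be
    #    executable (footnote [1] above).
    report "file executable" \
        "$(find "$dir" -type f \( -perm -u+x -o -perm -g+x -o -perm -o+x \))" \
        && found=1

    # 4. Entries not owned by the directory owner. A file another user moved
    #    into place keeps that user's ownership, as the final "ll" output in
    #    the session shows (root -> peter).
    owner=$(ls -ld "$dir" | awk '{print $3}')
    report "owned by someone else" "$(find "$dir" ! -user "$owner")" && found=1

    return "$found"
}

# fix_gpg_home DIR: the conventional single-owner layout that gpg itself
# expects (owner-only directory, non-executable owner-only files). This is a
# per-user fix, not a design for the shared access the thread is about.
fix_gpg_home() {
    chmod 700 "$1" && find "$1" -type f -exec chmod 600 {} +
}

# Usage, with the directory from the quoted message:
#   check_gpg_home /opt/app/apps/dbmprod/gpg
```

Run against a directory set up the way Bob describes (777 on the directory, 744 on the files) the audit reports the world-writable directory, the missing sticky bit and the executable files; adding the sticky bit clears only the second of those, which is the limited help Peter alludes to.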


