How to authenticate permissions of a local user?
Art Hampton
arth@pacsg.css.mot.com
Wed, 16 Jun 1999 14:11:32 -0500
> Passphrases are really intended to certify the identity of the user running
> the command - and need to be interactive. There *is* an option "--passphrase-fd"
> which allows you to specify that the passphrase should be read from that
> (numeric) FD, but the documentation *also* says "Don't use this option if
> you can avoid it". Since you say you'd put the passphrase in a file only
> readably by the SUID script, an alternative would be to use a key *without*
> a passphrase stored in a keyring only readable by the SUID script. This is
> equivalent in terms of the protection it gives.
I didn't realize (or forgot) that you could create a key without a
passphrase.
I tried that method (passphrase in a keyring only readable by the setuid
script), and I got:
gpg: Ohhhh jeeee: ... this is a bug (rndunix.c:731:gather_random)
Within rndunix.c, it is intentionally bailing out because of my attempt
to use it in a setuid script:
    /* make sure we are not setuid */
    if( getuid() != geteuid() )
        BUG();
So I'm left with the somewhat more cumbersome --passphrase-fd (which I
haven't yet tried, but hopefully I'll be more successful).
I'm sorry that I completely overlooked this option (--passphrase-fd) and
bugged the list....
Thanks for your help David.
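The two mechanisms discussed in this exchange, as an added example in C that is not part of the original mail or of GnuPG's source: the same real-versus-effective uid test that rndunix.c uses to refuse running under setuid, and the --passphrase-fd idea of handing a secret to a program on an inherited file descriptor rather than on the command line (where any user could read it from ps) or in a file. The function names and the pipe-based round trip are this example's own; the passphrase value is constructed.

```c
/* Added example, not from the original mail or from GnuPG. Names such as
 * running_setuid() and read_secret_from_fd() are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* The same check GnuPG's rndunix.c makes: real and effective uid differ
 * only when the binary was started through a setuid wrapper. */
int running_setuid(void)
{
    return getuid() != geteuid();
}

/* Read one line from fd into buf (at most bufsize-1 bytes), drop the
 * trailing newline and return the number of bytes kept, or -1 on a read
 * error. This is the --passphrase-fd pattern: the secret never appears in
 * argv and never has to sit in a world-readable file. */
ssize_t read_secret_from_fd(int fd, char *buf, size_t bufsize)
{
    size_t n = 0;
    while (n + 1 < bufsize) {
        char c;
        ssize_t r = read(fd, &c, 1);
        if (r < 0)
            return -1;
        if (r == 0 || c == '\n')
            break;
        buf[n++] = c;
    }
    buf[n] = '\0';
    return (ssize_t)n;
}

/* Overwrite a secret through a volatile pointer so the compiler cannot
 * drop the store as a dead write before the buffer goes out of scope. */
void wipe_secret(char *buf, size_t len)
{
    volatile char *p = buf;
    while (len--)
        *p++ = 0;
}

/* Demonstration helper: push a constructed passphrase through a pipe and
 * read it back the way a child process would on its inherited fd.
 * Returns 0 on success, -1 on any failure. */
int roundtrip_via_pipe(const char *secret, char *out, size_t outsize)
{
    int pfd[2];
    if (pipe(pfd) != 0)
        return -1;
    size_t len = strlen(secret);
    if (write(pfd[1], secret, len) != (ssize_t)len || write(pfd[1], "\n", 1) != 1) {
        close(pfd[0]);
        close(pfd[1]);
        return -1;
    }
    close(pfd[1]);                       /* writer done: reader sees EOF after the line */
    ssize_t got = read_secret_from_fd(pfd[0], out, outsize);
    close(pfd[0]);
    return got < 0 ? -1 : 0;
}

int main(void)
{
    if (running_setuid()) {
        fprintf(stderr, "refusing to run setuid: real uid %ld != effective uid %ld\n",
                (long)getuid(), (long)geteuid());
        return 1;
    }
    char pass[128];
    /* constructed sample value, not a real credential */
    if (roundtrip_via_pipe("constructed-example-passphrase", pass, sizeof pass) != 0) {
        perror("roundtrip_via_pipe");
        return 1;
    }
    printf("read %zu bytes of passphrase from the pipe\n", strlen(pass));
    wipe_secret(pass, sizeof pass);
    return 0;
}
```

In a real wrapper the parent would open the pipe, fork, and pass the read end's number to the child (gpg --passphrase-fd N), closing the write end in the child so the descriptor reaches EOF; the buffer-size cap in read_secret_from_fd is what keeps an over-long line from overrunning the destination.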