gpg im CGI Script

Stefan Suurmeijer stefan@symbolica.nl
Wed, 5 Jul 2000 20:07:14 +0200 (CEST) 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 5 Jul 2000, Billy Donahue wrote:


> On Wed, 5 Jul 2000, Dr. Bodo Zimmermann wrote:

> 

> > In a CGI-Script (named gpg.pl, e.g.) I have called:

> >

> > system "gpg -se -r dozi /tmp/TEST";

> >

> > After   https://dozi2/cgi-bin/gpg.pl

> >

> > I got in  error_log des httpd:

> >

> > gpg: Warning: using insecure memory!

> > gpg: fatal: ~/.gnupg: canīt create directory: no such file or directory

> > secmem usage: 0/0 bytes in 0/0 blocks of pool 0/16384

> 

> First of all, "chmod +s /usr/local/bin/gnupg"..

> Then it will use secure memory.

> Can't find or create ~/.gnupg because what's '~' ($HOME)?

> What user is this CGI running as?  Give that user a home with a ~/.gnupg

> directory or something... Where were you planning on storing the keys

> if not there? What about a passphrase?

>


Hmm, SUID root (chmod +s) can be dangerous as recent exploits have
shown. Adding no-secmem-warning to your .gnupg/options file is a valid
alternative for getting rid of the secure memory message. 
 

> > What should I do in order to get /tmp/TEST.gpg

> > which I got when running the CGI script directly from command line?

> 

> Well, you were running as yourself on the command line... and you HAVE

> a ~/.gnupg directory.

> 

> > P.S. My idea is, to make an "upload"  of plain text via an SSL secured browser

> > an encrypt the uploaded file /tmp/TEST immediately after the upload, then

> > deleting  the plain file /tmp/TEST

> >

> > I know there is a securty hole, but as long as WIN-gnupg doesn`t work ......

> 

> Geez.. that's about as bad a hole as they come...

> Look at the permissions on the /tmp directory...

> At least make a dedicated, restricted directory for this TEST file.

> Better yet, don't write it to disk at all... GnuPG is perfectly

> happy taking a pipe from stdin.  Keep the file contents in RAM

> and print it to GnuPG's standard input.

> 


I have to agree with this all the way though... ;-)


Stefan Suurmeijer


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE5Y3lbwVt5lhn5J64RArl9AKCRGC9Q631Mb+zAnSFtBSSJaSs/ugCfZDpB
J6tE9BtwVxChg09zRp4ljf0=
=ciVz
-----END PGP SIGNATURE-----