Unable to run GPG from PHP gpg: WARNING: unsafe ownership on homedir
Roberto Martinez
rmartinez at netcontac.com
Thu Dec 20 22:56:51 CET 2012
> Hi Roberto!
>
> On 12/20/2012 02:32 PM, Roberto wrote:
>> I made and script in PHP to encrypt information with GPG. It works fine
>> until I move it from a Plesk server to a cPanel server. I adjusted
>> paths, permissions and users but I get this errors:
>
> is your web server user running as the same user account you expect it
> to be?
Yes
However, certainly I am missing something. If you suggest a check list, it
would make me very happie.
often, on shared servers, the web server runs as www-data or
> some other user. Fortunately, www-data does not have write privileges
> inside other users' gnupg home directories. And making ~/.gnupg
> writable by www-data would open your account up to a whole new level of
> other problems if anyone else can write scripts that run as the web
> server user.
>
> I suspect what you want is to get the web server to run as a dedicated
> user specifically for your account. I don't know how to do that from
> within cpanel (and i'm sure you can find a better cpanel forum than
> gnupg-users).
>
>> $command = "echo ". $message ." | ". $gnupg ." -a -t --batch
>> --no-secmem-warning --homedir ". $gnupghome ." -e -r ". $uid ."
>> --compress-algo 1 --cipher-algo cast5";
>
> I understand that this is a test script, so i will not enumerate the
> ways in which the above can go horribly wrong if any of the relevant
> variables are replaced by user-supplied data. I just hope you don't
> plan on using anything like this in production. Shell script injection
> vulnerabilities are bad news.
You are right, I simplify the command for testing purposes, but again, any
security advice is welcome.
>
> Do the above explanations and concerns make sense?
>
> Good luck with your project!
>
> Regards,
>
> --dkg
More information about the Gnupg-users
mailing list