Paul L. Snyder on 27 Jul 2005 19:35:57 -0000

RE: [PLUG] GPG question/problem


Quoting George Gallen <ggallen@slackinc.com>:

> I thought about sudo running the script as myself, which should
> probably work. I just hoped there was a workaround with the switches.
> 
> I tried --keyring and --homedir, but I still get the permissions error.
> So...I guess I'll give sudo a try next.

You're probably getting permission denied because your ~/.gnupg directory
is set with 700 permissions...which is good.  You don't really want to
let just anyone poke around where you're storing your secret keyring.
You're probably better off trying to figure out the permissions problem
than using sudo.  If you get permissions wrong on the script that you're
letting others run via sudo you've just created a security hole.

Create a new directory in your home directory (for example) with 755
permissions (or 750 if you want to limit access to the script to a
particular group).  Presumably, since you've given some people r-x
access to the script, you already have a directory with suitable
permissions.  Note that users who try to run the script will need
execute permissions on all the directories in the path above the
keychain file.  (This is why they can't get to your public keychain,
even if you've set permissions on the file...other users don't have
'x' on your .gnupg directory.)

Use gpg --export to export the key that everyone will need to access
into a new public keyring, and place that keyring in the new directory
or in the directory with the script.  Make sure the folks who are going
to run the script have read permissions for this one-key keyring.

In your script, add switches that look something like

  --keyring /home/ggallen/publicdir/scriptring.gpg --no-default-keyring

to your gpg command.

Haven't tested the above, but something along those lines is probably
what you are looking for.

pls
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
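An added example, not part of the original thread: a POSIX shell script that builds the layout Paul describes (a 700 ~/.gnupg beside a 755 publicdir holding a one-key keyring) under a temporary directory, then checks the condition he points out, namely that another account needs read permission on the keyring file and execute permission on every directory above it. The checker reads mode strings from `ls -ld` so it runs on GNU and BSD userlands alike. The directory and file names and the RECIPIENT placeholder are assumptions, and the gpg commands are only printed rather than run, since the demo keyrings are empty files.

```shell
#!/bin/sh
# Added example, not from the original thread.  Directory and file names
# and the RECIPIENT placeholder are assumptions chosen to mirror Paul's
# description of a 700 ~/.gnupg beside a 755 "publicdir".

# path_readable_by_others FILE [BASE]
# Returns 0 if "other" users have read permission on FILE and execute
# permission on every directory from dirname(FILE) up to BASE (default /),
# which is what another account needs before gpg can open the keyring.
# Mode strings come from `ls -ld`, so no GNU- or BSD-specific stat flags.
path_readable_by_others() {
    file=$1
    base=${2:-/}
    mode=$(ls -ld "$file" | cut -c1-10)
    case $(printf '%s' "$mode" | cut -c8) in           # "other" read bit
        r) ;;
        *) echo "not world-readable: $file ($mode)"; return 1 ;;
    esac
    dir=$(dirname "$file")
    while :; do
        mode=$(ls -ld "$dir" | cut -c1-10)
        case $(printf '%s' "$mode" | cut -c10) in      # "other" execute bit
            x|t) ;;
            *) echo "no o+x on $dir ($mode): other users cannot traverse it"; return 1 ;;
        esac
        [ "$dir" = "$base" ] && break
        parent=$(dirname "$dir")
        [ "$parent" = "$dir" ] && break                 # reached /
        dir=$parent
    done
    return 0
}

# setup_demo
# Builds a constructed home directory under a temp dir and prints its path:
#   .gnupg/pubring.gpg        700 dir, 600 file  (the private setup, untouched)
#   publicdir/scriptring.gpg  755 dir, 644 file  (the one-key ring for the script)
setup_demo() {
    root=$(mktemp -d) || return 1
    chmod 755 "$root"                    # mktemp -d creates it 700
    mkdir -m 700 "$root/.gnupg"
    mkdir -m 755 "$root/publicdir"
    : > "$root/.gnupg/pubring.gpg";       chmod 600 "$root/.gnupg/pubring.gpg"
    : > "$root/publicdir/scriptring.gpg"; chmod 644 "$root/publicdir/scriptring.gpg"
    printf '%s\n' "$root"
}

main() {
    root=$(setup_demo) || exit 1
    for ring in "$root/.gnupg/pubring.gpg" "$root/publicdir/scriptring.gpg"; do
        if path_readable_by_others "$ring" "$root"; then
            echo "reachable by other users: $ring"
        fi
    done
    # The two commands the owner and the shared script would run.  Only
    # printed here because the demo rings are empty; RECIPIENT is a placeholder.
    ring="$root/publicdir/scriptring.gpg"
    echo "owner, once:   gpg --export RECIPIENT > $ring"
    echo "shared script: gpg --no-default-keyring --keyring $ring --encrypt --recipient RECIPIENT file"
    rm -rf "$root"
}

main
```

Running it reports the publicdir ring as reachable and the ~/.gnupg ring as blocked at the 700 directory, which is the permission error George is hitting: the file mode on pubring.gpg never gets consulted because the other account cannot traverse .gnupg in the first place.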