Searched the archives back through Oct. '05 and didn't see a solution to my problem... Bottom line to problem: If a script running setuid as userA but called by userB contains a GPG command, GPG responds with userB information instead of userA.

I have a perl script 'parseMail_andSubmit_toDB.pl' that is being routed information from a C-wrapper that runs as userA.
-rwsr-sr-x   userA   pass_STDIN_to_parseMail_andSubmit_toDB.exe
The info contained in STDIN is an emailed message with an attached file (encrypted with userA's public key). In parseMail_andSubmit_toDB.pl, I save the attachment to a file and call a second perl script 'decrypt_file.pl'. This script contains userA's passphrase, which I am attempting to use to decrypt the file à la: "cd $dir_containing_file; echo \'${passphrase}\' | /usr/local/share/bin/gpg --passphrase-fd 0 --output ${file_to_decrypt}_cleartext$$ --decrypt $file_to_decrypt".

However GPG responds with:
"cp: cannot create /.gnupg/gpg.conf: Permission denied
gpg: fatal: can't create directory `~/.gnupg': No such file or directory
secmem usage: 0/0 bytes in 0/0 blocks of pool 0/32768"

It is as if GPG knows that userB originated the call (in this case the email daemon which probably doesn't have a /home/daemon and certainly doesn't have GPG keys). So I set up a second test where jchurch (as userB) called the C-wrapper and changed the GPG command in decrypt_file.pl to 'echo \'Calling whoami\'; /usr/ucb/whoami; /usr/local/share/bin/gpg --list-keys' and I received the key info for userB instead of userA. See below.

--------------------------------
pub   1024D/63A468CF 2006-03-23
uid John Church (Second Key working with Joel) <[EMAIL PROTECTED]>
sub   2048g/2D0142AB 2006-03-23

pub   1024D/F3D3D15D 2006-04-03
uid                  razoradm (Razor Administrator) <[EMAIL PROTECTED]>
sub   2048g/B73F17B6 2006-04-03

The key info for userA should have been returned.

Does anyone have any clue as to whether GPG is this smart? I admit to being a newbie to GPG so perhaps I'm doing something stupid. Any suggestions would be appreciated.

Thanks-in-advance,

John_inDenver

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
