Hi Roberto!
On 12/20/2012 02:32 PM, Roberto wrote:
I made and script in PHP to encrypt information with GPG. It works fine
until I move it from a Plesk server to a cPanel server. I adjusted
paths, permissions and users but I get this errors:
is your web server user running as the same user account you expect it
to be?
Yes
However, certainly I am missing something. If you suggest a check list, it
would make me very happie.
often, on shared servers, the web server runs as www-data or
some other user. Fortunately, www-data does not have write privileges
inside other users' gnupg home directories. And making ~/.gnupg
writable by www-data would open your account up to a whole new level of
other problems if anyone else can write scripts that run as the web
server user.
I suspect what you want is to get the web server to run as a dedicated
user specifically for your account. I don't know how to do that from
within cpanel (and i'm sure you can find a better cpanel forum than
gnupg-users).
$command = "echo ". $message ." | ". $gnupg ." -a -t --batch
--no-secmem-warning --homedir ". $gnupghome ." -e -r ". $uid ."
--compress-algo 1 --cipher-algo cast5";
I understand that this is a test script, so i will not enumerate the
ways in which the above can go horribly wrong if any of the relevant
variables are replaced by user-supplied data. I just hope you don't
plan on using anything like this in production. Shell script injection
vulnerabilities are bad news.
You are right, I simplify the command for testing purposes, but again, any
security advice is welcome.
Do the above explanations and concerns make sense?
Good luck with your project!
Regards,
--dkg
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
