On 06/08/14 16:57, Sieu Truc wrote:
> -rw-rw-rw-. 1 Test1 groupTest2  600 6 août 16:35 random_seed
> -rw-r--r--. 1 Test1 groupTest2 2851 6 août 16:35 secring.gpg
> -rw-rw-rw-. 1 Test1 groupTest2 1600 6 août 16:38 trustdb.gpg

These three sound rather insecure, especially the world-writable stuff?! That's pretty extreme. That opens you up to bugs in a lot of services, not to mention that I think most developers develop with the expectation that world-readable stuff does not need to be protected from reading by anybody / any service, so they're not very vigilant about that either.

> Can you suggest to me any solution that will preserve the
> permission/user/group as it was set originally.

My strong suggestion would be to change the process, giving each user their own secret keyring. Can't you script a secret key import that would import for both users?

Alternatively, and I'm not really in favour of this but it's your setup, the man-pages for gpg and gpg2 mention:

> --preserve-permissions
> Don't change the permissions of a secret keyring back to user
> read/write only. Use this option only if you really know what you
> are doing.

But I would strongly suggest not making the three files mentioned world-readable, let alone world-writable. There is no need at all to share random_seed, so I would definitely give each user their own copy of that for simplicity. It is written much more often than secring.gpg. I think trustdb.gpg is, or might also be, written on public key import.

If you fiddle with access permissions, you need to really think about what you're doing. Your world-writable access makes me suspect you haven't thought well about all the implications, so --preserve-permissions might be a great way to shoot yourself in the foot.

I suppose you're using GnuPG for some kind of protection against something nefarious, because I wouldn't know what else it is for (a really over-the-top checksum? :). If you then kill off security in another way, you only get a warm feeling, but so will your attacker, when he uses a filesystem-traversal bug in some program running on the same machine.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
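The audit and clean-up Peter describes, as an added example that is not part of the original thread: a small POSIX sh script that reports any entry under a GnuPG home directory with group or other bits set, restores the 700/600 modes gpg itself would enforce, and shows how to give a user their own keyring by importing an exported key into a private --homedir. It assumes GNU or BSD find (for -perm /mode) and a gpg binary on PATH for the import helper only.

```shell
#!/bin/sh
# Added example, not code from the gnupg-users thread. Audits and hardens a
# GnuPG home directory so that keyrings, random_seed and trustdb.gpg are never
# readable or writable by group or other users on the same machine.

# Print every entry under $1 whose mode grants anything to group or other.
# Returns 0 when the directory is clean, 1 when at least one entry is exposed.
audit_gnupg_home() {
    dir="$1"
    # -perm /077 matches when ANY of the group/other bits are set
    # (GNU and modern BSD find). The directory itself is checked too.
    exposed=$(find "$dir" -perm /077 2>/dev/null)
    if [ -n "$exposed" ]; then
        printf 'exposed entries in %s:\n%s\n' "$dir" "$exposed"
        return 1
    fi
    return 0
}

# Put the modes back to what gpg sets on its own unless --preserve-permissions
# is given: 700 on directories, 600 on every regular file.
harden_gnupg_home() {
    dir="$1"
    chmod 700 "$dir" || return 1
    find "$dir" -type f -exec chmod 600 {} + || return 1
    find "$dir" -mindepth 1 -type d -exec chmod 700 {} + || return 1
    return 0
}

# Give a user their own secret keyring instead of sharing one: run this as
# that user, with $2 an exported key file. gpg creates the home dir with
# private permissions; we still force 700 in case it already existed.
# Assumed for illustration; it is not exercised by the checks below.
import_into_own_home() {
    home="$1"
    keyfile="$2"
    mkdir -p "$home" && chmod 700 "$home" || return 1
    gpg --homedir "$home" --batch --import "$keyfile"
}
```

Run audit_gnupg_home on each user's ~/.gnupg from a cron job or config-management check to catch a shared keyring drifting back to world-writable.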
