drwxrws--- admin:groupAdmin 1600 6 août 16:38 test1_pubring_temp (set gid)
-> drwxrws--- test1:groupAdmin 1600 6 août 16:38 test1_pubring_temp (set gid)

Sorry
Truc

On Thu, Aug 7, 2014 at 4:18 PM, Sieu Truc <[email protected]> wrote:
> Special thanks to Peter's idea, I finally got a solution:
>
> I describe the full problem and my goal again:
> I have 3 types of users and each user belongs to one specific group as
> follows:
> "admin" can do anything (add/remove secret or public keys)
> "test1 (groupTest1)" can only manipulate public keys (no operation with
> secret keys)
> "test2 (groupTest2)" can use only gpg --encrypt/sign/decrypt so he
> doesn't touch any key management action.
> And I have only root, so I set the access permissions only one time when
> setting up the product, typically the gpg folder and its components.
>
> And my design (maybe not so good) for those purposes is like:
>
> gpgshare drwxrwxsr-x admin groupTest1
> -rw-r--r-- admin:groupTest1 42 6 août 16:29 gpg-agent.conf
> -rw-r--r-- admin:groupTest1 7960 6 août 16:29 gpg.conf
> -rw-rw-r-- admin:groupTest1/test1:groupAdmin 9269 6 août 16:38 pubring.gpg
> -rw-rw---- admin:groupTest1 600 6 août 16:35 random_seed
> -rw-rw-r-- admin:groupTest1 1600 6 août 16:38 trustdb.gpg
> drwxr-sr-x admin:groupTest1 1600 6 août 16:38 secfolder (set gid)
> -rw-r--r-- admin:groupTest1 2851 6 août 16:35 secfolder\secring.gpg
> drwxr-s--- admin:groupTest1 1600 6 août 16:38 admin_pubring_temp (set gid)
> drwxrws--- admin:groupAdmin 1600 6 août 16:38 test1_pubring_temp (set gid)
>
> So every time test1 imports a public key, he copies pubring to the
> test1_pubring_temp folder and overwrites the result to the original
> pubring.gpg. At that time, this new pubring has the access permissions
> like "test1:groupAdmin" (groupAdmin is inherited from the
> test1_pubring_temp folder with setgid). So admin and test can manipulate
> pubring at the same time.
> And similarly, if admin imports a public key, the final pubring.gpg has
> "admin:groupTest1" (groupTest1 is set from the admin_pubring_temp folder
> with setgid)
>
> (here I use cp -p)
>
> Of course, the permission numeric mode can be set via chmod (they can do
> so because they are owners of the files).
>
> Thank you.
>
> Truc
>
> On Thu, Aug 7, 2014 at 3:01 PM, Kristian Fiskerstrand <[email protected]> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA512
>>
>> On 08/07/2014 02:58 PM, Peter Lebbing wrote:
>> > On 07/08/14 14:34, Sieu Truc wrote:
>> >> No need to say sorry, I really appreciate your help.
>> >
>> >> ..
>> >>
>> >> And I have a question to you and Werner: how can gpg change the
>> >> user ownership of the file? Normally only root can change the
>> >> ownership.
>>
>> I've not read the entire thread, but has the possibility of using
>> subkeys (different signing subkey for each participant and shared
>> encryption subkey that is rotated regularly) been considered for this
>> setup? As for the ability to add keys to the public key this seems
>> sub-optimal, what should be important is the validity of
>> aforementioned keys. This would be solved by using a Certificate
>> Authority (depending on the number of people that can add to it,
>> either a stand-alone CA or the primary key itself).
>>
>> - --
>> - ----------------------------
>> Kristian Fiskerstrand
>> Blog: http://blog.sumptuouscapital.com
>> Twitter: @krifisk
>> - ----------------------------
>> Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
>> fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
>> - ----------------------------
>> Ad astra per aspera
>> To the stars through thorns
>> -----BEGIN PGP SIGNATURE-----
>>
>> iQIcBAEBCgAGBQJT43itAAoJEPw7F94F4TagtuIQALJvShbdl3TX3RL0C+JcN7qN
>> hG1io8doIHv/0YDgSRnsl+c+4K26+wvO9Jsucj8QL6ryPK1JVyuEv/CHBcYtLEHv
>> JnmlkjPhidbjCBOcHFBxJfAjOCElOgSSDPJpxV4LmDltgDnLwrDo0IuZ9Dr4wSR5
>> xC5Fmb9YvKfW9CiU51A3svH7dYwgHn59TlkAJy1OqsddWDozcPpRTZRWEpt8BHmc
>> QAfOgt1Sh4Cb/u4vXt1cMMWREZZaw4S/nytnBoQ40fH05r5cPNmicryNkrXrmAI0
>> BGjseLYdHmfIPCLYpToGBjIIwpCfHapWzVrwMy2reNwCiMM05GQNh9LrEogxN5GN
>> cmqStzbKlYLTWHn9VLXtcfPak74dDHwEV0s01fAArWrHNUP36QceJNPRxO7k+cVK
>> oLlBllru6HHoKt5sPH1qqN5BZQslT9P+dk/MGIYuhT/Xbl+UooywzNGGL9IIijLS
>> dVoVy9mKt+jWkYjoGeXcu1xloAebvjmNGMaU+Ali0VdeXEUhDKq/yX821ERvF3PR
>> HWy2HX+wZTGuQnwg+RJVyD5cbdquhuozfCaBBVy2Cj3bLQJCRRDtJ9Mgv/9AAttF
>> erPt0S4h4EVLSy8wbZZHUVaDsrcQvhz0ntpbi7EA47Jn4F0UFfjSyYxwa11TfHbC
>> GSWpMhnNt7+SoSysJjcr
>> =Guy+
>> -----END PGP SIGNATURE-----
_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
