Re: private-keys-v1.d and preserve-permissions

2020-09-10 Thread Werner Koch via Gnupg-users
On Thu, 10 Sep 2020 10:34, Martin Pätzold said:
> the keys, therefore we had to extend the permissions for the
> "private-keys-v1.d" directory to group access.

I see. Just a hint: You may use the remote socket feature to run gpg-agent under a different account. It might take a bit of effort to

Re: private-keys-v1.d and preserve-permissions

2020-09-10 Thread Martin Pätzold
>>> Long shot: does your system support ACLs?
>>
>> Using ACL would be possible, but we are reluctant to do so, since it
>> adds a second permissions layer that is only visible if you actively
>> look for it.
>
> Perhaps I am not understanding this correctly, but wouldn't that be a
> good thing?

Re: private-keys-v1.d and preserve-permissions

2020-09-10 Thread Jerry
On Thu, 10 Sep 2020 11:13:34 +0200, Martin Pätzold stated:
> >> Yes, we have some period tasks that are handled by Celery. Celery
> >> has its own user on the system and this user needs at least read
> >> access to the keys, therefore we had to extend the permissions for
> >> the "private-keys-v1.d

Re: private-keys-v1.d and preserve-permissions

2020-09-10 Thread Martin Pätzold
>> Yes, we have some period tasks that are handled by Celery. Celery has
>> its own user on the system and this user needs at least read access to
>> the keys, therefore we had to extend the permissions for the
>> "private-keys-v1.d" directory to group access.
>
> Long shot: does your system suppo

Re: private-keys-v1.d and preserve-permissions

2020-09-10 Thread Andrew Gallagher
On 10/09/2020 09:34, Martin Pätzold wrote:
> Yes, we have some period tasks that are handled by Celery. Celery has
> its own user on the system and this user needs at least read access to
> the keys, therefore we had to extend the permissions for the
> "private-keys-v1.d" directory to group access.

Re: private-keys-v1.d and preserve-permissions

2020-09-10 Thread Martin Pätzold
Thanks for the clarification and the patch.

> Is there a special reason that you need to give group access to those
> files?

Yes, we have some period tasks that are handled by Celery. Celery has its own user on the system and this user needs at least read access to the keys, therefore we had t