Beefy Boxes and Bandwidth Generously Provided by pair Networks
P is for Practical
 
PerlMonks  

Re^6: CGI and GPG, how are you people doing it?

by mr_mischief (Monsignor)
on Apr 08, 2015 at 15:53 UTC ( [id://1122815]=note: print w/replies, xml ) Need Help??


in reply to Re^5: CGI and GPG, how are you people doing it?
in thread CGI and GPG, how are you people doing it?

The proper fix for this is, as I've said elsewhere in the thread, to make the web server run the code as the owner of the files, or perhaps better to have read-only access via shared group membership. You really don't want world writeable files and directories. Even if the only user accounts on the server are for the server daemons, you don't want to expose the the daemons to each others' influence. Plan for defense in depth.

If the only purpose for these files is for the web server and its CGI spawns to access them and you don't want to mess with changing who the CGI scripts run as, then just make a home directory for the web server user and put the GPG keys in that user's home directory. If they are used for absolutely as little as one other thing, then I wouldn't even want the private key readable by the web server. I'd set up a batching system running as the user that gets input from and sends output to the CGI application.

  • Comment on Re^6: CGI and GPG, how are you people doing it?

In Section Seekers of Perl Wisdom

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?

www.com | www.net | www.org
Node Status?
node history
Node Type: note [id://1122815]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others exploiting the Monastery: (3)
As of 2024-04-19 19:06 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found