• Status: Solved

How to make a GnuPG keyring for PHP user

I can use GnuPG to encrypt a file using a PuTTY command line.
However, it won't encrypt from my PHP website (using this line):

system("/usr/bin/gpg --encrypt -ao $crypted -r 'Rhiannon <rhiannon@viva.org.uk>' $plainTxt");

This is probably because php is running as a different user.

I need to create a keyring for the user who owns the php process and fetch the necessary keys to encrypt the data.

Can anybody guide me through this or point me in the direction of good documentation?

I am using Linux command line on shared hosting.
Daizzy-Mae
Asked:
1 Solution
 
uaynebCommented:
PHP should be running as the same user as the www process. Can you ps and see who owns the httpd or apache process?
 
tty2Commented:
This is probably because php is running as a different user.
Use command su:

# su - <php-user>

and do in shell all you need under its UID.
 
tty2Commented:
Sorry for damned text formatting.

> This is probably because php is running as a different user.
Use command su:

# su - <php-user>

and do in shell all you need under its UID.
 
tty2Commented:
It seems that user apache has no shell:

# grep apache /etc/passwd
apache:x:81:81:added by portage for apache:/var/www:/sbin/nologin

OK, there is another way to configure gpg - if everything works under root, do the following:

# cp -rav /root/.gnupg /var/www
# chown -R apache.apache /var/www/.gnupg

Here /var/www is the $HOME for user apache according to /etc/passwd
 
Daizzy-MaeAuthor Commented:
uayneb:

Thank you - what is ps and how do I do it?
 
Daizzy-MaeAuthor Commented:
Hi tty2

How do I find out what $HOME is for user apache?

 
Daizzy-MaeAuthor Commented:
Thank you.

WEBSITE:
Here are the users from the php readout:
<?php
echo system("id");
?>
uid=186655(timetogoveggie.com) gid=100(users) groups=65533(nobody),65534(nogroup) uid=186655(timetogoveggie.com) gid=100(users) groups=65533(nobody),65534(nogroup)

COMMAND LINE:
When I do whoami using PuTTY I get this:
timetogoveggie.com

GnuPG:
I am trying to use keys I created for Rhiannon <rhiannon@viva.org.uk>
 
tty2Commented:
# grep apache /etc/passwd

Fields in /etc/passwd are separated with ":". The second-to-last field is the home directory. The last field is the shell.
 
Daizzy-MaeAuthor Commented:
tty2:

Thank you.

At the risk of sounding like an utter fool, is this what I need to type into the PuTTY command line?

# grep apache /services:webpages:t:i/timetogoveggie.com

It doesn't seem to do anything you see. It is the root directory of our website.
 
Daizzy-MaeAuthor Commented:
tty2

I did this:

<?php
echo($HOME);
?>

and got /root

so should I type this?

# cp -rav /services/webpages/t/i/timetogoveggie.com/.gnupg /root
# chown -R apache.apache /services/webpages/t/i/timetogoveggie.com/.gnupg

I've typed it into the PuTTY command line and hit return and it just moves to the next line without giving any information or an error.
 
tty2Commented:
Don't type "#". It's the prompt sign.
And wait with this directory copying.
Does the directory /services/webpages/t/i/timetogoveggie.com/.gnupg exist? Please show me the result of these two commands:

ls -la /services/webpages/t/i/timetogoveggie.com/.gnupg
ls -la $HOME/.gnupg
 
tty2Commented:
I doubt that "/root" for php is the same as "/root" in the shell.
There is one more way to solve your problem. gpg has a parameter "--homedir", which defaults to $HOME/.gnupg. All you need is to place gpg's config file in a directory accessible to php and specify it as a parameter for gpg

system("/usr/bin/gpg --homedir /some/dir/with/gpg/files ...
 
Daizzy-MaeAuthor Commented:
Thank you tty2, here are the results:

---------------------------------------------------------------------
ls -la /services/webpages/t/i/timetogoveggie.com/.gnupg
ls: /services/webpages/t/i/timetogoveggie.com/.gnupg: No such file or directory

---------------------------------------------------------------------
ls -la $HOME/.gnupg
[timetogoveggie.com@shell1c40 /]$ ls -la $HOME/.gnupg
total 36
drwxrwxrwx    2 timetogo web          4096 Mar 24 12:59 .
drwx--S---   16 timetogo web          4096 Mar 24 14:58 ..
-rw-------    1 timetogo web          8171 Mar 23 06:08 gpg.conf
-rw-r--r--    1 timetogo web          4071 Mar 23 06:32 pubring.gpg
-rw-r--r--    1 timetogo web          3174 Mar 23 06:08 pubring.gpg~
-rw-r--r--    1 timetogo web           600 Mar 24 12:59 random_seed
-rw-r--r--    1 timetogo web          2070 Mar 23 06:32 secring.gpg
-rw-r--r--    1 timetogo web          1280 Mar 23 06:42 trustdb.gpg
 
tty2Commented:
I have checked phpinfo.php on some server, parameter "include_path". There is a directory /usr/share/php/ mentioned. (please check, if you have this directory, too) So, let's copy .gnupg/ to this directory (or you can change it to what you have in "include_path")

cp -rav $HOME/.gnupg /usr/share/php

change owner of this directory to "apache" (check parameter "User/Group" in section "apache2handler")

chown -R apache /usr/share/php/.gnupg

... and try to run gpg with parameter "--homedir"

system("/usr/bin/gpg --homedir /usr/share/php/.gnupg ...
 
Daizzy-MaeAuthor Commented:
Hi tty2

My value for include_path is just "."
(https://secure40.securewebsession.com/timetogoveggie.com/vvfshop/phpinfo.php)

So I should:

1. Copy the folder ".gnupg" (which contains gpg.conf) from the root of my website into a new folder called "gnupg-files".

2. Then go to PuTTY command line and type:

cp -rav $HOME/.gnupg .

3. Then in PuTTY type:

chown -R apache ./gnupg-files/.gnupg

4. Then in PuTTY type:
system("usr/bin/gpg --homedir ./gnupg-files/.gnupg --encrypt -ao $crypted -r 'Rhiannon <rhiannon@viva.org.uk>' $plainTxt")
 
tty2Commented:
1. Copy the folder ".gnupg" (which contains gpg.conf) from the root of my website into a new folder called "gnupg-files".

No. There is no need to do that.

2. Then go to PuTTY command line and type: cp -rav $HOME/.gnupg .

"." means "current directory". What is the current directory for php, which you see in phpinfo (include_path), and for shell, in which you are working when you connect via ssh with putty? They may differ.
Better copy to /usr/local/php/

cp -rav $HOME/.gnupg /usr/local/php/

3. Then in PuTTY type: chown -R apache ./gnupg-files/.gnupg

chown -R apache /usr/local/php/.gnupg

4. Then in PuTTY type: system("usr/bin/gpg --homedir ./gnupg-files/.gnupg --encrypt -ao $crypted -r 'Rhiannon <rhiannon@viva.org.uk>' $plainTxt")

It is not in putty. In putty everything works, as you wrote above (yes?). It is the problematic php command, which you mentioned at the beginning. It must be

system("/usr/bin/gpg --homedir /usr/local/php/.gnupg --encrypt -ao $crypted -r 'Rhiannon <rhiannon@viva.org.uk>' $plainTxt")
 
0
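
An added example, not part of the thread or of tty2's answers: the `id` output above shows PHP running under the same uid as the shell account, so an alternative to copying the whole `.gnupg` directory is a separate `--homedir` that holds only the recipient's public key and is audited before use. The audit flags the two conditions visible in the `ls -la $HOME/.gnupg` listing above (a directory open to everyone and a readable `secring.gpg`). The function names and every path passed to them are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical;
# paths and the recipient are supplied by the caller.

# Create DEST (mode 700) containing only RECIPIENT's public key, exported
# from the keyring in SRC. No secret key material is copied.
make_encrypt_only_homedir() {
    src=$1; dest=$2; recipient=$3
    mkdir -p "$dest" && chmod 700 "$dest" || return 1
    gpg --homedir "$src" --batch --armor --export "$recipient" |
        gpg --homedir "$dest" --batch --import
}

# Print one finding per line. Returns 0 only when DIR is owner-only and
# holds no secret keys (GnuPG 1.x secring.gpg or 2.1+ private-keys-v1.d).
audit_homedir() {
    dir=$1; bad=0
    [ -d "$dir" ] || { echo "missing: $dir"; return 2; }
    loose=$(find "$dir" \( -perm -040 -o -perm -020 -o -perm -010 \
                        -o -perm -004 -o -perm -002 -o -perm -001 \))
    if [ -n "$loose" ]; then
        echo "$loose" | sed 's/^/group-or-world-accessible: /'
        bad=1
    fi
    if [ -s "$dir/secring.gpg" ]; then
        echo "secret-keyring-present: $dir/secring.gpg"; bad=1
    fi
    if [ -d "$dir/private-keys-v1.d" ] &&
       [ -n "$(find "$dir/private-keys-v1.d" -type f -name '*.key')" ]; then
        echo "secret-keys-present: $dir/private-keys-v1.d"; bad=1
    fi
    return "$bad"
}

# Encrypt INFILE to RECIPIENT using only the keyring in DIR. --trust-model
# always is needed because the fresh keyring carries no ownertrust; that is
# acceptable only because it holds one deliberately imported key.
encrypt_with_homedir() {
    dir=$1; recipient=$2; infile=$3; outfile=$4
    audit_homedir "$dir" || return 1
    gpg --homedir "$dir" --batch --no-tty --trust-model always \
        --armor --output "$outfile" --recipient "$recipient" \
        --encrypt -- "$infile"
}
```

Run `make_encrypt_only_homedir` once from the shell with a destination outside the web-served tree, then pass that same directory to `--homedir` in the PHP `system()` call.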
 
Daizzy-MaeAuthor Commented:
Thank you so much for your help and patience.

I understand what you have said now.

Unfortunately I have read only permission on the /usr/local/php/ folder as I am on shared hosting.

I am on bash so the chown command will not work (I am currently Googling for an alternative!).

Thank you again!
 
Daizzy-MaeAuthor Commented:
Thank you for your very in-depth knowledge and patience.