6.0.0-beta6
4/10/26

[#6872] gpg keys pair
Summary gpg keys pair
Queue IMP
Queue Version 4.2
Type Bug
State Not A Bug
Priority 1. Low
Owners
Requester kkkrrruuulll (at) yahoo (dot) it
Created 6/9/08 (6514 days ago)
Due
Updated 6/10/08 (6513 days ago)
Assigned
Resolved 6/9/08 (6514 days ago)
Github Issue Link
Github Pull Request
Milestone
Patch No

History
06/10/2008 11:45:44 AM kkkrrruuulll (at) yahoo (dot) it Comment #6 Reply to this comment
[...]
Not to mention that a web process having sudo
powers is likely opening up a *way* bigger security hole than any
security shortcomings you are trying to mask.
i don't know... i'm not very expert... but i think that is easier to
"crack" a db that a process ran with sudo
if you don't want to use sudo, i think you can use the gnupg's 
parameter --homedir (which value can be saved on user's preferences)
06/10/2008 07:29:13 AM kkkrrruuulll (at) yahoo (dot) it Comment #5 Reply to this comment

[Show Quoted Text - 13 lines]
but it can; and it can have his .gnupg directory with his 
public/private keys and his keyrings already full
Not to mention that a web process having sudo
powers is likely opening up a *way* bigger security hole than any
security shortcomings you are trying to mask.
i don't know... i'm not very expert... but i think that is easier to 
"crack" a db that a process ran with sudo
06/10/2008 07:04:16 AM Michael Slusarz Comment #4 Reply to this comment

[Show Quoted Text - 10 lines]
There is absolutely no requirement that users have accounts on the 
server running Horde. Not to mention that a web process having sudo 
powers is likely opening up a *way* bigger security hole than any 
security shortcomings you are trying to mask.
06/10/2008 06:58:31 AM kkkrrruuulll (at) yahoo (dot) it Comment #3 Reply to this comment
i think that it's a high security risk to save private key into the database
Then don't use PGP on Horde if you find this not acceptable.
Indeed, for now I can not use it; but I like to use it in the future
i think that horde/imp must use keys (and keyrings) contained into
the private/hidden directory .gnupg of every user; horde/imp must use
gnupg command line (sudo'ed as spamassassin) for every operation
What user directory?  Horde/IMP has no access to a user's home directory.
not horde, but gnupg yes



if you run gnugp sudo'ed with the logged user, i think it can access 
the user's home


06/09/2008 04:44:42 PM Michael Slusarz Comment #2
Priority ⇒ 1. Low
State ⇒ Not A Bug		 Reply to this comment
i think that it's a high security risk to save private key into the database
Then don't use PGP on Horde if you find this not acceptable.
i think that horde/imp must use keys (and keyrings) contained into
the private/hidden directory .gnupg of every user; horde/imp must use
gnupg command line (sudo'ed as spamassassin) for every operation
What user directory?  Horde/IMP has no access to a user's home directory.
06/09/2008 04:30:17 PM kkkrrruuulll (at) yahoo (dot) it Comment #1
Priority ⇒ 3. High
Type ⇒ Bug
Summary ⇒ gpg keys pair
Queue ⇒ IMP
Milestone ⇒
Patch ⇒ No
State ⇒ Unconfirmed		 Reply to this comment
i think that it's a high security risk to save private key into the database



i think that horde/imp must use keys (and keyrings) contained into the 
private/hidden directory .gnupg of every user; horde/imp must use 
gnupg command line (sudo'ed as spamassassin) for every operation
New Ticket
My Tickets
Search
Query Builder
Reports

Saved Queries

Open Bugs
Bugs waiting for Feedback
Open Bugs in Releases
Open Enhancements
Enhancements waiting for Feedback
Bugs with Patches
Enhancements with Patches
Release Showstoppers
Stalled Tickets
New Tickets
Horde 5 Showstoppers