Fri, 10 Apr 2026 03:14:11 +0000 https://bugs.horde.org/ticket/6872 gpg keys pair i think that it's a high security risk to save private key into the database i think that horde/imp must use keys (and keyrings) contained into the private/hidden directory .gnupg of every user; horde/imp must use gnupg command line (sudo'ed as spamassassin) for every operation Mon, 09 Jun 2008 16:30:17 +0000 https://bugs.horde.org/ticket/6872#t46128 > i think that it's a high security risk to save private key into the database Then don't use PGP on Horde if you find this not acceptable. > i think that horde/imp must use keys (and keyrings) contained into > the private/hidden directory .gnupg of every user; horde/imp must use > gnupg command line (sudo'ed as spamassassin) for every operation What user directory? Horde/IMP has no access to a user's home directory. Mon, 09 Jun 2008 16:44:42 +0000 https://bugs.horde.org/ticket/6872#t46130 >> i think that it's a high security risk to save private key into the database > > Then don't use PGP on Horde if you find this not acceptable. Indeed, for now I can not use it; but I like to use it in the future >> i think that horde/imp must use keys (and keyrings) contained into >> the private/hidden directory .gnupg of every user; horde/imp must use >> gnupg command line (sudo'ed as spamassassin) for every operation > > What user directory? Horde/IMP has no access to a user's home directory. not horde, but gnupg yes if you run gnugp sudo'ed with the logged user, i think it can access the user's home Tue, 10 Jun 2008 06:58:31 +0000 https://bugs.horde.org/ticket/6872#t46165 >>> i think that horde/imp must use keys (and keyrings) contained into >>> the private/hidden directory .gnupg of every user; horde/imp must use >>> gnupg command line (sudo'ed as spamassassin) for every operation >> >> What user directory? Horde/IMP has no access to a user's home directory. > > not horde, but gnupg yes > > if you run gnugp sudo'ed with the logged user, i think it can access > the user's home There is absolutely no requirement that users have accounts on the server running Horde. Not to mention that a web process having sudo powers is likely opening up a *way* bigger security hole than any security shortcomings you are trying to mask. Tue, 10 Jun 2008 07:04:16 +0000 https://bugs.horde.org/ticket/6872#t46167 >>>> i think that horde/imp must use keys (and keyrings) contained into >>>> the private/hidden directory .gnupg of every user; horde/imp must use >>>> gnupg command line (sudo'ed as spamassassin) for every operation >>> >>> What user directory? Horde/IMP has no access to a user's home directory. >> >> not horde, but gnupg yes >> >> if you run gnugp sudo'ed with the logged user, i think it can access >> the user's home > > There is absolutely no requirement that users have accounts on the > server running Horde. but it can; and it can have his .gnupg directory with his public/private keys and his keyrings already full >Not to mention that a web process having sudo > powers is likely opening up a *way* bigger security hole than any > security shortcomings you are trying to mask. i don't know... i'm not very expert... but i think that is easier to "crack" a db that a process ran with sudo Tue, 10 Jun 2008 07:29:13 +0000 https://bugs.horde.org/ticket/6872#t46170 >[...] > >> Not to mention that a web process having sudo >> powers is likely opening up a *way* bigger security hole than any >> security shortcomings you are trying to mask. > > i don't know... i'm not very expert... but i think that is easier to > "crack" a db that a process ran with sudo if you don't want to use sudo, i think you can use the gnupg's parameter --homedir (which value can be saved on user's preferences) Tue, 10 Jun 2008 11:45:44 +0000 https://bugs.horde.org/ticket/6872#t46186