Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. GnuPG>
  3. users
Setting up gpg on an IRIX web server
Greg at McKean
Feb 3, 2000, 12:33 PM
Post #1 of 10 (2145 views)
Permalink
To Whom it may concern,
I am in the process of trying to get gpg working on an IRIX web server that
I do not have telnet or direct access to. A gentle soul sent me a
pre-compiled binary of gpg v.1.0.0 which to my knowledge is working
correctly. I am currently faking a telnet session with perl but can only
view the output of any one command, I can't actually interact with it. When
I run the command "pgpfiles/gpg.bin" I always recieve the error:

gpg: Warning: using insecure memory!
gpg: ~/.gnupg: can't create directory: No such file or directory
gpg: keyblock resource `~/.gnupg': file open error
gpg: ~/.gnupg: can't create directory: No such file or directory
gpg: keyblock resource `~/.gnupg': file open error
gpg: processing message failed: eof

I created a directory called .gnupg off of the directory that contains gpg
(pgpfiles) but still recieve the above message. I'm not a UNIX person but I
figured that is where ~/.gnupg refers to. Where is it actually looking? I
also created the same dir off of my document root in case that is where it
was looking but recieved the same results. I can't actually create anything
off of the real root because I am on a virtual web server account.

Could someone point me to where I could find out 1) exactly which files are
absolutley nessesary for proper execution and 2)where do they belong? Or am
I possibly just missing an environment variable(like PGPPath for PGP) or
something that would tell gpg where to find it's support files? I've read
the handbook but it starts with "make"ing and doesn't really go into
configuration. What configuration info I could find assumes you have total
access to the machine in question and did a regular make. Also, as I said, I
don't have telnet access or an IRIX box to actually build anything myself
which makes this harder to do.

In the beginning of this fiasco I found a PGP v.2.6.2 IRIX binary and it
took me a couple of days to get it working on the server. I was able to
create the randseed.bin and keychains on a DOS box that also worked on the
IRIX server. Can I use those for gpg also or do I need to create new ones?
Is there a way to do this without the telnet or actuall IRIX box access?
I stopped developement of the PGP related scripts after talking with a
Network Associates rep who told me that MINIMUM pgp would cost $4500 (two
year subscription) to use on a commercial website. STEEEP. Plus considering
how they don't support IRIX I would be paying for the 2.6.2 version that I
found on the net, not a recent version. NICE.

In case it helps, when I run "gpg --gen-key" I get:

gpg (GnuPG) 1.0.0; Copyright (C) 1999 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: Warning: using insecure memory!
gpg: ~/.gnupg: can't create directory: No such file or directory
gpg: keyblock resource `~/.gnupg': file open error
gpg: ~/.gnupg: can't create directory: No such file or directory
gpg: keyblock resource `~/.gnupg': file open error
gpg: cannot open /dev/tty: No such device or address

which, at least to me, would indicate that the binary is good at least.

Thanks for any help,
Yes, I do know I ramble,

Greg McKean
Greg@McKean.com
PC Geek
Re: Setting up gpg on an IRIX web server [ In reply to ]
johanw at vulcan
Feb 3, 2000, 3:12 PM
Post #2 of 10 (2165 views)
Permalink
Greg McKean wrote:

> I run the command "pgpfiles/gpg.bin" I always recieve the error:
>
> gpg: Warning: using insecure memory!

Add the following command-line option:

--no-secmem-warning
Suppress the warning about "using insecure memory".

Or make gpg suid root (chmod 4755 gpg). Secure memory is memory that can't
be swapped to disk. But on operating systems that support this feature you
need root priviliges to get such memory, ordinary users can't. Setting a
program suid root allows the program to run with root privs although it is
started by another user - a potential security rusk so you should enable
this by hand. Without root access to the machine you can't without hacking
the machine.

> gpg: ~/.gnupg: can't create directory: No such file or directory

The tilde (~) stands for the users home directory in gpg. I assume (but I
can be mistaken here) that in this case it is the homedirectory of the user
that owns the webserver, or the user the webserver starts its scripts as
(that can be different due to security reasons).

However, you can override this directory: from the man page:

ENVIRONMENT
HOME Used to locate the default home directory.

GNUPGHOME If set directory used instead of "~/.gnupg".


--homedir directory
Set the name of the home directory to directory
If this option is not used it defaults to
"~/.gnupg". It does not make sense to use this
in a options file. This also overrides the envi-
ronment variable "GNUPGHOME".

I'll mail you the man page.

> I created a directory called .gnupg off of the directory that contains gpg
> (pgpfiles) but still recieve the above message. I'm not a UNIX person but I
> figured that is where ~/.gnupg refers to. Where is it actually looking? I
> also created the same dir off of my document root in case that is where it
> was looking but recieved the same results. I can't actually create anything
> off of the real root because I am on a virtual web server account.

Did you get that working? I tried, and although it works fine in my local
network, I can't get it to work on a server connected to the internet. :-(

> In the beginning of this fiasco I found a PGP v.2.6.2 IRIX binary and it
> took me a couple of days to get it working on the server. I was able to
> create the randseed.bin and keychains on a DOS box that also worked on the
> IRIX server. Can I use those for gpg also or do I need to create new ones?

Randseed.bin is re-created by gpg (I don't know if Irix has a decent random
device but I assume it has because gpg would have complained otherwise). The
keyfiles can be imported only if you load the RSA and IDEA modules.

> Is there a way to do this without the telnet or actual IRIX box access?

I don't know.

> I stopped developement of the PGP related scripts after talking with a
> Network Associates rep who told me that MINIMUM pgp would cost $4500 (two
> year subscription) to use on a commercial website. STEEEP.

You could in that case also use pgp 2.6.3i - no licenses required.

--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
Re: Setting up gpg on an IRIX web server [ In reply to ]
mstevens at imaginet
Feb 4, 2000, 3:44 AM
Post #3 of 10 (2159 views)
Permalink
On Thu, Feb 03, 2000 at 11:12:08PM +0100, Johan Wevers wrote:
> Greg McKean wrote:
>
> > I run the command "pgpfiles/gpg.bin" I always recieve the error:
> >
> > gpg: Warning: using insecure memory!
>
> Add the following command-line option:
>
> --no-secmem-warning
> Suppress the warning about "using insecure memory".
>
> Or make gpg suid root (chmod 4755 gpg). Secure memory is memory that can't
> be swapped to disk. But on operating systems that support this feature you
> need root priviliges to get such memory, ordinary users can't. Setting a
> program suid root allows the program to run with root privs although it is
> started by another user - a potential security rusk so you should enable
> this by hand. Without root access to the machine you can't without hacking
> the machine.

The mlock(3) man page on OpenBSD suggests that regular users can lock
memory, but only up to a preset quota:

-cut--
Since physical memory is a potentially scarce resource, processes are
limited in how much they can lock down. A single process can mlock
the minimum of a system-wide ``wired pages'' limit and the per-process
RLIMIT_MEMLOCK resource limit.
-cut--
Re: Setting up gpg on an IRIX web server [ In reply to ]
D.M.Pick at qmw
Feb 4, 2000, 4:21 AM
Post #4 of 10 (2136 views)
Permalink
> mstevens> The mlock(3) man page on OpenBSD suggests that regular users can lock
> mstevens> memory, but only up to a preset quota:
>
> mstevens> -cut--
> mstevens> Since physical memory is a potentially scarce resource, processes are
> mstevens> limited in how much they can lock down. A single process can mlock
> mstevens> the minimum of a system-wide ``wired pages'' limit and the per-process
> mstevens> RLIMIT_MEMLOCK resource limit.
> mstevens> -cut--
>
> it would be nice for other os-s to support this so usage of setuid can
> be avoided. does anyone know whether there is any work being done to
> support this? (at least for linux?)

FreeBSD has the identical text in the mlock(3) man page.

--
David Pick
Re: Setting up gpg on an IRIX web server [ In reply to ]
wk at gnupg
Feb 4, 2000, 7:39 AM
Post #5 of 10 (2136 views)
Permalink
On Fri, 4 Feb 2000, sen_ml@eccosys.com wrote:

> it would be nice for other os-s to support this so usage of setuid can
> be avoided. does anyone know whether there is any work being done to
> support this? (at least for linux?)

according to Dave Miller this is not allowed by POSIX. The solution
for Linux are Capabilities (there is no Posix standard but it is
decribed in the draft standard). GnuPG supports it and IIRC Rèmi
supplied the patches and it seems to work. You have to do a
./configure --use-capabilities to enable it. However, you need an
extra library (libpcap) to make irt work.


--
Werner Koch at guug.de www.gnupg.org keyid 621CC013
Re: Setting up gpg on an IRIX web server [ In reply to ]
lhecking at nmrc
Feb 4, 2000, 9:25 AM
Post #6 of 10 (2134 views)
Permalink
sen_ml@eccosys.com writes:
> > it would be nice for other os-s to support this so usage of setuid can
> > be avoided. does anyone know whether there is any work being done to
> > support this? (at least for linux?)
>
> D.M.Pick> FreeBSD has the identical text in the mlock(3) man page.
>
> i knew there was a reason i still run freebsd on some machines ;-)
>
> so, perhaps netbsd also has the support too. any netbsd users out
> there?

The NetBSD mlock(3) man page is the same:
http://www.flame.org/cgi-bin/uncgi/hman?page=mlock&sect=&arch=i386

Need to check on my home system whether or not I installed gpg
suid ... this is m68k, but it shouldn't be different from i386.
Re: Setting up gpg on an IRIX web server [ In reply to ]
D.M.Pick at qmw
Feb 4, 2000, 10:48 AM
Post #7 of 10 (2134 views)
Permalink
> > it would be nice for other os-s to support this so usage of setuid can
> > be avoided. does anyone know whether there is any work being done to
> > support this? (at least for linux?)
>
> D.M.Pick> FreeBSD has the identical text in the mlock(3) man page.
>
> i knew there was a reason i still run freebsd on some machines ;-)
>
> so, perhaps netbsd also has the support too. any netbsd users out
> there?

The man page also stated that the mlock call was introduced in BSD 4.4,
so I guess all systems derived from it probably behave the same.

--
David Pick
Re: Setting up gpg on an IRIX web server [ In reply to ]
rguyom at mail
Feb 4, 2000, 4:19 PM
Post #8 of 10 (2133 views)
Permalink
On Fri, Feb 04, 2000 at 03:39:03PM +0100, Werner Koch wrote:
> On Fri, 4 Feb 2000, sen_ml@eccosys.com wrote:
>
> > it would be nice for other os-s to support this so usage of setuid can
> > be avoided. does anyone know whether there is any work being done to
> > support this? (at least for linux?)
>
> according to Dave Miller this is not allowed by POSIX. The solution
> for Linux are Capabilities (there is no Posix standard but it is
> decribed in the draft standard). GnuPG supports it and IIRC Rémi
> supplied the patches and it seems to work. You have to do a
> ./configure --use-capabilities to enable it. However, you need an
> extra library (libpcap) to make it work.

You will also need a kernel patch to add (semi)persistant storage of
capabilities.
Re: Setting up gpg on an IRIX web server [ In reply to ]
rguyom at mail
Feb 4, 2000, 4:28 PM
Post #9 of 10 (2138 views)
Permalink
On Fri, Feb 04, 2000 at 11:21:41AM +0000, David Pick wrote:
>
> > mstevens> The mlock(3) man page on OpenBSD suggests that regular users can lock
> > mstevens> memory, but only up to a preset quota:
> >
> > mstevens> -cut--
> > mstevens> Since physical memory is a potentially scarce resource, processes are
> > mstevens> limited in how much they can lock down. A single process can mlock
> > mstevens> the minimum of a system-wide ``wired pages'' limit and the per-process
> > mstevens> RLIMIT_MEMLOCK resource limit.
> > mstevens> -cut--
> >
> > it would be nice for other os-s to support this so usage of setuid can
> > be avoided. does anyone know whether there is any work being done to
> > support this? (at least for linux?)
>
> FreeBSD has the identical text in the mlock(3) man page.

Unfortunately, one should read the next line :

[..]
Since physical memory is a potentially scarce resource, processes are
limited in how much they can lock down. A single process can mlock() the
minimum of a system-wide `wired pages'' limit and the per-process
RLIMIT_MEMLOCK resource limit.

These calls are only available to the super-user.

[...]
ERRORS
Mlock() will fail if:

[EPERM] The caller is not the super-user.
[..]
Re: Setting up gpg on an IRIX web server [ In reply to ]
lhecking at nmrc
Feb 4, 2000, 7:30 PM
Post #10 of 10 (2133 views)
Permalink
> > FreeBSD has the identical text in the mlock(3) man page.
>
> Unfortunately, one should read the next line :
>
> [..]
> Since physical memory is a potentially scarce resource, processes are
> limited in how much they can lock down. A single process can mlock() the
> minimum of a system-wide `wired pages'' limit and the per-process
> RLIMIT_MEMLOCK resource limit.
>
> These calls are only available to the super-user.
>
> [...]
> ERRORS
> Mlock() will fail if:
>
> [EPERM] The caller is not the super-user.
> [..]

NetBSD does not have this limitation. gpg works fine without suid.

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal