Noob trying to get gunpg working
Posted: Fri Sep 05, 2003 2:15 pm
by aladdinsane
Hi,
I am on a shared server and have a script that I am trying to make encrypt data and send me an encrypted e-mail.
Code:
<?php
//build the message string
$msg = "Sender's Full Name:\t$sender_name\n";
$msg .= "Sender's E-Mail:\t$sender_email\n";
$msg .= "Secret Message?\t$secret_msg\n\n";
//set the environment variable for GNUPGHOME
putenv("GNUPGHOME=/home/friendsh/.gnupg");
//create vars to hold paths and filenames
$plainTxt = "/home/friendsh/public_html/dev/uncoded.txt";
$crypted = "/home/friendsh/public_html/dev/coded.txt";
//open file and dump in plaintext contents
$fp = fopen($plainTxt, "w+");
fputs($fp, $msg);
fclose($fp);
//invoke GNUPG to encrypt file contents
system("/usr/bin/gpg --encrypt -ao $crypted -r 'Keith Moon <keith@oops.co.uk>' $plainTxt");
//open file and read encrypted contents into var
$fd = fopen($crypted, "r");
$mail_cont = fread($fd, filesize($crypted));
fclose($fd);
//delete files!
unlink($plainTxt);
unlink($crypted);
// Build mail message and send it to target recipient.
$recipient = "keith@oops.co.uk";
$subject = "Secret Message";
$mailheaders = "From: My Web Site\n";
$mailheaders .= "Reply-To: $sender_email\n\n";
mail("$recipient", "$subject", $mail_cont, $mailheaders);
// Print confirmation to screen.
echo "
<H1 align=center>Thank You, $sender_name</h1>
<p align=center>Your secret message has been sent.</p>
";
?>
I am not getting any error messages but the encryption is not taking place at all.
By removing the unlink I can view the files' contents. I find that the uncoded.txt file contains the correct data but the coded.txt file is always empty.
I am a beginner on this so any help or ideas on getting the encryption to take place (simply expressed) would be great.
I think I may have a problem here -
putenv("GNUPGHOME=/home/friendsh/.gnupg");
Regards
Keith
Posted: Fri Sep 05, 2003 3:08 pm
by Stoker
A couple of things here. First of all, you are breaking the rules: NEVER EVER write the data to be encrypted to disk!!! Using fixed-name files is a bad idea in general; what happens if two threads are trying to do this at the same time?
Second, what user does the script run as? If it runs as nobody it won't work out of the box.. There is a way to make it work as 'nobody' but it includes making the trustdb file writeable by the world, so it is much better if you can do it as your own user, with a suexec or cgiwrapped script.. (Your private key should of course not be on the server).
When you have that, you can do the encoding something like
Code:
<?php
$plaintext = "Bla Bla here is the order bla \r\n $order_details \r\n paid by $creditcard_details \r\n and ship to $shipto \r\n";
$creditcard_details = ''; # Paranoid
$gpg = '/usr/bin/gpg';
$gpgopt = '--always-trust --batch --yes --no-options --no-secmem-warning'; # All of this may not be needed...
$user = 'bob';
$homedir = '/home/bob/.somewilddir'; # Its always good to be paranoid, don't use .gnupg
exec ('/bin/echo '.escapeshellarg($plaintext).' | '. $gpg '. -ear '.$user.' --homedir '.$homedir.' '.$gpgopt, $encoded);
$encoded = implode("\r",$encoded);
$plaintext = '';
mail ($orderecepient,'New Order', $encoded,'From: orders@myserver.com');
?>
Untested - may have some typos etc..
This keeps everything in memory, so the only possible disk write is swap memory, which is a short-time, low-risk thing..
Posted: Fri Sep 05, 2003 3:14 pm
by m3rajk
Just a pointer: the fact it's encrypting something means it's not wrong. What's wrong is likely the understanding you have of how it works. In a situation like this I try to figure out the behaviour of the function, because normally I find that it's doing something I'm not expecting, and when I read the description again I find that I had the wrong impression at first.
BTW: the way you have that, and PHP's pre-parsing before execution, makes me think what's happening is this:
You're calling the gpg script with the wrong arguments.
I say this because you have --encrypt and -ao. Generally you either have a -- string or a - string.
The -o is a standard; what does -a do? Is there a -e or something that's equivalent to --encrypt? If so, call it with -aeo instead of --encrypt -ao.
Posted: Fri Sep 05, 2003 5:17 pm
by aladdinsane
Hi,
Thanks for your replies.
Regarding writing to disk. This is just while I am trying to get the encryption to work. I am the only one accessing it, I am trying to get it to work in as simple a manner as possible then I will rewrite it for maximum security. You could say this is an early version of a not yet finished script.
From what I can tell nothing is actually being encrypted. Both of those files already exist, albeit empty. The coded.txt file remains empty after the script has run.
How can I find out what user the script runs as? Can I find out myself or should I ask the host?
I changed the variables accordingly and tried to run your script Stoker but it returned a parse error in this line -
exec ('/bin/echo '.escapeshellarg($plaintext).' | '. $gpg '. -ear '.$user.' --homedir '.$homedir.' '.$gpgopt, $encoded);
Please forgive me for all the questions I am trying to learn.
Thanks again for your help
Keith
Edit: Also can I ask please Stoker where is your script getting the Public Key. I can't work this out. Sorry.
Posted: Fri Sep 05, 2003 8:27 pm
by m3rajk
no problem.
We love it when people learn. Then they stick around and teach us when we run into issues they know about and we don't.
The script that is being executed by PHP is run as PHP. But PHP is run by your webserver application, so if that's Apache, then your script is being executed as Apache. If that's IIS, then you're running it as IIS.
It might help to tell us the environment. The common shorthands I've seen are WIMP and LAMP.
The first letter is the first letter of your OS, the second is your web server, the third is your database and the fourth is the dynamic language.
Posted: Sat Sep 06, 2003 5:42 am
by aladdinsane
Hi,
My setup is LAMP - Linux, Apache, MySQL, PHP
What I don't know is if the script runs as the user nobody? And of course why the whole thing isn't working!
Many Thanks
Keith
Posted: Sat Sep 06, 2003 11:17 am
by Stoker
The parse error was a misplaced dot, instead of
. $gpg '. -ear '.
it should be
. $gpg .' -ear '.
but that won't help much if the script doesn't run as your own user, and most likely it does not, as 99% of the Apache servers out there run as a limited user (nobody, www-data or similar) and have mod_php installed so that all PHP scripts run under the same process.
What you should do is make a CGI script for this instead. Perhaps read your host's documentation and see if there is any mention of SuExec or CGI-wrap; usually all it requires is a private directory (0700) with a private executable (0700) script or binary. As far as PHP goes, if the PHP-CGI binary is installed, your script will look exactly the same except the first line of the file points to the location of the PHP interpreter, something like
#!/usr/local/bin/php
Posted: Sat Sep 06, 2003 12:28 pm
by m3rajk
aladdinsane wrote:
Hi,
My setup is LAMP - Linux, Apache, MySQL, PHP
What I don't know is if the script runs as the user nobody? And of course why the whole thing isn't working!
Many Thanks
Keith
Most likely nobody or apache.
An easy way to find out:
Code:
<?php // simple mailing script to test php's user
if (isset($_GET['mail'])) { // sending mail
    $to = $_GET['to']; // email address to send it to
    mail($to, "testing php's user", 'this is a test'); // send the mail
} // mail is sent
// PHP_SELF is concatenated because variables are not expanded inside single
// quotes, and escaped so the page cannot reflect injected markup
echo '<html><head><title>testing mail</title></head><body>
<form action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '">
<input type="hidden" name="mail" value="1">
<input type="text" name="to">
<br /><input type="submit"></form></body></html>';
?>
Run that. The e-mail will be sent by Apache, which will tell you the username.
Posted: Sat Sep 06, 2003 1:31 pm
by aladdinsane
Hi,
The e-mail is sent from username@servername
With all of these posts I am getting a little confused!
Is this something I will be able to do with PHP or will I need to use a CGI script?
I amended your script Stoker but the e-mail I receive is blank.
Cheers
Keith
Posted: Sat Sep 06, 2003 2:12 pm
by aladdinsane
Hi
Here is some info from
<?php phpinfo();?>
Server API - CGI
SERVER_SOFTWARE - Apache/1.3.28 (Unix) mod_jk2/2.0.0 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.0 FrontPage/5.0.2.2634 mod_ssl/2.8.15 OpenSSL/0.9.7a PHP-CGI/0.1b
Does this help anyone explain things?
Regards
Keith
Posted: Sun Sep 07, 2003 6:40 am
by aladdinsane
Hi,
I am aware of the security and writing to disk issues of my script. However can we go back to my original code and try to work out why it isn't working. I can't see anything in it that would stop it from performing the encryption. Could it be that gnupg is not set-up correctly on the server?
Could somebody do me a favour and test this code on their own server set-up, changing the gnupg paths and public keys as appropriate.
Code:
<?php
//build the message string
$msg = "Sender's Full Name:\t$sender_name\n";
$msg .= "Sender's E-Mail:\t$sender_email\n";
$msg .= "Secret Message?\t$secret_msg\n\n";
//set the environment variable for GNUPGHOME
putenv("GNUPGHOME=/home/friendsh/.gnupg");
//create vars to hold paths and filenames
$plainTxt = "/home/friendsh/public_html/dev/uncoded.txt";
$crypted = "/home/friendsh/public_html/dev/coded.txt";
//open file and dump in plaintext contents
$fp = fopen($plainTxt, "w+");
fputs($fp, $msg);
fclose($fp);
//invoke GNUPG to encrypt file contents
system("/usr/bin/gpg --encrypt -ao $crypted -r 'Keith Moon <keith@oops.co.uk>' $plainTxt");
//open file and read encrypted contents into var
$fd = fopen($crypted, "r");
$mail_cont = fread($fd, filesize($crypted));
fclose($fd);
//delete files!
unlink($plainTxt);
unlink($crypted);
// Build mail message and send it to target recipient.
$recipient = "keith@oops.co.uk";
$subject = "Secret Message";
$mailheaders = "From: My Web Site\n";
$mailheaders .= "Reply-To: $sender_email\n\n";
mail("$recipient", "$subject", $mail_cont, $mailheaders);
// Print confirmation to screen.
echo "
<H1 align=center>Thank You, $sender_name</h1>
<p align=center>Your secret message has been sent.</p>
";
?>
Many Thanks
Keith
Posted: Sun Sep 07, 2003 11:47 pm
by Stoker
As I wrote earlier, the issue is not the code; the issue is most likely the user. Make it a CGI script instead, as I mentioned. You can use the exact same PHP script, just add the #!/path/to/php at the top and set private executable permissions on the containing directory and the file (read your host's documentation on how to use SuExec or CGI-wrap)..
Posted: Mon Sep 08, 2003 4:16 am
by aladdinsane
Hi,
Thanks for your reply. Which file extension should I use for the script .cgi or .php?
Cheers
Keith
Posted: Mon Sep 08, 2003 6:01 am
by aladdinsane
Hi,
Using CPanel I have set up cgiwrap. It creates a scgi-bin directory. I have added the path to php at the top of the php script.
Looking at the CGI wrap documentation it says to access the script like this -
http://www.domain.com/cgi-bin/cgiwrap/u ... scriptname
however doing this gives a file not found. I tried -
http://www.domain.com/scgi-bin/cgiwrap/ ... scriptname and get the same error.
So I tried
http://www.domain.com/scgi-bin/scriptname and now the php script runs but yet again the e-mail is blank.
Any ideas?
Posted: Mon Sep 08, 2003 4:15 pm
by Stoker
You have to name it .cgi and then set the file permissions to 0700, meaning read-write-execute for owner and no permissions for group or other, you can do this thru the cpanel filemanager.
For now forget about the encryption; you need to make sure this script will run as your own user. Just make the script work and try this in the script
foreach ($_ENV as $key =>$val) echo $key .' => '.htmlspecialchars($val)."<br>\n";
One of those will show what user the script runs as..
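Putting Stoker's two suggestions together (keep the plaintext in memory instead of writing files, and find out which user the script actually runs as), as an added example that is not code from the thread. It assumes gpg at /usr/bin/gpg and a keyring under the homedir that already holds the recipient's public key; the paths and address are the ones from this thread, used only as placeholders.

```php
<?php
// Added example, not code from the thread: encrypt with gpg over pipes (no
// temp files) and report the effective user, so an empty gpg output can be
// traced to the wrong user, a missing keyring or an untrusted recipient key.
// Assumptions: gpg lives at /usr/bin/gpg and $homedir already holds the
// recipient's public key; all values below are constructed for the example.

function script_user(): string {
    // posix_* exists only when PHP was built with the posix extension
    if (function_exists('posix_geteuid')) {
        $pw = posix_getpwuid(posix_geteuid());
        return $pw ? $pw['name'] : (string) posix_geteuid();
    }
    return trim((string) shell_exec('id -un'));
}

function gpg_encrypt(string $plaintext, string $recipient, string $homedir,
                     string $gpg = '/usr/bin/gpg'): array {
    $cmd = escapeshellarg($gpg) . ' --homedir ' . escapeshellarg($homedir)
         . ' --batch --yes --no-tty --trust-model always' // never prompt
         . ' --armor --encrypt --recipient ' . escapeshellarg($recipient);
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        return ['ok' => false, 'out' => '', 'err' => 'proc_open failed', 'status' => -1];
    }
    fwrite($pipes[0], $plaintext); // plaintext travels over a pipe, never a file
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);
    // gpg writes nothing to stdout when it fails; the reason is on stderr
    $ok = $status === 0 && strpos($out, '-----BEGIN PGP MESSAGE-----') === 0;
    return ['ok' => $ok, 'out' => $out, 'err' => $err, 'status' => $status];
}

$result = gpg_encrypt("Secret message body\n", 'keith@oops.co.uk',
                      '/home/friendsh/.gnupg');
echo 'Running as: ', script_user(), "\n";
if ($result['ok']) {
    mail('keith@oops.co.uk', 'Secret Message', $result['out'], "From: My Web Site\r\n");
} else {
    // never send an empty mail; log what gpg said so the cause is visible
    error_log(sprintf('gpg exit %d: %s', $result['status'], trim($result['err'])));
}
```

If "Running as" prints nobody, www-data or apache, the keyring under your own home directory is not the one gpg is reading, which is the situation Stoker describes; the stderr captured in the error log will say so directly.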