phreek Posted August 1, 2008

Hello everyone. I have a site on a shared host which needs to send encrypted emails. I've seen this same question asked here and other places on the web but either they were unanswered or the solution provided isn't working for me.

<?php
$messege = "Some Super Seceret Messege";
$gpg = '/usr/bin/gpg';
$recipient = 'email@domain.com';
$key_dir = '/home/username/.gnupg';
// putenv("GNUPGHOME=/home/username/.gnupg");
$tmp = "echo $messege | $gpg -e -r $recipient";
echo $tmp;
$tmp2 = shell_exec($tmp);
echo $tmp2;
$output = base64_encode($tmp2);
echo "<pre>$output</pre>";
?>

When I run this script $tmp displays on the screen and that is it. At first I took the echoed $tmp and used it on the command line, which worked but told me the key was not ultimately trusted and asked if I want to trust it. When I hit Y I'd get encrypted garbage on the telnet window (I'm assuming that means it worked). I set the trust for this key to ultimate trust and tried again. Running the PHP script nets the same results: only $tmp displays on the screen. Now when I run it on the command line I get this message: "It is NOT certain that the key belongs to the person named in the user ID. If you *really* know what you are doing, you may answer the next question with yes". Again, clicking yes displays encrypted garbage on screen.

It appears to be working but getting hung up on the command prompt waiting on a response. I have not found anything telling me what I can do to either ignore this uncertain key message or prevent it, and any implications that would have on security. Any help will be greatly appreciated.

zq29 Posted August 3, 2008

Do you have PHP running in safe mode? shell_exec() is disabled when safe mode is on. Also, to suppress the trust message, you could use the --trust-model always option in pgp, though you might want to employ some form of external validation...

phreek (Author) Posted August 4, 2008

Safe mode is off. I just checked to verify. I'm not sure what exactly you mean about external validation in this situation, but here is a little rundown on what's going to happen once this is working. I have a form mailer that is going to receive personal identification information. Nothing top secret, but nothing I'd like to see sent out as plain text. Once it is fully functional, users will fill out a secure form and the results of that form will get mailed to the appropriate person. Thanks for your help. I'm going to go try out --trust-model always and see what I get.

phreek (Author) Posted August 4, 2008

Well, the message I was getting must not have been the problem (at least not the whole problem). --trust-model always did get rid of the message via command line, yet the script is still coming up blank after echoing $tmp. Just to test this out I started using system($command, $results) and an input and output file that get deleted after the encryption. Which again works via command line, but when I run the script through the web server $results is = 2 and I've got no output file. I've been searching for what the value 2 indicates but so far I'm coming up blank on that. Thanks again

zq29 Posted August 4, 2008

Does the user that runs Apache also have access to pgp?

phreek (Author) Posted August 4, 2008

I was off doing something else for a moment so I just got back to this. It is really starting to seem like it is some kind of permissions problem. I'm just not used to having root access and doing all this myself yet, so I've been looking around to see what I need to do to find out what user Apache is running as and what permissions it has for the script. As soon as I figure that out I'll let ya know. Thanks.

phreek (Author) Posted August 4, 2008

Before I came here and started this post I logged into the server as root and displayed the script with permissions. It is currently listed as executable by "other" and its owner and group are both root. I "assumed" that the executable in other would be applicable for user "nobody", which is what Apache is running as. To play around with this some more, I switched from system_exec() to using system($command, $returnvalue) as mentioned earlier. I can list directories and display text files out of the tmp directory, but even a simple /usr/bin/gpg command fails. When run on the command line I get a line from gpg informing me it's ready for me to start entering text, so I assumed if permissions were correct I'd get that displayed to the browser window. Instead it fails and $returnvalue is set to 2. Is there something else besides setting gpg executable by "other" that needs to be done before Apache can run this? Thanks
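
An added example, not code from any poster in this thread: one way to call gpg from PHP without a shell or a terminal, using the --trust-model always option mentioned above and returning gpg's exit code and stderr so that a failure under the web server user can be read instead of guessed at. It assumes PHP 7.4 or later (array form of proc_open); the function name gpg_encrypt is hypothetical, and the gpg path, home directory and recipient are the placeholders from the first post.

```php
<?php
// Added example, not from the thread. Suitable for short messages such as
// form-mailer output; very large inputs would need non-blocking pipe handling.

/**
 * Encrypt $plaintext to $recipient with gpg, without a shell and without a TTY.
 * Returns [exitCode, armoredCiphertext, stderrText].
 */
function gpg_encrypt(string $plaintext, string $recipient, string $homedir,
                     string $gpg = '/usr/bin/gpg'): array
{
    // The array form of proc_open (PHP >= 7.4) does not go through /bin/sh,
    // so the message and recipient are never interpreted by a shell.
    $cmd = [
        $gpg,
        '--homedir', $homedir,      // keyring directory; the user PHP runs as must be able to read it
        '--batch', '--no-tty',      // fail instead of waiting for an interactive answer
        '--trust-model', 'always',  // option suggested in the thread; skips the trust prompt
        '--armor',                  // ASCII output that can go straight into a mail body
        '--encrypt', '--recipient', $recipient,
    ];
    $spec = [
        0 => ['pipe', 'r'],  // stdin: plaintext in
        1 => ['pipe', 'w'],  // stdout: ciphertext out
        2 => ['pipe', 'w'],  // stderr: gpg's own explanation of any failure
    ];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        return [-1, '', 'proc_open failed'];
    }
    fwrite($pipes[0], $plaintext);
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return [proc_close($proc), $out, $err];
}

// Constructed sample input; recipient and homedir are the thread's placeholders.
[$code, $cipher, $err] = gpg_encrypt("constructed test message\n",
                                     'email@domain.com', '/home/username/.gnupg');
if ($code !== 0) {
    error_log("gpg failed with exit code $code: $err");  // keep details out of the browser
} else {
    echo "<pre>" . htmlspecialchars($cipher) . "</pre>";
}
```

Because --trust-model always disables gpg's own check that the key belongs to the recipient, passing the key's full fingerprint as the recipient instead of an e-mail address is one form of the external validation mentioned earlier.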