Hi There,
For security purposes we disable paths and functions. Is there a way we can enable the pgp binary if we move it to the enigma home directory?
Class 'enigma_driver_gpg' not found in .... is the error we keep getting, after changing lib/Crypt/GPG/Engine.php to look in its home by use of a full path, to be allowed to bypass our restriction with open_basedir, which naturally does not permit access to system binary directories.
We also have disable_functions = exec, shell_exec, system, virtual, show_source, passthru, escapeshellcmd, proc_open, popen, pclose, phpinfo, parse_ini_file, eval
I was sure there was a way to tell apache to use php_admin_value to allow things but can't find references to my problem (which may not even be the actual problem?). I am only guessing.
We do not want to remove the above restrictions in case one day a zero-day is found and can be exploited; I am not permitted to relax them.
Nik
On 07/20/2016 09:40 AM, Nick Edwards wrote:
For security purposes we disable paths and functions. Is there a way we can enable the pgp binary if we move it to the enigma home directory?
You can already set the path to the gpg binary via the enigma_pgp_binary option. However, for GnuPG 2.x you'll also need to set the gpg-agent path, which is not yet supported by a config option. You'd need to set $options['agent'] around https://github.com/roundcube/roundcubemail/blob/master/plugins/enigma/lib/en...
We also have disable_functions = exec, shell_exec, system, virtual, show_source, passthru, escapeshellcmd, proc_open, popen, pclose, phpinfo, parse_ini_file, eval
Crypt_GPG uses proc_open().
Hi Alec,
// Enigma Plugin options
// --------------------

// A driver to use for PGP. Default: "gnupg".
$rcmail_config['enigma_pgp_driver'] = 'gnupg';

// A driver to use for S/MIME. Default: "phpssl".
$rcmail_config['enigma_smime_driver'] = 'phpssl';

// Keys directory for all users. Default 'enigma/home'.
// Must be writeable by PHP process
$rcmail_config['enigma_pgp_homedir'] = null;

$rcmail_config['enigma_pgp_binary'] = '/opt/webmail/plugins/enigma/gpg';
^^^^^^^ This doesn't seem to change anything?
[Thu Jul 21 13:44:54.060378 2016] [:error] [pid 6431:tid 2843577200] [client ] PHP Warning: is_executable(): open_basedir restriction in effect. File(/usr/bin/gpg) is not within the allowed path(s): ( bunch of paths) in /opt/webmail/plugins/enigma/lib/Crypt/GPG/Engine.php on line 1651, referer: https://xxxxxxxxxxxx/?_task=settings&_action=plugin.enigmakeys
repeat this with attempt at /usr/local/bin/gpg
then
[Thu Jul 21 13:44:54.093373 2016] [:error] [pid 6431:tid 2843577200] [client ] PHP Fatal error: Call to undefined method Crypt_GPG_SubKey::usage() in /opt/webmail/plugins/enigma/lib/enigma_driver_gnupg.php on line 437, referer: https://xxxxxxxxxxxxxx/?_task=settings&_action=plugin.enigmakeys
we are using gnupg 1.4.x
On Wed, Jul 20, 2016 at 5:52 PM, A.L.E.C alec@alec.pl wrote:
On 07/20/2016 09:40 AM, Nick Edwards wrote:
For security purposes we disable paths and functions. Is there a way we can enable the pgp binary if we move it to the enigma home directory?
You can already set the path to the gpg binary via the enigma_pgp_binary option. However, for GnuPG 2.x you'll also need to set the gpg-agent path, which is not yet supported by a config option. You'd need to set $options['agent'] around
https://github.com/roundcube/roundcubemail/blob/master/plugins/enigma/lib/en...
We also have disable_functions = exec, shell_exec, system, virtual, show_source, passthru, escapeshellcmd, proc_open, popen, pclose, phpinfo, parse_ini_file, eval
Crypt_GPG uses proc_open().
-- Aleksander 'A.L.E.C' Machniak Kolab Groupware Developer [http://kolab.org] Roundcube Webmail Developer [http://roundcube.net]
PGP: 19359DC1 @@ GG: 2275252 @@ WWW: http://alec.pl _______________________________________________ Roundcube Users mailing list users@lists.roundcube.net http://lists.roundcube.net/mailman/listinfo/users
After sorting out proc_open by changing to a suhosin blacklist instead of the native PHP disable, things progressed. However, I just wiped out the config and used a fresh one, with and without $rcmail_config or $config... I clearly have the wrong idea about the option for the path to it, as roundcube's error now says binary not found. Is $config['enigma_pgp_binary'] = 'path/file'; actually the right entry to use?
On 07/21/2016 07:02 AM, Nick Edwards wrote:
After sorting out proc_open by changing to a suhosin blacklist instead of the native PHP disable, things progressed. However, I just wiped out the config and used a fresh one, with and without $rcmail_config or $config... I clearly have the wrong idea about the option for the path to it, as roundcube's error now says binary not found. Is $config['enigma_pgp_binary'] = 'path/file'; actually the right entry to use?
Yes, are you using git-master version? The option does not exist in 1.2.0.
[Thu Jul 21 13:44:54.093373 2016] [:error] [pid 6431:tid 2843577200] [client ] PHP Fatal error: Call to undefined method Crypt_GPG_SubKey::usage() in
You need more recent Crypt_GPG package.
ARG, no, these are production servers so of course I'm only running stable release 1.2.0.
I think we'll downgrade to 1.1.x again, since several of our plugins don't work with 1.2, and enigma clearly isn't going to work with our security restrictions. Might try again when 1.2.1 or whatever is released. Thanks
On 2016-07-21 05:52 Nick Edwards wrote: [...]
[Thu Jul 21 13:44:54.093373 2016] [:error] [pid 6431:tid 2843577200] [client ] PHP Fatal error: Call to undefined method Crypt_GPG_SubKey::usage() in /opt/webmail/plugins/enigma/lib/enigma_driver_gnupg.php on line 437, referer: https://xxxxxxxxxxxxxx/?_task=settings&_action=plugin.enigmakeys
I got the exact same error a few days ago. It appears that roundcube resets PHP's "default include_path" variable, so installing Crypt_GPG via Pear in the php/lib dir doesn't help. Manually downloading the library into the enigma/lib dir solved it for me. I also dropped a note about this and enigma's configuration here http://notes.sagredo.eu/node/35#enigma
regards Roberto
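A preflight check for the three restrictions this thread runs into (disable_functions blocking proc_open and open_basedir excluding the gpg binary, from the first posts, and Crypt_GPG not being found on Roundcube's include_path, from Roberto's post), written here as an added example and not taken from Roundcube or Crypt_GPG; the binary and plugin paths are assumed values copied from the config posted above.

```php
<?php
// Added preflight check for the PHP restrictions discussed in this thread; it is not Roundcube
// or Crypt_GPG code. Run it as the web server's PHP user with the same php.ini. The paths at
// the bottom are assumed example values taken from the config posted above.

// open_basedir is a PATH_SEPARATOR-separated list of path *prefixes* ("/dir/incl" also admits
// "/dir/include"). PHP applies it to the symlink-resolved path, so pass the binary's real
// location, not a symlink dropped into the plugin directory.
function inside_open_basedir($path, $basedir)
{
    if ($basedir === '') {
        return true; // no restriction configured
    }
    foreach (explode(PATH_SEPARATOR, $basedir) as $prefix) {
        if ($prefix !== '' && strpos($path, $prefix) === 0) {
            return true;
        }
    }
    return false;
}

function enigma_preflight($gpgBinary, $pluginLib, $gpgAgent = null)
{
    $problems = array();
    $basedir  = (string) ini_get('open_basedir');
    // 1. Crypt_GPG spawns gpg through proc_open(); disable_functions is a comma-separated list.
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    if (in_array('proc_open', $disabled, true)) {
        $problems[] = 'proc_open is in disable_functions; Crypt_GPG cannot spawn gpg';
    }
    // 2. gpg (and gpg-agent for GnuPG 2.x) must be under an allowed prefix and executable,
    //    otherwise is_executable() fails with the "open_basedir restriction" warning above.
    foreach (array_filter(array($gpgBinary, $gpgAgent)) as $bin) {
        if (!inside_open_basedir($bin, $basedir)) {
            $problems[] = "$bin is outside open_basedir ($basedir)";
        } elseif (!is_executable($bin)) {
            $problems[] = "$bin is not executable by the PHP user";
        }
    }
    // 3. Crypt_GPG must be loadable. Roundcube sets its own include_path, so a PEAR copy in the
    //    system lib dir may never be seen; the plugin's own lib dir is the reliable location.
    if (!is_file($pluginLib . '/Crypt/GPG.php') && stream_resolve_include_path('Crypt/GPG.php') === false) {
        $problems[] = "Crypt/GPG.php not found under $pluginLib or on include_path";
    }
    return $problems;
}

$problems = enigma_preflight('/opt/webmail/plugins/enigma/gpg', '/opt/webmail/plugins/enigma/lib');
echo $problems ? implode(PHP_EOL, $problems) . PHP_EOL : 'enigma preflight: no blocking restriction found' . PHP_EOL;
```

Run it from the command line with the web server's php.ini (php -c /path/to/php.ini preflight.php); an empty result means none of the three restrictions would stop Enigma before gpg is even started.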
Hello,
I am getting the following error in the browser console when sending an encrypted message.
==============================
ReferenceError: PublicKey is not defined
rcube_webmail/this.mailvelope_search_pubkeys() app.min.js:161
rcube_webmail.prototype.enigma_find_publickey() enigma.js:547
rcube_webmail.prototype.enigma_key_not_found/<.click() enigma.js:537
._createButtons/</a.click() jquery-ui-1.10.4.custom.min.js:37
n.event.dispatch() jquery.min.js:35
n.event.add/r.handle() jquery.min.js:35
==================================
enigma debug log
==================
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: USING GPG 2.0.22 with PHP 5.4.16
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: OPENING GPG-AGENT SUBPROCESS WITH THE FOLLOWING COMMAND:
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: /usr/bin/gpg-agent --daemon --options /dev/null --csh --keep-display --no-grab --ignore-cache-for-signing --pinentry-touch-file /dev/null --disable-scdaemon --no-use-standard-socket --pinentry-program '/var/www/html/plugins/enigma/lib/Crypt_GPG-1.4.2/Crypt/GPG/../../scripts/crypt-gpg-pinentry' --homedir '/var/www/enigma/home/soumitri'
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: CLOSING GPG-AGENT LAUNCH PROCESS
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: GPG-AGENT LAUNCH PROCESS CLOSED
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: OPENING GPG SUBPROCESS WITH THE FOLLOWING COMMAND:
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: /usr/bin/gpg --status-fd '3' --command-fd '4' --no-secmem-warning --no-tty --no-default-keyring --no-options --no-permission-warning --exit-on-status-write-error --trust-model always --with-colons --with-fingerprint --with-fingerprint --fixed-list-mode --homedir '/var/www/enigma/home/soumitri' --list-public-keys 'soumitri@iitk.ac.in'
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: BEGIN PROCESSING
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: selecting streams
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: => got 3
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: GPG output stream ready for reading
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: => about to read 65536 bytes from GPG output
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: => read 658 bytes
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: GPG error stream ready for reading
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: => about to read 65536 bytes from GPG error
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: => read 0 bytes
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: GPG status stream ready for reading
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: => about to read 65536 bytes from GPG status
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: => read 0 bytes
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: selecting streams
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: => got 1
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: GPG output stream ready for reading
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: => about to read 65536 bytes from GPG output
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: => read 0 bytes
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: END PROCESSING
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: CLOSING GPG SUBPROCESS
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: STOPPING GPG-AGENT DAEMON
[22-Jul-2016 11:56:01 +0530]: <1sd24gpn> GPG: GPG-AGENT DAEMON STOPPED
===========================
OS: centos7.2, RC version: 1.2.0
I am not getting any other error in error log.
Thanks for any suggestion.
Regards,
Soumitri Mishra,
On 07/22/2016 08:32 AM, soumitri@iitk.ac.in wrote:
ReferenceError: PublicKey is not defined
PublicKey is defined in publickey.js
OS: centos7.2, RC version: 1.2.0
No, you don't. Key server support was added in master only. I assume you applied some commits from master to 1.2.0, which require some other changes you missed.