Author Topic: issues getting gpg settings correct  (Read 502 times)
yocompia
« on: April 24, 2004, 08:19:15 AM »

i'm trying to get gpg to encrypt text files with a PHP script, but i'm encountering errors about permissions ("unsafe ownership" errors). i believe that my --homedir (where the keyring is supposed to sit, right?) is incorrect. i also have no clue where the gpg key pairs generated by the cPanel sit, and this could very well be the location i need to use for the --homedir option.

another possible issue is that i don't have access to the keyring of the PHP user (in this case, nobody): "if you don't have access to the key ring of the PHP user, contact your system administrator" (from an article).

in any case, below is the script i'm trying to run, along with the error output it generates.

le script:
<?php
$gpg = '/usr/bin/gpg';
$recipient = 'yo@mama.com'; //already generated a key for this in cPanel
$secret_file = 'supersecret.txt';
$key_dir = '/nfs/home/X'; //let X=my username on lunarpages

$shellreturn = shell_exec("$gpg -e --homedir $key_dir --no-secmem-warning -r $recipient $secret_file 2>&1");
echo $shellreturn;
?>

le error:
gpg: WARNING: unsafe ownership on homedir "/nfs/home/X"
gpg: error creating keyring `/nfs/home/X/secring.gpg': Permission denied
gpg: keyblock resource `/nfs/home/X/secring.gpg': file open error
gpg: error creating keyring `/nfs/home/X/pubring.gpg': Permission denied
gpg: keyblock resource `/nfs/home/X/pubring.gpg': file open error
gpg: yo@mama.com: skipped: public key not found
gpg: supersecret.txt: encryption failed: public key not found

it worries me that i have to run gpg with the --no-secmem-warning option to avoid an error message, but should it worry me?

thx for reading
Christian_
« Reply #1 on: May 18, 2004, 06:52:02 AM »

Try Solving this with
chmod it to 755 and owned by <httpd user> //example "apache"
drwx------    3 apache   apache************************

mods
yocompia
« Reply #2 on: May 18, 2004, 07:31:18 AM »

just to let anyone else with the same problem know: i've managed a work-around for this problem. it's along the same lines as what modsiw suggested:

1) the correct --homedir option is to the directory /nfs/home/<lunarpages login>/.gnupg
2) PHP scripts run as user "nobody"
3) you can't change directory ownership yourself (no chown access through FTP); ideally, i would change the ownership on my homedir to the user nobody w/ permissions 755 (as suggested)
4) i'm to understand that gpg is lacking "full" security unless the memory pages it uses for temporary files are locked; this amounts to gpg having to run as setuid root, which, AFAIK, it does not on lunarpages servers

i'll determine if gpg is running setuid root and post back about that, just for the sake of being pedagogical.

thx for the reply, modsiw.
slash32
« Reply #3 on: May 21, 2004, 06:37:50 PM »

setuid root = evil!!!

Blah, blah, blah, enough said...
pheared
« Reply #4 on: May 23, 2004, 05:14:41 PM »

Setuid root is necessary for gpg to be able to lock memory pages.  This prevents the OS from writing the pages to disk, which would be bad for unencrypted, but soon to be encrypted, data.

tony13
« Reply #5 on: January 05, 2008, 08:59:53 AM »

How can the permissions be changed? And on what files exactly?
« Last Edit: January 05, 2008, 03:50:00 PM by yup » Logged
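
An added example, not part of any post in this thread and not Lunarpages tooling: a shell function that classifies a directory passed to --homedir in the terms of the "unsafe ownership" warning quoted above. It assumes gpg's rule that the home directory must be a directory owned by the user gpg runs as, with no group or other permission bits; the function name and result strings are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify a GnuPG home directory
# using the rule gpg applies before trusting it: it must be a directory,
# owned by the user gpg runs as, with no group/other permission bits.
#
# usage: check_gpg_homedir DIR [UID]
#   DIR  directory that would be passed to gpg --homedir
#   UID  numeric uid of the process that runs gpg (default: current user);
#        pass the web server user's uid to test on its behalf
check_gpg_homedir() {
    dir=$1
    run_uid=${2:-$(id -u)}

    if [ ! -d "$dir" ]; then
        echo "missing"
        return 1
    fi

    # "ls -ldn DIR/." prints the numeric owner and the mode string of the
    # directory itself (the trailing /. resolves a symlinked homedir).
    # Characters 5-10 of the mode string are the group and other bits.
    info=$(ls -ldn -- "$dir/." | awk '{ print substr($1, 5, 6), $3 }')
    group_other=${info% *}
    owner=${info#* }

    if [ "$owner" != "$run_uid" ]; then
        echo "unsafe-ownership"     # gpg: WARNING: unsafe ownership on homedir
        return 2
    fi
    if [ "$group_other" != "------" ]; then
        echo "unsafe-permissions"   # mode 755 lands here; gpg wants 700
        return 3
    fi
    echo "ok"
}

# Demonstration on a constructed temporary directory.
demo=$(mktemp -d)
chmod 755 "$demo"
echo "mode 755: $(check_gpg_homedir "$demo" || true)"
chmod 700 "$demo"
echo "mode 700: $(check_gpg_homedir "$demo" || true)"
echo "other uid: $(check_gpg_homedir "$demo" $(( $(id -u) + 1 )) || true)"
rm -rf "$demo"
```

When PHP runs as a different account than the one that owns the keyring (nobody in this thread), pass that account's numeric uid as the second argument to see what gpg would report when started by the web server.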