Posted March 31st, 2003, 02:57 PM by michaelsanford (Psycholinguist; Ottawa/Montréal; joined Oct 2002)
[FAQ] - PGP 8.0 Keychain vulnerability on Mac OS X

http://www.pgp.com/products/macintosh/

This applies to PGP 8.0 for Mac OS X 10.2.x; perhaps this issue will be resolved in future releases (I've brought it to the attention of PGP staff) but for the moment, you should verify this yourself.

The default installation of PGP 8.0 will make the following folder with the following properties to store your keychains (public and private):
drwxr-xr-x ~/Documents/PGP/

As you can see, this is terribly dangerous. Any FTP or shell account user who is improperly chroot()ed will have complete access to your private keychain, and can read or replace it at will.

To solve this issue:
Code:
[amras:~]% cd ~/Documents
[amras:~/Documents]% mv PGP ~/Library/
[amras:~/Documents]% cd ~/Library
[amras:~/Library]% chmod og-rx PGP
[amras:~/Library]% ls -la | grep PGP
drwx------    5 amras  staff     170 Mar 29 16:49 PGP

[amras:~/Library]% chmod og-rx PGP/*
[amras:~/Library]% ls -la PGP
-rw-------   1 amras  staff  1306 Mar 29 16:52 PGP Private Keyring.skr
-rw-------   1 amras  staff  1178 Mar 29 16:52 PGP Public Keyring.pkr
This will secure your keyring folder twofold: it will no longer be in the default location, and the folder and keyrings will be readable only by your user. Just remember to change your keyring folder in PGPkeys...

Of course the most secure way to store your keychain is to move it to removable media (like a flash drive or a CD-R), and keep the media in a safe.
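The "verify this yourself" step above can be scripted. The following is an added example, not part of the original post and not PGP's own tooling: a small POSIX shell audit that reads the mode string of a keyring directory and every file in it (via `ls -ld`, which works the same on Mac OS X and Linux) and reports any entry that grants group or other users read, write or execute access. The `lock_keyring_perms` function applies the same `chmod` fix the post describes (`go-rwx`, which also clears any write bit). The directory path and the sample keyring files in the demo are constructed under a temporary directory for illustration; on a real system you would point `check_keyring_perms` at `~/Documents/PGP` or wherever PGPkeys is configured to look.

```shell
#!/bin/sh
# Audit a PGP keyring directory for group/other access.
# check_keyring_perms DIR: returns 0 when DIR and every entry inside it are
# accessible only by their owner, 1 when any entry is exposed (offending paths
# are printed), 2 when DIR does not exist.
check_keyring_perms() {
    dir=$1
    rc=0
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    for p in "$dir" "$dir"/*; do
        [ -e "$p" ] || continue                 # empty glob stays literal; skip it
        # Characters 5-10 of the ls mode string are the group and other bits,
        # e.g. "drwxr-xr-x" -> "r-xr-x", "drwx------" -> "------".
        mode=$(ls -ld "$p" | cut -c5-10)
        case $mode in
            ------) ;;                          # owner-only: fine
            *) echo "group/other access on: $p (go=$mode)"; rc=1 ;;
        esac
    done
    return $rc
}

# lock_keyring_perms DIR: strip all group/other bits from DIR and its contents,
# then re-run the audit so the caller gets a verified result.
lock_keyring_perms() {
    chmod go-rwx "$1" "$1"/* 2>/dev/null
    check_keyring_perms "$1" >/dev/null
}

# make_sample_keyring_dir: build a constructed keyring folder with the
# vulnerable default modes (dir 755, keyrings 644) and print its path.
make_sample_keyring_dir() {
    tmp=$(mktemp -d)
    mkdir "$tmp/PGP" && chmod 755 "$tmp/PGP"
    for f in "PGP Private Keyring.skr" "PGP Public Keyring.pkr"; do
        printf 'constructed sample, not a real keyring\n' > "$tmp/PGP/$f"
        chmod 644 "$tmp/PGP/$f"
    done
    echo "$tmp/PGP"
}

# Demo: audit the constructed folder, lock it down, audit again.
demo() {
    d=$(make_sample_keyring_dir)
    if check_keyring_perms "$d"; then echo "SECURE: $d"; else echo "EXPOSED: $d"; fi
    lock_keyring_perms "$d" && echo "locked down"
    check_keyring_perms "$d" && echo "SECURE: $d"
    rm -rf "$(dirname "$d")"
}
```

Run `demo` to see the audit fail on the default layout and pass after the fix; `check_keyring_perms` alone is safe to run from a cron job or login script, since it only reads metadata and never changes anything.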