Debian Bug report logs - #860903
Current setup causes breakage when trying to use apt with pkcs11


Package: libp11-kit0; Maintainer for libp11-kit0 is Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>; Source for libp11-kit0 is src:p11-kit.

Reported by: Marga Manterola <marga@google.com>

Date: Fri, 21 Apr 2017 14:51:01 UTC

Severity: important

Found in version p11-kit/0.23.3-2

Fixed in version p11-kit/0.23.7-2

Done: Andreas Metzler <ametzler@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://lists.freedesktop.org/archives/p11-glue/2017-April/000656.html



Report forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#860903; Package libp11-kit0. (Fri, 21 Apr 2017 14:51:04 GMT) (full text, mbox, link).


Acknowledgement sent to Marga Manterola <marga@google.com>:
New Bug report received and forwarded. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Fri, 21 Apr 2017 14:51:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Marga Manterola <marga@google.com>
To: "submit@bugs.debian.org" <submit@bugs.debian.org>
Subject: Current setup causes breakage when trying to use apt with pkcs11
Date: Fri, 21 Apr 2017 14:48:44 +0000
Package: libp11-kit0
Version: 0.23.3-2
Severity: important

In my setup I have opencryptoki installed (because it's a dependency of
tpm-tools, not because I actually need opencryptoki).  This means that the
/etc/pkcs11 directory looks like this:

$ ls -ld /etc/pkcs11 /etc/pkcs11/
lrwxrwxrwx 1 root root     21 Jan  3 14:14 /etc/pkcs11 ->
/var/lib/opencryptoki
drwxrwx--- 8 root pkcs11 4096 Apr 21 10:33 /etc/pkcs11/

I also have an apt configuration that is pointing apt to use a pkcs11
provider.

When doing the actual https run, apt runs with the user "_apt" and group
"nogroup". This means that apt has no permission to access the /etc/pkcs11
directory as shipped by opencryptoki.

So, this happens:
p11-kit: couldn't open config file: /etc/pkcs11/pkcs11.conf: Permission
denied

The workaround is to change the permissions of the directory to add world
execution:
sudo chmod o+x /etc/pkcs11

While this is ok as a workaround, it seems rather silly that libp11-kit
works fine when the file doesn't exist (there's no pkcs11.conf inside
/etc/pkcs11), but not when it can't access it.  This is rooted in this line:

http://sources.debian.net/src/p11-kit/0.23.3-2/p11-kit/conf.c/?hl=201#L220
config = _p11_conf_parse_file (system_conf, NULL, CONF_IGNORE_MISSING);

Making this change would fix the issue:
config = _p11_conf_parse_file (system_conf, NULL, CONF_IGNORE_MISSING |
CONF_IGNORE_ACCESS_DENIED);

-- 
Cheers,
Marga
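The distinction the report draws (a missing pkcs11.conf is tolerated, an unreadable one is fatal) comes down to which errno values the loader is willing to treat as "no configuration". The following is an added illustration of the proposed CONF_IGNORE_MISSING / CONF_IGNORE_ACCESS_DENIED semantics, not p11-kit's own code; the flag values, conf_error_action and load_config are assumed names for this sketch.

```c
/* Added example, not p11-kit's own code: a sketch of the config-loading
 * policy the report proposes.  CONF_IGNORE_MISSING, CONF_IGNORE_ACCESS_DENIED,
 * conf_error_action and load_config are names assumed for illustration. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define CONF_IGNORE_MISSING        0x01
#define CONF_IGNORE_ACCESS_DENIED  0x02

enum conf_action { CONF_FAIL, CONF_USE_DEFAULTS };

/* Decide, from the errno of a failed open, whether the caller may carry on
 * with built-in defaults (as if the file were empty) or must fail.
 * In the report, EACCES came from the 0770 directory /etc/pkcs11 -> /var/lib/
 * opencryptoki, which the _apt user cannot traverse; the file itself was absent. */
enum conf_action conf_error_action(int err, int flags)
{
    if (err == ENOENT && (flags & CONF_IGNORE_MISSING))
        return CONF_USE_DEFAULTS;
    if (err == EACCES && (flags & CONF_IGNORE_ACCESS_DENIED))
        return CONF_USE_DEFAULTS;
    return CONF_FAIL;
}

/* Try to open the config file.  Returns 1 if the file could be opened,
 * 0 if the failure is tolerated under 'flags', and -1 on a hard failure
 * (with a message in errbuf).  Parsing the contents is out of scope here. */
int load_config(const char *path, int flags, char *errbuf, size_t errlen)
{
    FILE *fp = fopen(path, "r");
    if (fp != NULL) {
        fclose(fp);
        return 1;
    }
    int err = errno;
    if (conf_error_action(err, flags) == CONF_USE_DEFAULTS)
        return 0;
    snprintf(errbuf, errlen, "couldn't open config file: %s: %s",
             path, strerror(err));
    return -1;
}

int main(void)
{
    char err[256];
    /* Constructed path that does not exist: tolerated only with IGNORE_MISSING. */
    const char *p = "/nonexistent-dir-for-example/pkcs11.conf";
    printf("missing, IGNORE_MISSING: %d\n", load_config(p, CONF_IGNORE_MISSING, err, sizeof err));
    printf("missing, no flags: %d\n", load_config(p, 0, err, sizeof err));
    return 0;
}
```

Whichever flags are chosen, a fallback to defaults on EACCES should at least be logged, since it otherwise hides a permissions mistake like the one in this report.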

Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#860903; Package libp11-kit0. (Fri, 21 Apr 2017 17:12:12 GMT) (full text, mbox, link).


Acknowledgement sent to Andreas Metzler <ametzler@bebt.de>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Fri, 21 Apr 2017 17:12:12 GMT) (full text, mbox, link).


Message #10 received at 860903@bugs.debian.org (full text, mbox, reply):

From: Andreas Metzler <ametzler@bebt.de>
To: Marga Manterola <marga@google.com>, 860903@bugs.debian.org
Subject: Re: Bug#860903: Current setup causes breakage when trying to use apt with pkcs11
Date: Fri, 21 Apr 2017 19:10:48 +0200
On 2017-04-21 Marga Manterola <marga@google.com> wrote:
> Package: libp11-kit0
> Version: 0.23.3-2
> Severity: important

> In my setup I have opencryptoki installed (because it's a dependency of
> tpm-tools, not because I actually need opencryptoki).  This means that the
> /etc/pkcs11 directory looks like this:

> $ ls -ld /etc/pkcs11 /etc/pkcs11/
> lrwxrwxrwx 1 root root     21 Jan  3 14:14 /etc/pkcs11 ->
> /var/lib/opencryptoki
> drwxrwx--- 8 root pkcs11 4096 Apr 21 10:33 /etc/pkcs11/
[...]

Hello,

Isn't this where the actual breakage is located? Afaik /etc should
contain configuration files, not symlinks to unreadable empty
directories. Or are there special mitigating circumstances?

cu Andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#860903; Package libp11-kit0. (Fri, 21 Apr 2017 17:33:05 GMT) (full text, mbox, link).


Acknowledgement sent to Marga Manterola <marga@google.com>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Fri, 21 Apr 2017 17:33:05 GMT) (full text, mbox, link).


Message #15 received at 860903@bugs.debian.org (full text, mbox, reply):

From: Marga Manterola <marga@google.com>
To: Andreas Metzler <ametzler@bebt.de>, 860903@bugs.debian.org
Subject: Re: Bug#860903: Current setup causes breakage when trying to use apt with pkcs11
Date: Fri, 21 Apr 2017 17:28:06 +0000
Hi,

On Fri, Apr 21, 2017 at 7:10 PM Andreas Metzler <ametzler@bebt.de> wrote:

> > In my setup I have opencryptoki installed (because it's a dependency of
> > tpm-tools, not because I actually need opencryptoki).  This means that
> the
> > /etc/pkcs11 directory looks like this:
>
> > $ ls -ld /etc/pkcs11 /etc/pkcs11/
> > lrwxrwxrwx 1 root root     21 Jan  3 14:14 /etc/pkcs11 ->
> > /var/lib/opencryptoki
> > drwxrwx--- 8 root pkcs11 4096 Apr 21 10:33 /etc/pkcs11/
> [...]
>


> Isn't this where the actual breakage is located? Afaik /etc should
> contain configuration files, not symlinks to unreadable empty
> directories. Or are there special mitigating circumstances?
>

This is how the opencryptoki package is shipped:
http://sources.debian.net/src/opencryptoki/2.3.1%2Bdfsg-3/usr/lib/pkcs11/api/Makefile.am/?hl=47#L47

To be honest, I'm not sure if this is breaking policy or not.
https://www.debian.org/doc/debian-policy/ch-files.html#s-config-files seems
to say that symlinking is not ideal but possible.  It doesn't talk about the
permissions. It *is* possible to have files in /etc/ that are not world
readable.

Regardless of this, I see no reason why p11-kit should be ok with the file
not existing but not ok with it not being readable by the current process.

-- 
Cheers,
Marga

Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#860903; Package libp11-kit0. (Fri, 21 Apr 2017 17:39:05 GMT) (full text, mbox, link).


Acknowledgement sent to Andreas Metzler <ametzler@bebt.de>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Fri, 21 Apr 2017 17:39:05 GMT) (full text, mbox, link).


Message #20 received at 860903@bugs.debian.org (full text, mbox, reply):

From: Andreas Metzler <ametzler@bebt.de>
To: Marga Manterola <marga@google.com>
Cc: 860903@bugs.debian.org
Subject: Re: Bug#860903: Current setup causes breakage when trying to use apt with pkcs11
Date: Fri, 21 Apr 2017 19:36:45 +0200
On 2017-04-21 Marga Manterola <marga@google.com> wrote:
> On Fri, Apr 21, 2017 at 7:10 PM Andreas Metzler <ametzler@bebt.de> wrote:
[...]
>>> /etc/pkcs11 directory looks like this:

>>> $ ls -ld /etc/pkcs11 /etc/pkcs11/
>>> lrwxrwxrwx 1 root root     21 Jan  3 14:14 /etc/pkcs11 ->
>>> /var/lib/opencryptoki
>>> drwxrwx--- 8 root pkcs11 4096 Apr 21 10:33 /etc/pkcs11/
[...]



>> Isn't this where the actual breakage is located? Afaik /etc should
>> contain configuration files, not symlinks to unreadable empty
>> directories. Or are there special mitigating circumstances?

> This is how the opencryptoki package is shipped:
> http://sources.debian.net/src/opencryptoki/2.3.1%2Bdfsg-3/usr/lib/pkcs11/api/Makefile.am/?hl=47#L47

I know, I double-checked, I was wondering about your opinion. ;-)

> To be honest, I'm not sure if this is breaking policy or not.
> https://www.debian.org/doc/debian-policy/ch-files.html#s-config-files seems
> to say that symlinking is not ideal but possible.  It doesn't talk about the
> permissions. It *is* possible to have files in /etc/ that are not world
> readable.

Policy allows symlinks pointing *to* files in /etc as workaround, not
the other way round.

> Regardless of this, I see no reason why p11-kit should be ok with the file
> not existing but not ok with it not being readable by the current process.

I will forward upstream.

cu Andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



Set Bug forwarded-to-address to 'https://lists.freedesktop.org/archives/p11-glue/2017-April/000656.html'. Request was from Andreas Metzler <ametzler@debian.org> to control@bugs.debian.org. (Sat, 17 Jun 2017 12:57:03 GMT) (full text, mbox, link).


Reply sent to Andreas Metzler <ametzler@debian.org>:
You have taken responsibility. (Sat, 01 Jul 2017 12:54:11 GMT) (full text, mbox, link).


Notification sent to Marga Manterola <marga@google.com>:
Bug acknowledged by developer. (Sat, 01 Jul 2017 12:54:11 GMT) (full text, mbox, link).


Message #27 received at 860903-close@bugs.debian.org (full text, mbox, reply):

From: Andreas Metzler <ametzler@debian.org>
To: 860903-close@bugs.debian.org
Subject: Bug#860903: fixed in p11-kit 0.23.7-2
Date: Sat, 01 Jul 2017 12:52:06 +0000
Source: p11-kit
Source-Version: 0.23.7-2

We believe that the bug you reported is fixed in the latest version of
p11-kit, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 860903@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Metzler <ametzler@debian.org> (supplier of updated p11-kit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 01 Jul 2017 13:40:07 +0200
Source: p11-kit
Binary: libp11-kit-dev libp11-kit0 p11-kit p11-kit-modules
Architecture: source
Version: 0.23.7-2
Distribution: unstable
Urgency: low
Maintainer: Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>
Changed-By: Andreas Metzler <ametzler@debian.org>
Closes: 860903
Description: 
 libp11-kit0 - library for loading and coordinating access to PKCS#11 modules -
 libp11-kit-dev - library for loading and coordinating access to PKCS#11 modules -
 p11-kit-modules - p11-glue proxy and trust modules
 p11-kit    - p11-glue utilities
Changes:
 p11-kit (0.23.7-2) unstable; urgency=low
 .
   * libp11-kit0: Add Breaks: opencryptoki (<= 3.6.1+dfsg-1) to enforce upgrade
     of opencryptoki to a version without /etc/pkcs11 symlink to private
     directory. Closes: #860903
   * p11-kit-extract-trust was renamed to trust-extract-compat in 0.19.4, fix
     debian/p11-kit.examples.
   * Upload to unstable.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 05 Jun 2019 07:28:31 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Sep 2 15:27:09 2025; Machine Name: berlioz
