Acknowledgement sent
to Marga Manterola <marga@google.com>:
New Bug report received and forwarded. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>.
(Fri, 21 Apr 2017 14:51:04 GMT) (full text, mbox, link).
Package: libp11-kit0
Version: 0.23.3-2
Severity: important
In my setup I have opencryptoki installed (because it's a dependency of
tpm-tools, not because I actually need opencryptoki). This means that the
/etc/pkcs11 directory looks like this:
$ ls -ld /etc/pkcs11 /etc/pkcs11/
lrwxrwxrwx 1 root root 21 Jan 3 14:14 /etc/pkcs11 ->
/var/lib/opencryptoki
drwxrwx--- 8 root pkcs11 4096 Apr 21 10:33 /etc/pkcs11/
I also have an apt configuration that is pointing apt to use a pkcs11
provider.
When doing the actual https run, apt runs with the user "_apt" and group
"nogroup". This means that apt has no permission to access the /etc/pkcs11
directory as shipped by opencryptoki.
So, this happens:
p11-kit: couldn't open config file: /etc/pkcs11/pkcs11.conf: Permission
denied
The workaround is to change the permissions of the directory to add world
execution:
sudo chmod o+x /etc/pkcs11
While this is ok as a workaround, it seems rather silly that libp11-kit
works fine when the file doesn't exist (there's no pkcs11.conf inside
/etc/pkcs11), but not when it can't access it. This is rooted in this line:
http://sources.debian.net/src/p11-kit/0.23.3-2/p11-kit/conf.c/?hl=201#L220
config = _p11_conf_parse_file (system_conf, NULL, CONF_IGNORE_MISSING);
Making this change would fix the issue:
config = _p11_conf_parse_file (system_conf, NULL, CONF_IGNORE_MISSING |
CONF_IGNORE_ACCESS_DENIED);
--
Cheers,
Marga
Acknowledgement sent
to Andreas Metzler <ametzler@bebt.de>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>.
(Fri, 21 Apr 2017 17:12:12 GMT) (full text, mbox, link).
To: Marga Manterola <marga@google.com>, 860903@bugs.debian.org
Subject: Re: Bug#860903: Current setup causes breakage when trying to use apt
with pkcs11
Date: Fri, 21 Apr 2017 19:10:48 +0200
On 2017-04-21 Marga Manterola <marga@google.com> wrote:
> Package: libp11-kit0
> Version: 0.23.3-2
> Severity: important
> In my setup I have opencryptoki installed (because it's a dependency of
> tpm-tools, not because I actually need opencryptoki). This means that the
> /etc/pkcs11 directory looks like this:
> $ ls -ld /etc/pkcs11 /etc/pkcs11/
> lrwxrwxrwx 1 root root 21 Jan 3 14:14 /etc/pkcs11 ->
> /var/lib/opencryptoki
> drwxrwx--- 8 root pkcs11 4096 Apr 21 10:33 /etc/pkcs11/
[...]
Hello,
Isn't this where the actual breakage is located? Afaik /etc should
contain configuration files, not symlinks to unreadable empty
directories. O are there special mitigating circumstances?
cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
Acknowledgement sent
to Marga Manterola <marga@google.com>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>.
(Fri, 21 Apr 2017 17:33:05 GMT) (full text, mbox, link).
Hi,
On Fri, Apr 21, 2017 at 7:10 PM Andreas Metzler <ametzler@bebt.de> wrote:
> > In my setup I have opencryptoki installed (because it's a dependency of
> > tpm-tools, not because I actually need opencryptoki). This means that
> the
> > /etc/pkcs11 directory looks like this:
>
> > $ ls -ld /etc/pkcs11 /etc/pkcs11/
> > lrwxrwxrwx 1 root root 21 Jan 3 14:14 /etc/pkcs11 ->
> > /var/lib/opencryptoki
> > drwxrwx--- 8 root pkcs11 4096 Apr 21 10:33 /etc/pkcs11/
> [...]
>
> Isn't this where the actual breakage is located? Afaik /etc should
> contain configuration files, not symlinks to unreadable empty
> directories. O are there special mitigating circumstances?
>
This is how the opencryptoki package is shipped:
http://sources.debian.net/src/opencryptoki/2.3.1%2Bdfsg-3/usr/lib/pkcs11/api/Makefile.am/?hl=47#L47
To be honest, I'm not sure if this is breaking policy or not.
https://www.debian.org/doc/debian-policy/ch-files.html#s-config-files seems
to say that symlinking is not ideal but possible. Doesn't talk about the
permissions. It *is* possible to have files in /etc/ that are not world
readable
Regardless of this, I see no reason why p11-kit should be ok with the file
not existing but not ok with it not being readable by the current process.
--
Cheers,
Marga
Acknowledgement sent
to Andreas Metzler <ametzler@bebt.de>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>.
(Fri, 21 Apr 2017 17:39:05 GMT) (full text, mbox, link).
Subject: Re: Bug#860903: Current setup causes breakage when trying to use apt
with pkcs11
Date: Fri, 21 Apr 2017 19:36:45 +0200
On 2017-04-21 Marga Manterola <marga@google.com> wrote:
> On Fri, Apr 21, 2017 at 7:10 PM Andreas Metzler <ametzler@bebt.de> wrote:
[...]
>>> /etc/pkcs11 directory looks like this:
>>> $ ls -ld /etc/pkcs11 /etc/pkcs11/
>>> lrwxrwxrwx 1 root root 21 Jan 3 14:14 /etc/pkcs11 ->
>>> /var/lib/opencryptoki
>>> drwxrwx--- 8 root pkcs11 4096 Apr 21 10:33 /etc/pkcs11/
[...]
>> Isn't this where the actual breakage is located? Afaik /etc should
>> contain configuration files, not symlinks to unreadable empty
>> directories. O are there special mitigating circumstances?
> This is how the opencryptoki package is shipped:
> http://sources.debian.net/src/opencryptoki/2.3.1%2Bdfsg-3/usr/lib/pkcs11/api/Makefile.am/?hl=47#L47
I know, I doublechecked, I was wondering about your opinion. ;-)
> To be honest, I'm not sure if this is breaking policy or not.
> https://www.debian.org/doc/debian-policy/ch-files.html#s-config-files seems
> to say that symlinking is not ideal but possible. Doesn't talk about the
> permissions. It *is* possible to have files in /etc/ that are not world
> readable
Policy allows symlinks pointing *to* files in /etc as workaround, not
the other way round.
> Regardless of this, I see no reason why p11-kit should be ok with the file
> not existing but not ok with it not being readable by the current process.
I will forward upstream.
cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
Source: p11-kit
Source-Version: 0.23.7-2
We believe that the bug you reported is fixed in the latest version of
p11-kit, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 860903@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Metzler <ametzler@debian.org> (supplier of updated p11-kit package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 01 Jul 2017 13:40:07 +0200
Source: p11-kit
Binary: libp11-kit-dev libp11-kit0 p11-kit p11-kit-modules
Architecture: source
Version: 0.23.7-2
Distribution: unstable
Urgency: low
Maintainer: Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>
Changed-By: Andreas Metzler <ametzler@debian.org>
Closes: 860903
Description:
libp11-kit0 - library for loading and coordinating access to PKCS#11 modules -
libp11-kit-dev - library for loading and coordinating access to PKCS#11 modules -
p11-kit-modules - p11-glue proxy and trust modules
p11-kit - p11-glue utilities
Changes:
p11-kit (0.23.7-2) unstable; urgency=low
.
* libp11-kit0: Add Breaks: opencryptoki (<= 3.6.1+dfsg-1) to enforce upgrade
of opencryptoki to a version without /etc/pkcs11 symlink to private
directory. Closes: #860903
* p11-kit-extract-trust was renamed to trust-extract-compat in 0.19.4, fix
debian/p11-kit.examples.
* Upload to unstable.
Checksums-Sha1:
064892bd5fd21678099234a1af17e055a912fb37 2452 p11-kit_0.23.7-2.dsc
b88a1eceb42715ea609affcd5e3bee68dadd70b9 20900 p11-kit_0.23.7-2.debian.tar.xz
Checksums-Sha256:
4e6f3d78be14193cfd88004ce4285fa78d610a42ded7cda253a0508b44b2087a 2452 p11-kit_0.23.7-2.dsc
d6339f2c62a4edbd0b002a6f1accebfa975da62e279c61c77ecbaa477995663a 20900 p11-kit_0.23.7-2.debian.tar.xz
Files:
21d25b1cc23171f73901458c6ab6f46d 2452 libs extra p11-kit_0.23.7-2.dsc
c5c8de87916572764224db77fdf4d109 20900 libs extra p11-kit_0.23.7-2.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEE0uCSA5741Jbt9PpepU8BhUOCFIQFAllXlJ8ACgkQpU8BhUOC
FIR29xAAiyUq3MyPcYNw49osxJaIvQ6FfSk1qTYxChyJwzEwCBzn/9F97EeTgAyM
2PgFaP/AU7eTVe3bQbhQ3bpaTYJbRUAKWXH89pEeVvYyjGFFtnNpNObkjePlo63i
1ckhfy10Agz2bUFOzEEwbK0L4oy1+7FUsD7XE0FZRcWv0Uav33Ik1WwJISChEfo6
dIIpQFhJIYxuLYw8fIiDPQSg690RmFB3ndm67OE6z/BM+s/1EvizBSYeaDe7XJQr
CrYflaFHSU/hLjuOGJdPR7qfeUXphsbNnCD4boyh0gUHbYh6CtKY5CaBSypWi/Fy
gUsNH/a00c4TOo9O2rtv9pZolxqCsQeMLSsnsHvGEonrd5qhooWIsVLD6Jk0QjYE
eJVaHgCmlIjPyXAh6YxIv92yNrpxffkfa7Ze95/TOCB58WssPA/2ZqxEKvX/+YU+
g5McWQvwWyy7N3OXfQdGDrPWUGwkYFsNmYTsCakG5GQyvkNE6tfuzxlfXg/6xScG
DT1A5aDzBpqpttEKreCgQmqOAIsoAEeiJVSz7Jw4JzpALZyGnDqqZV17UpFzn1J5
4YAhonLOHK/l7aQqAyCiqCa8i67+msCrOSzuSm0vWQSP7QKjS/DIK1GWuJbuevKF
LB/C9uKrmKI1egvqOj9mzpr82/8BpbqRNd8UQYAo0dr137q5wbY=
=2Rx8
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 05 Jun 2019 07:28:31 GMT) (full text, mbox, link).
Debbugs is free software and licensed under the terms of the GNU General
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.