Hi Klaus. I found a permission issue in pkcsslotd when I ran tpmtoken_init. XPL_FILE (/tmp/.pkapi_xpk) is owned by root:root (root:wheel on FreeBSD), and its permission is 0755 (assuming umask 022).
So a non-root user can't open(XPL_FILE,O_CREAT|O_RDWR,S_IRWXU|S_IRWXG|S_IRWXO); in usr/lib/pkcs11/api/apiutil.c, and tpmtoken_init always fails. I made a patch to fix this issue, but it's ad hoc, because pkcsslotd doesn't have a set_perm() function. I think this fix should use set_perm().

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
--- opencryptoki-2.3.2/usr/sbin/pkcsslotd/mutex.c.orig	2010-07-29 21:28:41.000000000 +0900
+++ opencryptoki-2.3.2/usr/sbin/pkcsslotd/mutex.c	2011-01-02 17:25:09.656672444 +0900
@@ -315,7 +315,7 @@
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <fcntl.h>
-#include <sys/file.h>
+#include <grp.h>
 static int xplfd=-1;
 #endif
@@ -349,6 +349,13 @@
 #elif (SPINXPL)
 xplfd = open (XPL_FILE,O_CREAT|O_RDWR,S_IRWXU|S_IRWXG|S_IRWXO);
+ {
+ struct group *grp;
+ fchmod(xplfd,S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH);
+ grp = getgrnam("pkcs11");
+ if (grp)
+ fchown(xplfd,getuid(),grp->gr_gid);
+ }
 #elif (SYSVSEM)
 #error "Caveat Emptor... this does not work"
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Thank you.
-- 
Norikatsu Shigemura <n...@freebsd.org>
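Review bot: in the first hunk (`@@ -315,7 +315,7 @@`), `#include <sys/file.h>` is replaced by `#include <grp.h>` rather than keeping both; if anything in this SPINXPL block still relies on a declaration from sys/file.h (flock() is the usual one), the build will break on platforms where that header is not pulled in transitively. Keep `#include <sys/file.h>` and add `#include <grp.h>` next to it; the fchown() and getuid() calls introduced in the second hunk also need <unistd.h>, which does not appear in the visible context.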
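Review bot: in the second hunk (`@@ -349,6 +349,13 @@`), the new block never checks that open() succeeded, so after a failed open fchmod() and fchown() run on xplfd == -1, and since neither return value is checked, a missing pkcs11 group or a refused fchown() leaves the file in exactly the state the report describes with no diagnostic. Creating with S_IRWXU|S_IRWXG|S_IRWXO and tightening afterwards also leaves a window in which the file carries wider bits than intended; pass the final mode to open() and use fchmod() only to undo umask, e.g. `if (xplfd < 0) { /* log strerror(errno) and bail */ }` followed by `if (fchmod(xplfd, ...) < 0 || !grp || fchown(xplfd, (uid_t)-1, grp->gr_gid) < 0) { /* log and bail */ }`. Passing (uid_t)-1 instead of getuid() keeps the current owner, which is what is wanted here.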
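Added example, not code from the report or from opencryptoki: one way a daemon like pkcsslotd could create the shared lock file so that non-root members of a group can open it read-write, without the interval of wider permissions and without silently ignoring failures. The path, the group name ("pkcs11") and the 0660 mode are assumptions; example_check() exercises it on a throwaway file under /tmp with a group name chosen not to exist.

```c
#define _POSIX_C_SOURCE 200809L
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <grp.h>
#include <unistd.h>
#include <errno.h>
#include <stdio.h>

#define XPL_MODE (S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP)   /* 0660 (assumed) */

/* Open, creating if needed, the shared lock file so that members of `group`
 * can use it read-write.  Returns an open fd, or -1 with errno set. */
int open_shared_xpl(const char *path, const char *group)
{
    struct stat st;
    struct group *grp;
    /* Give open() the final mode: the file never exists with wider bits, so no
     * window between open() and fchmod().  O_NOFOLLOW refuses a symlink planted
     * at the path; O_CLOEXEC keeps the fd out of child processes. */
    int fd = open(path, O_CREAT | O_RDWR | O_NOFOLLOW | O_CLOEXEC, XPL_MODE);
    if (fd < 0) return -1;
    /* Only touch permissions of a regular file we own (a pre-existing file
     * left there by someone else is refused, not silently re-owned). */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) { close(fd); errno = EPERM; return -1; }
    /* umask may have narrowed the creation mode (022 gives 0640): set it exactly. */
    if (fchmod(fd, XPL_MODE) < 0) { close(fd); return -1; }
    /* Hand the file to the PKCS#11 group when it exists; the owner stays unchanged. */
    grp = getgrnam(group);
    if (grp && st.st_gid != grp->gr_gid &&
        fchown(fd, (uid_t)-1, grp->gr_gid) < 0) { close(fd); return -1; }
    return fd;
}

/* Exercise open_shared_xpl() on a throwaway file under /tmp with a group name
 * chosen not to exist; returns the resulting permission bits (0660) or -1. */
int example_check(void)
{
    char path[64];
    struct stat st;
    int fd, bits = -1;
    snprintf(path, sizeof path, "/tmp/.pkapi_xpk_example_%ld", (long)getpid());
    fd = open_shared_xpl(path, "no_such_group_example");
    if (fd >= 0 && fstat(fd, &st) == 0)
        bits = (int)(st.st_mode & 07777);
    if (fd >= 0) close(fd);
    unlink(path);
    return bits;
}
```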