Hi Klaus.
I found a permission issue on pkcsslotd, when I did tpmtoken_init.
XPL_FILE (/tmp/.pkapi_xpk) is owned by root:root (root:wheel on
FreeBSD), and its permission is 0755 (assume as umask 022).
So non-root user can't
open(XPL_FILE,O_CREAT|O_RDWR,S_IRWXU|S_IRWXG|S_IRWXO);
at usr/lib/pkcs11/api/apiutil.c. And tpmtoken_init is always failed.
I made a patch to fix this issue. But it's adhoc. Because pkcsslotd
doesn't have set_perm() function. I think that his fix should be used
set_perm().
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
--- opencryptoki-2.3.2/usr/sbin/pkcsslotd/mutex.c.orig 2010-07-29
21:28:41.000000000 +0900
+++ opencryptoki-2.3.2/usr/sbin/pkcsslotd/mutex.c 2011-01-02
17:25:09.656672444 +0900
@@ -315,7 +315,7 @@
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
-#include <sys/file.h>
+#include <grp.h>
static int xplfd=-1;
#endif
@@ -349,6 +349,13 @@
#elif (SPINXPL)
xplfd = open (XPL_FILE,O_CREAT|O_RDWR,S_IRWXU|S_IRWXG|S_IRWXO);
+ {
+ struct group *grp;
+ fchmod(xplfd,S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH);
+ grp = getgrnam("pkcs11");
+ if (grp)
+ fchown(xplfd,getuid(),grp->gr_gid);
+ }
#elif (SYSVSEM)
#error "Caveat Emptor... this does not work"
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Thank you.
--
Norikatsu Shigemura <n...@freebsd.org>
------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers
to consolidate database storage, standardize their database environment, and,
should the need arise, upgrade to a full multi-node Oracle RAC database
without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl
_______________________________________________
Opencryptoki-tech mailing list
Opencryptoki-tech@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/opencryptoki-tech
