On Mon, 2014-12-08 at 13:53 -0800, Robert Relyea wrote:
> Nothing in the above paragraph is true.
>
> opening
> 1) sql:/etc/pki/nssdb is *STILL* the recommended action for applications
> (whether or not nssysinit is installed), and

"Recommended" in the sense of "do as I say, not as I do", of course :)
Without nsssysinit, using sql:/etc/pki/nssdb gives you a read-only
database, which isn't acceptable for most applications. Hence the logic
in Evolution which is:

    if /etc/pki/nssdb/pkcs11.txt contains 'library=libnsssysinit.so'
    then
        open sql:/etc/pki/nssdb
    else
        open sql:$HOME/.pki/nssdb

That logic is *horrid*, and I really didn't want it. But when I asked
about it here, no better suggestions were forthcoming. Now I wish I'd
just given up on the Shared System Database sooner, since p11-kit-trust
fixes it *properly* anyway.
Other applications just don't use /etc/pki/nssdb at all. What are the
major NSS-using applications?
- Chrome uses sql:$HOME/.pki/nssdb and not /etc/pki/nssdb.
- Firefox is even worse and uses a *private* database.
- Thunderbird (IIRC) is the same as Firefox. Except a *different*
private database, of course.
Did I miss any that actually *do* use sql:/etc/pki/nssdb according to
the recommendation?

> 2) whatever the recommendation, pam_pkcs11 still used /etc/pki/nssdb
> (by default, always), not /etc/pams_pkcs11/nssdb. (It never has used).

Ah yes, the Fedora default pam_pkcs11.conf does indeed set
nss_dir=/etc/pki/nssdb (*not* sql:/etc/pki/nssdb, which is presumably a
bug).
But if there is no such setting in the config file, the default is
/etc/pam_pkcs11/nssdb. Or strictly speaking, CONFDIR "/nssdb" as set at
line 62 of src/pam_pkcs11/pam_config.c.
--
dwmw2
-- dev-tech-crypto mailing list [email protected] https://lists.mozilla.org/listinfo/dev-tech-crypto
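
The database-selection check described in the message above, written out as an added example (not Evolution's code and not part of the original post). It assumes pkcs11.txt is a list of key=value lines and matches only an exact library= entry, which is stricter than the "contains" test in the message; the function names and the sample file contents are constructed for illustration.

```python
import os

SYSINIT_LIB = "libnsssysinit.so"  # library name quoted in the message

# Constructed sample pkcs11.txt contents (illustrative, not from a real system).
SAMPLE_WITH_SYSINIT = (
    "library=libnsssysinit.so\n"
    "name=NSS Internal PKCS #11 Module\n"
    "NSS=Flags=internal,moduleDBOnly,critical\n"
)
SAMPLE_WITHOUT_SYSINIT = (
    "library=\n"
    "name=NSS Internal PKCS #11 Module\n"
    "parameters=mentions library=libnsssysinit.so but is not a library line\n"
)


def module_libraries(pkcs11_txt):
    """Return the value of every library= line in a pkcs11.txt file."""
    libs = []
    try:
        with open(pkcs11_txt, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                key, sep, value = line.strip().partition("=")
                if sep and key.strip().lower() == "library":
                    libs.append(value.strip())
    except OSError:
        pass  # missing or unreadable file: treated as "no sysinit module"
    return libs


def choose_nss_db(system_dir="/etc/pki/nssdb", home=None):
    """Pick the NSS database spec using the logic described in the message."""
    home = home or os.path.expanduser("~")
    if SYSINIT_LIB in module_libraries(os.path.join(system_dir, "pkcs11.txt")):
        return "sql:" + system_dir  # sysinit module is listed in pkcs11.txt
    return "sql:" + os.path.join(home, ".pki", "nssdb")  # per-user fallback


if __name__ == "__main__":
    print(choose_nss_db())
```

A plain substring test would also select the system database for the second sample, because the string appears inside its parameters= line.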

