On 2012-06-23 Phil Pennock <[email protected]> wrote:
> On 2012-06-23 at 09:07 +0200, Andreas Metzler wrote:
> > After the GnuTLS revamp it looks like PKCS#11 modules are
> > suddenly (unnecessarily) autoloaded and fail due to SUID:

> Note: the problem here isn't suid itself, but that environment variables
> passed through are no longer valid.

> If you find the two calls to gnutls_global_init() in tls-gnu.c and
> before them insert:

>   rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
> and one of:
>   exim_gnutls_err_check(US"gnutls_pkcs11_init");
>   validate_check_rc(US"gnutls_pkcs11_init");
> (it should be obvious which goes where, just stay consistent)

> then does that fix the problem?
[...]

It does, thank you for the fix and explanation.

cu andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

Description: Disable autoloading of PKCS#11 modules.
Author: Phil Pennock <[email protected]>
Origin: upstream
Bug-Debian: http://bugs.debian.org/678238
Forwarded: http://article.gmane.org/gmane.mail.exim.devel/5732
Last-Update: 2012-06-23

Index: b/src/tls-gnu.c
===================================================================
--- a/src/tls-gnu.c	2012-06-23 18:17:41.000000000 +0200
+++ b/src/tls-gnu.c	2012-06-23 18:18:31.000000000 +0200
@@ -39,6 +39,8 @@ require current GnuTLS, then we'll drop
 #include <gnutls/x509.h>
 /* man-page is incorrect, gnutls_rnd() is not in gnutls.h: */
 #include <gnutls/crypto.h>
+/* needed for gnutls_pkcs11_init */
+#include <gnutls/pkcs11.h>
 
 /* GnuTLS 2 vs 3
 
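Review bot: the new `#include <gnutls/pkcs11.h>` is unconditional, while the comment immediately below it ("GnuTLS 2 vs 3") shows this file is still built against more than one GnuTLS generation; the PKCS#11 API only exists from GnuTLS 2.12 onwards, so builds against older 2.x releases will now stop at the preprocessor. Either record the raised minimum version in the comment block this hunk sits in (the one that says "require current GnuTLS, then we'll drop") or guard the include and the two gnutls_pkcs11_init() calls with a GNUTLS_VERSION_NUMBER check.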
@@ -910,6 +912,8 @@ if (!exim_gnutls_base_init_done)
   {
   DEBUG(D_tls) debug_printf("GnuTLS global init required.\n");
 
+  rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
+  exim_gnutls_err_check(US"gnutls_pkcs11_init");
   rc = gnutls_global_init();
   exim_gnutls_err_check(US"gnutls_global_init");
 
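Review bot: the two added lines carry no comment saying why manual mode is selected, and the reason is not recoverable from the code alone: the thread above explains that auto-loaded PKCS#11 modules fail in the setuid Exim binary because the environment they rely on is no longer trusted, and the Debian header cites #678238. A one-line comment before the call, e.g. `/* Do not auto-load PKCS#11 modules: Exim is setuid and the environment is untrusted (Debian #678238) */`, would stop a later cleanup from "restoring" GNUTLS_PKCS11_FLAG_AUTO. The debug_printf just above could also mention that PKCS#11 is initialised in manual mode, since that is the one non-default choice made here.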
@@ -1942,6 +1946,8 @@ if (exim_gnutls_base_init_done)
   log_write(0, LOG_MAIN|LOG_PANIC,
       "already initialised GnuTLS, Exim developer bug");
 
+rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
+validate_check_rc(US"gnutls_pkcs11_init");
 rc = gnutls_global_init();
 validate_check_rc(US"gnutls_global_init()");
 exim_gnutls_base_init_done = TRUE;
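Review bot: the init sequence is now copy-pasted into two call sites, and the label strings already drift: this hunk checks `US"gnutls_pkcs11_init"` next to the pre-existing `US"gnutls_global_init()"`, while the earlier hunk pairs it with `US"gnutls_global_init"` without parentheses. Consider moving the gnutls_pkcs11_init() + gnutls_global_init() pair into one small helper used by both sites (together with the exim_gnutls_base_init_done bookkeeping), so the GNUTLS_PKCS11_FLAG_MANUAL choice cannot be changed in one place and not the other; failing that, make the label strings consistent.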
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim 
details at http://www.exim.org/ ##
