** Changed in: ubuntu-z-systems
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1595192

Title:
  OpenCryptoki: change group permission to pkcs11 for all
  /var/lib/opencryptoki token subdirs

Status in Ubuntu on IBM z Systems:
  Fix Released
Status in opencryptoki package in Ubuntu:
  Fix Released
Status in opencryptoki source package in Xenial:
  Fix Released
Status in opencryptoki source package in Yakkety:
  Fix Released

Bug description:
  == Comment: #0 - Christian Rund <christian.r...@de.ibm.com> - 2016-06-20 06:43:40 ==

  Problem description
  ===================
  The ownerships for the token (sub)directories in /var/lib/opencryptoki/
  are set to root,root in the current version of the
  'opencryptoki 3.4.1+dfsg-1ubuntu3 package'. They need to be recursively
  set to root,pkcs11. Especially the TOK_OBJ subdirectories need to have
  pkcs11 group ownership, as the access concept is to permit pkcs11 group
  members to create persistent token objects.

  Console output
  ==============
  strace output of a failing scenario for testuser
  uid=1000(testuser) gid=1000(testuser) groups=1000(testuser),27(sudo),116(pkcs11):

  open("/var/lib/opencryptoki/lite/TOK_OBJ/00000000", O_WRONLY|O_CREAT|O_TRUNC, 0666) = -1 EACCES (Permission denied)
  flock(6, LOCK_UN)                       = 0
  write(1, "Error creating key object: 0x6\n", 31Error creating key object: 0x6

  _________________________________________________________________
  ls -l

  ls -l /var/lib/
  ...
  drwxrwxr-x  8 root pkcs11 4096 Jun 17 14:29 opencryptoki
  ...

  ls -la /var/lib/opencryptoki/
  root@s8314002:/var/lib/opencryptoki# ll
  total 32
  drwxrwxr-x  8 root pkcs11 4096 Jun 20 12:26 ./
  drwxr-xr-x 40 root root   4096 Jun 20 12:26 ../
  drwxr-xr-x  3 root root   4096 Jun 20 12:26 ccatok/
  drwxr-xr-x  3 root root   4096 Jun 20 12:26 ep11tok/
  drwxr-xr-x  2 root root   4096 Apr 13 22:31 icsf/
  drwxr-xr-x  3 root root   4096 Jun 20 12:26 lite/
  drwxr-xr-x  3 root root   4096 Jun 20 12:26 swtok/
  drwxr-xr-x  2 root root   4096 Apr 13 22:31 tpm/

  _________________________________________________________________
  The /var/lib/opencryptoki subdirectory structure is provided by the
  opencryptoki package:

  dpkg -L opencryptoki
  /var/lib/opencryptoki/tpm
  /var/lib/opencryptoki/swtok
  /var/lib/opencryptoki/swtok/TOK_OBJ
  /var/lib/opencryptoki/icsf
  /var/lib/opencryptoki/ep11tok
  /var/lib/opencryptoki/ep11tok/TOK_OBJ
  /var/lib/opencryptoki/ccatok
  /var/lib/opencryptoki/ccatok/TOK_OBJ
  /var/lib/opencryptoki/lite
  /var/lib/opencryptoki/lite/TOK_OBJ

  == Comment: #4 - VINEETHA PISHARATH HARI PAI <vpis...@us.ibm.com> - 2016-06-21 11:16:26 ==

  The issue is described in the problem description.

  Please create
    /var/lib/opencryptoki/
    /var/lib/opencryptoki/<token>        where token=ccatok, ep11tok, icsf, lite, swtok, tpm
    /var/lib/opencryptoki/<token>/TOK_OBJ
  with permissions 770, root ownership and pkcs11 group ownership.

  The directory structure and permissions should look like this:

  :~ # ls -la /var/lib/opencryptoki/
  total 32
  drwxr-xr-x  8 root pkcs11 4096 Jun 13 21:13 .
  drwxr-xr-x 37 root root   4096 Jun 20 21:30 ..
  drwxrwx---  3 root pkcs11 4096 Jun 13 21:13 ccatok
  drwxrwx---  3 root pkcs11 4096 Jun 13 21:13 ep11tok
  drwxrwx---  2 root pkcs11 4096 Sep 23  2014 icsf
  drwxrwx---  3 root pkcs11 4096 Jun 13 21:13 lite
  drwxrwx---  3 root pkcs11 4096 Jun 13 21:13 swtok
  drwxrwx---  3 root pkcs11 4096 Sep 23  2014 tpm

  Currently the directories are created with 'root' ownership and group,
  because of which a normal user (who is a member of the pkcs11 group)
  cannot create persistent token objects on disk.
  The rpm spec should be modified to change the group and permissions as
  shown above.

  == Comment: #7 - Heinz-Werner Seeck <heinz-werner_se...@de.ibm.com> - 2016-06-22 07:09:11 ==

  Canonical, please SRU this fix to 16.04. Thx

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1595192/+subscriptions

_______________________________________________
Mailing list: https://launchpad.net/~group.of.nepali.translators
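A check for the target state the bug asks for, added here as an example and not taken from the bug report, the opencryptoki package or its maintainers: it walks an opencryptoki data directory and reports every token directory and TOK_OBJ subdirectory whose owner, group or mode differs from root:pkcs11 with mode 770 (the top-level directory itself stays 755 in the expected listing, so it is not checked), and a second function applies that state. The function names and arguments are my own, and it assumes GNU stat on Linux.

```shell
#!/bin/sh
# Example verification helper (not part of opencryptoki or the bug's own output).
# opencryptoki_check_perms BASE [OWNER] [GROUP] [MODE]
#   Prints one MISMATCH line per token dir or TOK_OBJ subdir under BASE whose
#   owner, group or octal mode differs from the wanted values (defaults:
#   root, pkcs11, 770). Returns 0 when everything matches, 1 otherwise.
# Assumes GNU stat (-c '%U %G %a').
opencryptoki_check_perms() {
    base="$1"; want_owner="${2:-root}"; want_group="${3:-pkcs11}"; want_mode="${4:-770}"
    bad=0
    # First glob: /var/lib/opencryptoki/<token>; second: <token>/TOK_OBJ.
    for d in "$base"/*/ "$base"/*/TOK_OBJ/; do
        [ -d "$d" ] || continue            # unmatched glob stays literal; skip it
        d="${d%/}"
        set -- $(stat -c '%U %G %a' "$d")  # $1=owner $2=group $3=mode
        if [ "$1" != "$want_owner" ] || [ "$2" != "$want_group" ] || [ "$3" != "$want_mode" ]; then
            echo "MISMATCH $d owner=$1 group=$2 mode=$3 (want $want_owner:$want_group $want_mode)"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# opencryptoki_fix_perms BASE [OWNER] [GROUP] [MODE]
#   Applies the wanted owner, group and mode to the same set of directories.
#   Needs root when the wanted owner or group is not the caller's own.
opencryptoki_fix_perms() {
    base="$1"; owner="${2:-root}"; group="${3:-pkcs11}"; mode="${4:-770}"
    for d in "$base"/*/ "$base"/*/TOK_OBJ/; do
        [ -d "$d" ] || continue
        chown "$owner:$group" "${d%/}" && chmod "$mode" "${d%/}"
    done
}

# Usage: sh check_opencryptoki_perms.sh /var/lib/opencryptoki
if [ -n "${1:-}" ]; then
    opencryptoki_check_perms "$1"
fi
```

Run the check as any user; the fix needs root on a real /var/lib/opencryptoki, since only root can chgrp to pkcs11 and chown to root.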