On Wed, 2016-02-03 at 10:40 +0100, Matthias Berndt wrote:
> Hi Thomas,

Hi Matthias,

(CC-ing mailing list)

>
> I didn't look at it very closely, but I'd suggest using more conservative
> permissions for the certificate files. The current code leads to warnings
> in the log files:
> WARNING: file '/home/mberndt/.cert/client-key.pem' is group or others accessible
> WARNING: file '/home/mberndt/.cert/test-client-ta.pem' is group or others accessible

I actually did that in a first version of the patches.

But then I thought, the import code is run by $USER, putting the files
to ~$USER/.certs. The openvpn process is run as nm-openvpn:nm-openvpn (or
root:root -- depending whether chroot succeeds).

I don't think we can restrict the file permissions there.

... which really shows how inherently broken it is to handle
certificates in files (client-side).

What is your suggestion?

Thomas

>
> Cheers,
> Matthias
>
> > Sent: Friday, 29 January 2016 at 14:55
> > From: "Thomas Haller" <[email protected]>
> > To: "Matthias Berndt" <[email protected]>, networkmanager-list@gnome.org
> > Subject: Re: [PATCH] simplify blob handling
> >
> > On Tue, 2016-01-26 at 22:57 +0100, Matthias Berndt wrote:
> > > Hi,
> > >
> > > here's the patch to simplify blob handling.
> > >
> > > Cheers,
> > > Matthias
> > >
> >
> > Hey Matthias,
> >
> > after merging your patch, I reworked the import code more.
> >
> > https://git.gnome.org/browse/network-manager-openvpn/log/?h=th/ovpn-import-bgo761285
> > https://bugzilla.gnome.org/show_bug.cgi?id=761285
> >
> > It's currently on review, but I think this branch should eventually get
> > merged.
> >
> >
> > Just in case you wanted to do another cleanup. Or would be interested
> > in testing/reviewing it...
> >
> >
> > ciao,
> > Thomas
_______________________________________________ networkmanager-list mailing list [email protected] https://mail.gnome.org/mailman/listinfo/networkmanager-list
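
The permission trade-off discussed in this thread, as an added example that is not part of the original messages or of network-manager-openvpn. It assumes the warning fires whenever any group or other permission bit is set, and it uses constructed UIDs/GIDs and hypothetical function names to model a key file owned by the importing user and read by a separate service account.

```python
import os
import stat
import tempfile

# Constructed IDs: the importing desktop user and the service account.
USER_UID, USER_GID = 1000, 1000
VPN_UID, VPN_GID = 970, 970  # stands in for nm-openvpn:nm-openvpn


def group_or_others_accessible(mode):
    """True if any group/other bit is set (assumed warning condition)."""
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def can_read(mode, owner_uid, owner_gid, uid, gids):
    """Classic POSIX DAC read check; ignores ACLs, capabilities and root."""
    if uid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def evaluate(mode, service_gids=frozenset({VPN_GID})):
    """Return (warns, readable_by_service) for a key file owned by the user."""
    return (group_or_others_accessible(mode),
            can_read(mode, USER_UID, USER_GID, VPN_UID, service_gids))


def mode_of_new_file(requested_mode):
    """Create a real file the way an importer could and report its mode."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "client-key.pem")
        old = os.umask(0)  # apply requested_mode unmodified
        try:
            flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
            os.close(os.open(path, flags, requested_mode))
        finally:
            os.umask(old)
        return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    for requested in (0o600, 0o640, 0o644):
        mode = mode_of_new_file(requested)
        warns, readable = evaluate(mode)
        print(f"{mode:04o}: warning={warns} readable_by_service={readable}")
```

Under this model, every mode that lets a different account read the file also sets a group or other bit, so the warning can only go away when the file is owned by the account that reads it.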
