On Wed, 2016-02-03 at 11:21 +0100, Thomas Haller wrote:
> On Wed, 2016-02-03 at 10:40 +0100, Matthias Berndt wrote:
> > Hi Thomas,
> 
> Hi Matthias,
> 
> (CC-ing mailing list)
> 
> > 
> > I didn't look at it very closely, but I'd suggest using more
> > conservative permissions for the certificate files. The current code
> > leads to warnings in the log files:
> > WARNING: file '/home/mberndt/.cert/client-key.pem' is group or others accessible
> > WARNING: file '/home/mberndt/.cert/test-client-ta.pem' is group or others accessible
> 
> I actually did that in a first version of the patches.
> 
> But then I thought, the import code is run by $USER, putting the files
> to ~$USER/.certs.
> 
> The openvpn process is run as nm-openvpn:nm-openvpn (or root:root --
> depending on whether chroot succeeds). I don't think we can restrict
> the file permissions there.
> 
> ... which really shows how inherently broken it is to handle
> certificates in files (client-side).

Yeah, it can be broken as root should not necessarily be able to read
normal user files; more of a problem if/when openvpn drops permissions
too.

> What is your suggestion?
> 

PKCS#11, URIs, and a certificate store :)  Alternatively the
certificates could be made "secret" in the VPN data and then retrieved
from the secret agent in the user session, but it's much better to just
use a certificate store.

Dan
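The conflict Matthias and Thomas describe above, as an added example (not code from this thread or from NetworkManager-openvpn): a key file owned by the importing user either trips the "group or others accessible" warning or becomes unreadable to a separate service account such as nm-openvpn. The service uid/gid and the sample files are constructed; the warning condition is assumed to be any permission bit set for group or others.

```python
import os
import stat
import tempfile
# Hypothetical service account standing in for nm-openvpn (not the importing user's uid/gid).
SERVICE_UID = os.getuid() + 1000
SERVICE_GIDS = {os.getgid() + 1000}

def make_sample_dir():
    """Constructed sample: two copies of a key, one left at the default
    umask result (0644, as an importer running as $USER would create it)
    and one locked down to 0600."""
    d = tempfile.mkdtemp(prefix="certperm-")
    loose = os.path.join(d, "client-key.pem")
    tight = os.path.join(d, "client-key-0600.pem")
    for p in (loose, tight):
        with open(p, "w") as f:
            f.write("-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n")
    os.chmod(loose, 0o644)
    os.chmod(tight, 0o600)
    return loose, tight

def group_or_others_accessible(path):
    """The condition behind the quoted OpenVPN warning (assumed to be:
    any r/w/x bit set for group or others)."""
    return bool(os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO))

def readable_by(path, uid, gids):
    """Discretionary read check for a process with this uid and these
    gids. uid 0 is treated as always allowed, which is exactly the
    assumption that stops holding once openvpn drops privileges."""
    st = os.stat(path)
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

def audit(paths, service_uid=SERVICE_UID, service_gids=SERVICE_GIDS):
    """Per file: does OpenVPN warn, and can the service account read it?
    A user-owned file cannot satisfy both at once."""
    return {os.path.basename(p): {"warns": group_or_others_accessible(p),
                                  "service_can_read": readable_by(p, service_uid, service_gids)}
            for p in paths}

if __name__ == "__main__":
    for name, result in audit(make_sample_dir()).items():
        print(name, result)
```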

> Thomas
> 
> > 
> > Cheers,
> > Matthias
> > 
> > > Sent: Friday, 29 January 2016 at 14:55
> > > From: "Thomas Haller" <thal...@redhat.com>
> > > To: "Matthias Berndt" <matthias_ber...@gmx.de>, networkmanager-list@gnome.org
> > > Subject: Re: [PATCH] simplify blob handling
> > > 
> > > On Tue, 2016-01-26 at 22:57 +0100, Matthias Berndt wrote:
> > > > Hi,
> > > > 
> > > > here's the patch to simplify blob handling.
> > > > 
> > > > Cheers,
> > > > Matthias
> > > > 
> > > 
> > > Hey Matthias,
> > > 
> > > after merging your patch, I reworked the import code more.
> > > 
> > > https://git.gnome.org/browse/network-manager-openvpn/log/?h=th/ovpn-import-bgo761285
> > > https://bugzilla.gnome.org/show_bug.cgi?id=761285
> > > 
> > > It's currently on review, but I think this branch should eventually
> > > get merged.
> > > 
> > > 
> > > Just in case you wanted to do another cleanup. Or would be
> > > interested in testing/reviewing it...
> > > 
> > > 
> > > ciao,
> _______________________________________________
> networkmanager-list mailing list
> networkmanager-list@gnome.org
> https://mail.gnome.org/mailman/listinfo/networkmanager-list