On Wed, 2016-02-03 at 11:21 +0100, Thomas Haller wrote:
> On Wed, 2016-02-03 at 10:40 +0100, Matthias Berndt wrote:
> > Hi Thomas,
>
> Hi Matthias,
>
> (CC-ing mailing list)
>
> > I didn't look at it very closely, but I'd suggest using more conservative
> > permissions for the certificate files. The current code leads to warnings
> > in the log files:
> > WARNING: file '/home/mberndt/.cert/client-key.pem' is group or others accessible
> > WARNING: file '/home/mberndt/.cert/test-client-ta.pem' is group or others accessible
>
> I actually did that in a first version of the patches.
>
> But then I thought, the import code is run by $USER, putting the files
> to ~$USER/.certs.
>
> The openvpn process is run as nm-openvpn:nm-openvpn (or root:root --
> depending whether chroot succeeds). I don't think we can restrict the
> file permissions there.
>
> ... which really shows how inherently broken it is to handle
> certificates in files (client-side).
>
> What is your suggestion?

Ok, I tested it. openvpn reads the files ~before~ setuid. So it actually works.

Added a patch
  "properties: fix permissions of imported certificates to be user-readable only"

Worked for me still with dropping privileges.

Thomas

_______________________________________________
networkmanager-list mailing list
networkmanager-list@gnome.org
https://mail.gnome.org/mailman/listinfo/networkmanager-list
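
The permission condition behind the quoted openvpn warning, and an owner-only write for imported key material, as an added example that is not part of the original messages or of the NetworkManager-openvpn patch. The function names and the sample path are hypothetical; owner-only mode is sufficient here only because, as reported in the thread, openvpn reads the files before it drops privileges.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Condition matching the quoted warning: any group or other permission bit.
 * Returns 1 if group/others accessible, 0 if owner-only, -1 on stat error. */
int group_or_others_accessible(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) ? 1 : 0;
}

/* Create the file with mode 0600 from the start, so the key is never on disk
 * with wider permissions (umask can only clear bits, not add them).
 * O_EXCL refuses to reuse an existing file or a symlink planted at the path. */
int write_owner_only(const char *path, const void *buf, size_t len)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
    if (fd < 0)
        return -1;
    if (write(fd, buf, len) != (ssize_t)len) {
        close(fd);
        unlink(path);               /* do not leave a truncated key behind */
        return -1;
    }
    return close(fd);
}

/* Repair a file that an earlier import left group/others accessible. */
int tighten_existing(const char *path)
{
    return chmod(path, S_IRUSR | S_IWUSR);
}

int main(void)
{
    char path[64];                  /* constructed sample path, not a real cert */
    snprintf(path, sizeof path, "/tmp/example-client-key-%ld.pem", (long)getpid());
    unlink(path);
    if (write_owner_only(path, "constructed sample\n", 19) != 0)
        return 1;
    printf("after import:  accessible=%d\n", group_or_others_accessible(path));
    chmod(path, 0644);              /* simulate the loose mode from the warning */
    printf("loose mode:    accessible=%d\n", group_or_others_accessible(path));
    tighten_existing(path);
    printf("after tighten: accessible=%d\n", group_or_others_accessible(path));
    return unlink(path);
}
```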