On Sun, 2 Jan 2011 17:43:01 +0900
Norikatsu Shigemura <n...@freebsd.org> wrote:

> Hi Klaus.
> 
>       I found a permission issue on pkcsslotd, when I did tpmtoken_init.
>       XPL_FILE (/tmp/.pkapi_xpk) is owned by root:root (root:wheel on
>       FreeBSD), and its permission is 0755 (assuming umask 022).
> 
>       So a non-root user can't
>       open(XPL_FILE,O_CREAT|O_RDWR,S_IRWXU|S_IRWXG|S_IRWXO);
>       at usr/lib/pkcs11/api/apiutil.c, and tpmtoken_init always fails.
> 
>       I made a patch to fix this issue, but it's ad hoc, because pkcsslotd
>       doesn't have a set_perm() function.  I think that this fix should use
>       set_perm().

NICE catch Norikatsu!

Just one problem: the code won't build after removing the <sys/file.h>
header below (flock(), LOCK_EX and LOCK_UN are defined there). Maybe a
typo?


The reality is that the whole locking semantics in opencryptoki needs
to be revisited. The XprocLock() functions aren't even propagating
errors (thus why this was never noticed).

Can you please re-send with the sys/file.h header so I can apply?
Also, please include a "signed-off-by" line.

Thanks,

 -Klaus
 
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> --- opencroyptoki-2.3.2/usr/sbin/pkcsslotd/mutex.c.orig       2010-07-29 
> 21:28:41.000000000 +0900
> +++ opencryptoki-2.3.2/usr/sbin/pkcsslotd/mutex.c     2011-01-02 
> 17:25:09.656672444 +0900
> @@ -315,7 +315,7 @@
>  #include <sys/types.h>
>  #include <sys/stat.h>
>  #include <fcntl.h>
> -#include <sys/file.h>
> +#include <grp.h>
>  static int xplfd=-1;
>  #endif
> 
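
Review bot: the `-#include <sys/file.h>` line in this hunk should stay. flock(), LOCK_EX and LOCK_UN come from that header, so add `#include <grp.h>` as an extra line rather than swapping it in. The code added in the next hunk also calls fchown() and getuid(), which are declared in <unistd.h>; that header is not among the includes visible here, so confirm it is pulled in for this branch.
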
> @@ -349,6 +349,13 @@
>  #elif (SPINXPL)
>    
>   xplfd = open (XPL_FILE,O_CREAT|O_RDWR,S_IRWXU|S_IRWXG|S_IRWXO);
> + {
> +    struct group *grp;
> +    fchmod(xplfd,S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH);
> +    grp = getgrnam("pkcs11");
> +    if (grp)
> +       fchown(xplfd,getuid(),grp->gr_gid);
> + }
> 
>  #elif (SYSVSEM)
>  #error "Caveat Emptor... this does not work"
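
Review bot: the block added after open() calls fchmod() and fchown() without first checking xplfd for -1, and it ignores the return values of both calls and a NULL from getgrnam("pkcs11"), so a failure leaves the lock file with the wrong group or mode and nothing is reported. Check each result and fail initialisation (or at least log) when it cannot be applied. Two smaller points: open() still requests S_IRWXU|S_IRWXG|S_IRWXO and the mode is only corrected afterwards, so pass the intended mode to open() and do the fchown() before the fchmod(); and S_IROTH is of no use to clients that open XPL_FILE with O_RDWR, so 0660 would do. Since XPL_FILE is in /tmp, also consider O_NOFOLLOW plus an fstat() check that the descriptor is a regular file before changing its ownership.
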
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> 
>       Thank you.
> 



-- 
Klaus Heinrich Kiwi | kla...@br.ibm.com | http://blog.klauskiwi.com
Open Source Security blog :     http://www.ratliff.net/blog
IBM Linux Technology Center :   http://www.ibm.com/linux/ltc

_______________________________________________
Opencryptoki-tech mailing list
Opencryptoki-tech@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/opencryptoki-tech