Here is a patch to be discussed...
Currently even root needs to be member of the pkcs11 group to
successfully execute e.g. pkcsconf -t. It is unclear to me
if this is really the expected behavior. There is some code
and comments in usr/lib/pkcs11/common/new_host.c check_user_and_group()
telling me that uid == 0 or euid == 0 should be allowed without any
group checking. On the other hand before attaching to shared memory in
usr/lib/pkcs11/api/shrd_mem.c.in there is code regardless of any uid
checking for the membership to the pkcs11 group.
RHEL uses its own patch to disable group checking for user root
and has applied it to ock since 2.4.
So here is a patch which disables checking of the pkcs11 group
membership for root or euid 0. I leave it to the maintainer of
opencryptoki to apply or reject it ... however the intended behavior
should be documented somewhere.
regards, Harald Freudenberger
>From 08ca80091597b93fce67d63970f4c6851677b155 Mon Sep 17 00:00:00 2001
From: Harald Freudenberger <fre...@linux.vnet.ibm.com>
Date: Wed, 26 Nov 2014 14:45:01 +0100
Subject: [PATCH] Root not required to be member of pkcs11 group fix.
Make root run all the pkcs11 commands without the need to be a member of
the pkcs11 group.
Signed-off-by: Harald Freudenberger <fre...@linux.vnet.ibm.com>
---
usr/lib/pkcs11/api/shrd_mem.c.in | 64 +++++++++++++++++---------------------
usr/lib/pkcs11/common/new_host.c | 2 +-
2 files changed, 30 insertions(+), 36 deletions(-)
diff --git a/usr/lib/pkcs11/api/shrd_mem.c.in b/usr/lib/pkcs11/api/shrd_mem.c.in
index 42022c7..17777b8 100644
--- a/usr/lib/pkcs11/api/shrd_mem.c.in
+++ b/usr/lib/pkcs11/api/shrd_mem.c.in
@@ -340,6 +340,8 @@ attach_shared_memory() {
struct stat statbuf;
struct group *grp;
struct passwd *pw, *epw;
+ uid_t uid = getuid();
+ uid_t euid = geteuid();
#if !(MMAP)
// Really should fstat the tok_path, since it will be the actual
@@ -351,42 +353,34 @@ attach_shared_memory() {
return NULL;
}
-
- // SAB check for the group id here and membership here as well
- grp = getgrnam("pkcs11");
- if ( grp ) {
- int i=0;
- char member=0;
-
- pw = getpwuid(getuid());
-
- epw = getpwuid(geteuid());
-
- while( grp->gr_mem[i] ) {
- if (pw) {
- if ( strncmp(pw->pw_name, grp->gr_mem[i],strlen(pw->pw_name)) == 0 ){
- member = 1;
- break;
- }
- }
- if (epw) {
- if ( strncmp(epw->pw_name, grp->gr_mem[i],strlen(epw->pw_name)) == 0 ){
- member = 1;
- break;
- }
- }
- i++;
- }
- if ( ! member ) {
- return NULL; // SAB don't bother even attaching...
- }
-
-
- } else {
- return NULL;
+ // only check group membership if not root user
+ if (uid != 0 && euid != 0) {
+ int i, member=0;
+ grp = getgrnam("pkcs11");
+ if (!grp) {
+ // group pkcs11 not known to the system
+ return NULL;
+ }
+ pw = getpwuid(uid);
+ epw = getpwuid(euid);
+ for (i=0; grp->gr_mem[i]; i++) {
+ if (pw) {
+ if (!strncmp(pw->pw_name, grp->gr_mem[i],strlen(pw->pw_name))) {
+ member = 1;
+ break;
+ }
+ }
+ if (epw) {
+ if (!strncmp(epw->pw_name, grp->gr_mem[i],strlen(epw->pw_name))) {
+ member = 1;
+ break;
+ }
+ }
+ }
+ if (!member) {
+ return NULL;
+ }
}
-
-
Anchor->shm_tok = ftok(TOK_PATH,'b');
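Review bot: The membership test at the two `strncmp` lines compares only `strlen(pw->pw_name)` characters of the group entry, so a user named `bob` is accepted when the group lists only `bobby`; this is carried over from the removed code, but since the loop is rewritten here it is the place to fix it with `if (!strcmp(pw->pw_name, grp->gr_mem[i])) {` and the same for `epw`. The loop also consults only `gr_mem`, so a user whose primary group in passwd is pkcs11 but who is not listed explicitly appears to be rejected — presumably `pw->pw_gid == grp->gr_gid` should also count as membership, worth confirming against the intended policy. attach_shared_memory continues past the end of the hunk.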
diff --git a/usr/lib/pkcs11/common/new_host.c b/usr/lib/pkcs11/common/new_host.c
index b6275ab..23814f0 100755
--- a/usr/lib/pkcs11/common/new_host.c
+++ b/usr/lib/pkcs11/common/new_host.c
@@ -521,7 +521,7 @@ check_user_and_group()
euid = geteuid();
/* Root or effective Root is ok */
- if (uid != 0 && euid != 0)
+ if (uid == 0 || euid == 0)
return CKR_OK;
/*
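Review bot: The corrected condition deserves a comment explaining the fallthrough, since the previous inverted form silently let non-root callers return CKR_OK before ever reaching the group check; suggest replacing the comment line with `/* Root or effective root is ok; everyone else must pass the group check below */`. check_user_and_group begins and ends outside the hunk.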
--
1.7.9.5