Unix only. 0.9.8a openssl executable (apps/ca.c).

If openssl is run as a setuid executable and you try to create a certificate, it fails, claiming that it is unable to access the new certificates directory.

This is because in apps/ca.c it checks that the new certificate dir is accessible, but this always uses the real and not the effective UID/GID. The real user of the openssl executable cannot access the directory, so it fails.

Having examined the code, this seems to be the only place where the access(2) system call is used. The code immediately does a stat after this check (which also does an access check), so I assume that the code is trying to be helpful by giving a sensible error message.

Potential fixes:

1) Remove the access check altogether
2) Only execute the access check if the real and effective uid/gids are identical

Steven Allen
Senselect Ltd.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List
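A sketch of potential fix 2 from the message above, as an added example that is not OpenSSL's code or the poster's patch. The names `ids_differ`, `check_outdir` and `demo_on_temp_dir`, the `R_OK | W_OK | X_OK` mode and the `/tmp` path are assumptions made for illustration.

```c
/* Added example, not OpenSSL code: run access(2) only when real and
 * effective IDs match, since access(2) always tests the REAL uid/gid. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Nonzero when running setuid/setgid (real and effective IDs differ). */
int ids_differ(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Hypothetical helper: returns 0 if outdir looks usable, -1 otherwise. */
int check_outdir(const char *outdir)
{
    struct stat sb;

    /* The friendly early check is skipped under setuid, where it would
     * report on the invoking user rather than the effective one. */
    if (!ids_differ() && access(outdir, R_OK | W_OK | X_OK) != 0) {
        perror(outdir);
        return -1;
    }
    /* stat(2) resolves the path with the effective IDs. It does not prove
     * the directory is writable; that surfaces when a file is created. */
    if (stat(outdir, &sb) != 0) {
        perror(outdir);
        return -1;
    }
    if (!S_ISDIR(sb.st_mode)) {
        fprintf(stderr, "%s: not a directory\n", outdir);
        return -1;
    }
    return 0;
}

/* Constructed self-check: make a private directory, test it, remove it. */
int demo_on_temp_dir(void)
{
    char path[64];
    int rc;

    snprintf(path, sizeof path, "/tmp/ca_outdir_demo_%ld", (long)getpid());
    if (mkdir(path, 0700) != 0)
        return -1;
    rc = check_outdir(path);
    rmdir(path);
    return rc;
}

int main(void) { return demo_on_temp_dir() == 0 ? 0 : 1; }
```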
