Public bug reported:
== Comment: #0 - Christian Rund <[email protected]> - 2016-06-20 06:43:40 ==
Problem description
==============
The ownership of the token (sub)directories in /var/lib/opencryptoki/ is set
to root:root in the current version of the 'opencryptoki 3.4.1+dfsg-1ubuntu3'
package.
It needs to be recursively set to root:pkcs11. Especially the TOK_OBJ
subdirectories need to have pkcs11 group ownership, as the access
concept is to permit pkcs11 group members to create persistent token
objects.
Console output
===========
strace output of a failing scenario for testuser uid=1000(testuser)
gid=1000(testuser) groups=1000(testuser),27(sudo),116(pkcs11):
open("/var/lib/opencryptoki/lite/TOK_OBJ/00000000", O_WRONLY|O_CREAT|O_TRUNC, 0666) = -1 EACCES (Permission denied)
flock(6, LOCK_UN) = 0
write(1, "Error creating key object: 0x6\n", 31Error creating key object: 0x6
_________________________________________________________________
ls -l /var/lib/
...
drwxrwxr-x 8 root pkcs11 4096 Jun 17 14:29 opencryptoki
...
ls -la /var/lib/opencryptoki/
root@s8314002:/var/lib/opencryptoki# ll
total 32
drwxrwxr-x 8 root pkcs11 4096 Jun 20 12:26 ./
drwxr-xr-x 40 root root 4096 Jun 20 12:26 ../
drwxr-xr-x 3 root root 4096 Jun 20 12:26 ccatok/
drwxr-xr-x 3 root root 4096 Jun 20 12:26 ep11tok/
drwxr-xr-x 2 root root 4096 Apr 13 22:31 icsf/
drwxr-xr-x 3 root root 4096 Jun 20 12:26 lite/
drwxr-xr-x 3 root root 4096 Jun 20 12:26 swtok/
drwxr-xr-x 2 root root 4096 Apr 13 22:31 tpm/
_________________________________________________________________
The /var/lib/opencryptoki subdirectory structure is provided by the
opencryptoki package:
dpkg -L opencryptoki
/var/lib/opencryptoki/tpm
/var/lib/opencryptoki/swtok
/var/lib/opencryptoki/swtok/TOK_OBJ
/var/lib/opencryptoki/icsf
/var/lib/opencryptoki/ep11tok
/var/lib/opencryptoki/ep11tok/TOK_OBJ
/var/lib/opencryptoki/ccatok
/var/lib/opencryptoki/ccatok/TOK_OBJ
/var/lib/opencryptoki/lite
/var/lib/opencryptoki/lite/TOK_OBJ
== Comment: #4 - VINEETHA PISHARATH HARI PAI <[email protected]> - 2016-06-21 11:16:26 ==
The issue is described in the problem description.
Please create
/var/lib/opencryptoki/
/var/lib/opencryptoki/<token> where token = ccatok, ep11tok, icsf, lite, swtok, tpm
/var/lib/opencryptoki/<token>/TOK_OBJ
with permissions 770, root ownership and pkcs11 group ownership.
The directory structure and permissions should look like this:
:~ # ls -la /var/lib/opencryptoki/
total 32
drwxr-xr-x 8 root pkcs11 4096 Jun 13 21:13 .
drwxr-xr-x 37 root root 4096 Jun 20 21:30 ..
drwxrwx--- 3 root pkcs11 4096 Jun 13 21:13 ccatok
drwxrwx--- 3 root pkcs11 4096 Jun 13 21:13 ep11tok
drwxrwx--- 2 root pkcs11 4096 Sep 23 2014 icsf
drwxrwx--- 3 root pkcs11 4096 Jun 13 21:13 lite
drwxrwx--- 3 root pkcs11 4096 Jun 13 21:13 swtok
drwxrwx--- 3 root pkcs11 4096 Sep 23 2014 tpm
Currently the directories are created with 'root' ownership and group, because
of which a normal user (who is a member of pkcs11 group) cannot create
persistent token objects on disk. The rpm spec should be modified to change the
group and permissions as shown above.
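An added audit-and-repair script for the layout requested above (example code, not the opencryptoki package's maintainer script or the fix that was shipped). It assumes GNU stat, and takes numeric uid/gid so it can be exercised on a scratch tree without root or a pkcs11 group:

```shell
#!/bin/sh
# Added example (not the opencryptoki package's own maintainer script):
# audit and repair the /var/lib/opencryptoki layout requested in comment #4,
# i.e. every token dir and its TOK_OBJ subdir owned root:pkcs11, mode 770.
# Assumes GNU stat (-c). Owner/group are passed as numeric uid/gid so the
# functions can be run against a scratch tree without root or a pkcs11 group.

# Token directories shipped by the package, per `dpkg -L opencryptoki` above.
OCK_TOKENS="ccatok ep11tok icsf lite swtok tpm"

# check_ock_perms BASE UID GID
# Prints one line per non-compliant directory; returns 0 only if all comply.
check_ock_perms() {
    base=$1 want="$2:$3:770" rc=0
    for tok in $OCK_TOKENS; do
        for d in "$base/$tok" "$base/$tok/TOK_OBJ"; do
            # icsf and tpm ship without a TOK_OBJ subdir in the package listing.
            [ -d "$d" ] || continue
            actual=$(stat -c '%u:%g:%a' "$d")
            if [ "$actual" != "$want" ]; then
                echo "MISMATCH $d uid:gid:mode is $actual, want $want"
                rc=1
            fi
        done
    done
    return $rc
}

# fix_ock_perms BASE UID GID
# Recursive ownership change as the report asks for; mode 770 on directories
# only, so existing token object files do not become executable.
fix_ock_perms() {
    base=$1
    for tok in $OCK_TOKENS; do
        [ -d "$base/$tok" ] || continue
        chown -R "$2:$3" "$base/$tok"
        find "$base/$tok" -type d -exec chmod 770 {} +
    done
}

# Real-system usage (needs root):
#   check_ock_perms /var/lib/opencryptoki 0 "$(getent group pkcs11 | cut -d: -f3)"
```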
== Comment: #7 - Heinz-Werner Seeck <[email protected]> - 2016-06-22 07:09:11 ==
Canonical please SRU this fix to 16.04. Thx
** Affects: opencryptoki
Importance: Undecided
Status: New
** Affects: ubuntu-z-systems
Importance: Medium
Assignee: Dimitri John Ledkov (xnox)
Status: New
** Affects: opencryptoki (Ubuntu)
Importance: Undecided
Assignee: Skipper Bug Screeners (skipper-screen-team)
Status: New
** Tags: architecture-s39064 bugnameltc-142838 severity-medium targetmilestone-inin1604
** Tags added: architecture-s39064 bugnameltc-142838 severity-medium targetmilestone-inin1604
** Changed in: ubuntu
Assignee: (unassigned) => Skipper Bug Screeners (skipper-screen-team)
** Package changed: ubuntu => opencryptoki (Ubuntu)
--
https://bugs.launchpad.net/bugs/1595192
Title:
OpenCryptoki: change group permission to pkcs11 for all /var/lib/opencryptoki token subdirs
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs