OpenCryptoki: change group permission to pkcs11 for all /var/lib/opencryptoki token subdirs
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ubuntu on IBM z Systems | Fix Released | Medium | Unassigned |
opencryptoki (Ubuntu) | Fix Released | Medium | Dimitri John Ledkov |
Xenial | Fix Released | Medium | Dimitri John Ledkov |
Yakkety | Fix Released | Medium | Dimitri John Ledkov |
Bug Description
== Comment: #0 - Christian Rund <email address hidden> - 2016-06-20 06:43:40 ==
Problem description
==============
The ownerships for the token (sub)directories in /var/lib/
They need to be recursively set to root,pkcs11. Especially the TOK_OBJ subdirectories need to have pkcs11 group ownership, as the access concept is to permit pkcs11 group members creating persistent token objects.
Console output
===========
strace output of a failing scenario for testuser uid=1000(testuser) gid=1000(testuser) groups=
open("/
flock(6, LOCK_UN) = 0
write(1, "Error creating key object: 0x6\n", 31Error creating key object: 0x6
_______
ls -l ls -l /var/lib/
...
drwxrwxr-x 8 root pkcs11 4096 Jun 17 14:29 opencryptoki
...
ls -la /var/lib/
root@s8314002:
total 32
drwxrwxr-x 8 root pkcs11 4096 Jun 20 12:26 ./
drwxr-xr-x 40 root root 4096 Jun 20 12:26 ../
drwxr-xr-x 3 root root 4096 Jun 20 12:26 ccatok/
drwxr-xr-x 3 root root 4096 Jun 20 12:26 ep11tok/
drwxr-xr-x 2 root root 4096 Apr 13 22:31 icsf/
drwxr-xr-x 3 root root 4096 Jun 20 12:26 lite/
drwxr-xr-x 3 root root 4096 Jun 20 12:26 swtok/
drwxr-xr-x 2 root root 4096 Apr 13 22:31 tpm/
_______
The /var/lib/
dpkg -L opencryptoki
/var/lib/
/var/lib/
/var/lib/
/var/lib/
/var/lib/
/var/lib/
/var/lib/
/var/lib/
/var/lib/
/var/lib/
== Comment: #4 - VINEETHA PISHARATH HARI PAI <email address hidden> - 2016-06-21 11:16:26 ==
The issue is described in problem description.
Please create
/var/lib/
/var/lib/
/var/lib/
The directory structure and permissions should look like this
:~ # ls -la /var/lib/
total 32
drwxr-xr-x 8 root pkcs11 4096 Jun 13 21:13 .
drwxr-xr-x 37 root root 4096 Jun 20 21:30 ..
drwxrwx--- 3 root pkcs11 4096 Jun 13 21:13 ccatok
drwxrwx--- 3 root pkcs11 4096 Jun 13 21:13 ep11tok
drwxrwx--- 2 root pkcs11 4096 Sep 23 2014 icsf
drwxrwx--- 3 root pkcs11 4096 Jun 13 21:13 lite
drwxrwx--- 3 root pkcs11 4096 Jun 13 21:13 swtok
drwxrwx--- 3 root pkcs11 4096 Sep 23 2014 tpm
Currently the directories are created with 'root' ownership and group, because of which a normal user (who is a member of pkcs11 group) cannot create persistent token objects on disk. The rpm spec should be modified to change the group and permissions as shown above.
== Comment: #7 - Heinz-Werner Seeck <email address hidden> - 2016-06-22 07:09:11 ==
Canonical please SRU this fix to 16.04. Thx
tags: added: architecture-s39064 bugnameltc-142838 severity-medium targetmilestone-inin1604
Changed in ubuntu:
  assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → opencryptoki (Ubuntu)
Changed in ubuntu-z-systems:
  importance: Undecided → Medium
  assignee: nobody → Dimitri John Ledkov (xnox)
tags: added: targetmilestone-inin16041 removed: targetmilestone-inin1604
Changed in ubuntu-z-systems:
  assignee: Dimitri John Ledkov (xnox) → nobody
Changed in opencryptoki (Ubuntu Xenial):
  assignee: nobody → Dimitri John Ledkov (xnox)
Changed in opencryptoki (Ubuntu Yakkety):
  assignee: Skipper Bug Screeners (skipper-screen-team) → Dimitri John Ledkov (xnox)
Changed in opencryptoki (Ubuntu Yakkety):
  status: New → In Progress
no longer affects: opencryptoki
Changed in ubuntu-z-systems:
  status: New → Triaged
Changed in ubuntu-z-systems:
  status: Triaged → In Progress
Changed in opencryptoki (Ubuntu Xenial):
  status: New → In Progress
Changed in ubuntu-z-systems:
  status: In Progress → Fix Committed
tags: added: verification-done removed: verification-needed
Changed in ubuntu-z-systems:
  status: Fix Committed → Fix Released
Changed in opencryptoki (Ubuntu):
  importance: Undecided → Medium
Changed in opencryptoki (Ubuntu Xenial):
  importance: Undecided → Medium
Changed in opencryptoki (Ubuntu Yakkety):
  importance: Undecided → Medium
This bug was fixed in the package opencryptoki - 3.5+dfsg-2
---------------
opencryptoki (3.5+dfsg-2) unstable; urgency=medium

  * QA upload.
  * Updated systemd-tmpfiles debian/opencryptoki.tmpfiles snippet to
    create TOK_OBJ per-token subdirectories with correct
    permissions. Upstream should probably ship tmpfiles snippet. LP:
    #1595192.
  * Import upstream patches to create/validate lock & lib directories for
    all tokens. LP: #1594386

 -- Dimitri John Ledkov <email address hidden>  Tue, 16 Aug 2016 09:55:02 +0100
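The following script is an added example and is not part of the bug report or of the opencryptoki package. It covers both the layout asked for in comment #4 (an audit that flags token directories not group-owned by pkcs11 or not group-writable, and a repair that applies the listed modes: 755 on the base directory, 770 on each token directory and its TOK_OBJ subdirectory) and the approach taken in the changelog (it renders a systemd-tmpfiles(8) snippet from the discovered layout so the fix is re-applied at boot and survives package upgrades). The function names, the BASE/GROUP parameters and the rendered snippet are assumptions; the real debian/opencryptoki.tmpfiles content is not on this page. The owner is not changed to root here so the script can be run unprivileged against a scratch tree; as root, add `chown -R root` before `chgrp`.

```shell
#!/bin/sh
# Audit, repair and describe the group ownership/permissions of
# opencryptoki token directories: <BASE>/<token>[/TOK_OBJ].
# Example code, not the package's own tooling.

# _dir_ok DIR GROUP GBITS: true if DIR is group-owned by GROUP and has at
# least the symbolic group bits GBITS (e.g. g=rwx). -prune stops find from
# descending; -group and -perm -g=... are POSIX find primaries.
_dir_ok() {
    [ -n "$(find "$1" -prune -group "$2" -perm "-$3" -print)" ]
}

# check_token_dirs BASE GROUP: report every directory that would make a
# GROUP member unable to create persistent token objects. The base only
# needs group traversal (r-x, as in comment #4); token and TOK_OBJ
# directories need group rwx. Returns 1 if anything is wrong.
check_token_dirs() {
    base=$1 group=$2 bad=0
    _dir_ok "$base" "$group" g=rx ||
        { echo "base not traversable by $group: $base" >&2; bad=1; }
    for tok in "$base"/*/; do
        tok=${tok%/}
        [ -d "$tok" ] || continue
        for d in "$tok" "$tok/TOK_OBJ"; do
            [ -d "$d" ] || continue            # icsf/tpm have no TOK_OBJ
            _dir_ok "$d" "$group" g=rwx ||
                { echo "not group-writable by $group: $d" >&2; bad=1; }
        done
    done
    return $bad
}

# fix_token_dirs BASE GROUP: apply the layout from comment #4.
# Group is set recursively; directories become rwxrwx--- (770) and the
# base stays rwxr-xr-x (755). Owner is left alone so this runs unprivileged.
fix_token_dirs() {
    base=$1 group=$2
    chgrp -R "$group" "$base" &&
    find "$base" -type d -exec chmod 770 {} + &&
    chmod 755 "$base"
}

# render_tmpfiles BASE GROUP: print a tmpfiles.d(5) snippet declaring the
# same layout, one 'd' line per directory. Type 'd' creates a missing
# directory and adjusts owner, group and mode of an existing one, so
# 'systemd-tmpfiles --create' re-asserts the fix after every boot.
# Assumed content; not the Debian package's actual snippet.
render_tmpfiles() {
    base=$1 group=$2
    printf '#Type Path Mode User Group Age Argument\n'
    printf 'd %s 0755 root %s - -\n' "$base" "$group"
    for tok in "$base"/*/; do
        tok=${tok%/}
        [ -d "$tok" ] || continue
        printf 'd %s 0770 root %s - -\n' "$tok" "$group"
        [ -d "$tok/TOK_OBJ" ] && printf 'd %s 0770 root %s - -\n' "$tok/TOK_OBJ" "$group"
    done
    return 0
}

# Usage: sh token_perms.sh {check|fix|tmpfiles} [BASE] [GROUP]
# Defaults: BASE=/var/lib/opencryptoki GROUP=pkcs11
case ${1:-} in
    check)    check_token_dirs "${2:-/var/lib/opencryptoki}" "${3:-pkcs11}" ;;
    fix)      fix_token_dirs   "${2:-/var/lib/opencryptoki}" "${3:-pkcs11}" ;;
    tmpfiles) render_tmpfiles  "${2:-/var/lib/opencryptoki}" "${3:-pkcs11}" > /etc/tmpfiles.d/opencryptoki.conf ;;
esac
```

Running `check` as the affected user reproduces the failure from comment #0 without going through the PKCS#11 API: a token directory listed as `drwxr-xr-x root root` is reported because its group is not pkcs11 and it lacks group write. `fix` followed by `check` should print nothing and exit 0; `tmpfiles` writes the generated snippet so the layout is restored if a package upgrade or a manual `chmod` undoes it.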