OpenCryptoki: change group permission to pkcs11 for all /var/lib/opencryptoki token subdirs

Bug #1595192 reported by bugproxy
Affects                   Status        Importance  Assigned to            Milestone
Ubuntu on IBM z Systems   Fix Released  Medium      Unassigned
opencryptoki (Ubuntu)     Fix Released  Medium      Dimitri John Ledkov
  Xenial                  Fix Released  Medium      Dimitri John Ledkov
  Yakkety                 Fix Released  Medium      Dimitri John Ledkov

Bug Description

== Comment: #0 - Christian Rund <email address hidden> - 2016-06-20 06:43:40 ==
Problem description
==============
The ownerships for the token (sub)directories in /var/lib/opencryptoki/ are set to root,root in the current version of the 'opencryptoki 3.4.1+dfsg-1ubuntu3' package.

They need to be recursively set to root,pkcs11. Especially the TOK_OBJ subdirectories need to have pkcs11 group ownership, as the access concept is to permit pkcs11 group members to create persistent token objects.

Console output
===========
strace output of a failing scenario for testuser uid=1000(testuser) gid=1000(testuser) groups=1000(testuser),27(sudo),116(pkcs11) :

open("/var/lib/opencryptoki/lite/TOK_OBJ/00000000", O_WRONLY|O_CREAT|O_TRUNC, 0666) = -1 EACCES (Permission denied)
flock(6, LOCK_UN) = 0
write(1, "Error creating key object: 0x6\n", 31Error creating key object: 0x6
_________________________________________________________________
ls -l /var/lib/
...
drwxrwxr-x 8 root pkcs11 4096 Jun 17 14:29 opencryptoki
...
ls -la /var/lib/opencryptoki/
root@s8314002:/var/lib/opencryptoki# ll
total 32
drwxrwxr-x 8 root pkcs11 4096 Jun 20 12:26 ./
drwxr-xr-x 40 root root 4096 Jun 20 12:26 ../
drwxr-xr-x 3 root root 4096 Jun 20 12:26 ccatok/
drwxr-xr-x 3 root root 4096 Jun 20 12:26 ep11tok/
drwxr-xr-x 2 root root 4096 Apr 13 22:31 icsf/
drwxr-xr-x 3 root root 4096 Jun 20 12:26 lite/
drwxr-xr-x 3 root root 4096 Jun 20 12:26 swtok/
drwxr-xr-x 2 root root 4096 Apr 13 22:31 tpm/
_________________________________________________________________
The /var/lib/opencryptoki subdirectory structure is provided by the opencryptoki package:
 dpkg -L opencryptoki
/var/lib/opencryptoki/tpm
/var/lib/opencryptoki/swtok
/var/lib/opencryptoki/swtok/TOK_OBJ
/var/lib/opencryptoki/icsf
/var/lib/opencryptoki/ep11tok
/var/lib/opencryptoki/ep11tok/TOK_OBJ
/var/lib/opencryptoki/ccatok
/var/lib/opencryptoki/ccatok/TOK_OBJ
/var/lib/opencryptoki/lite
/var/lib/opencryptoki/lite/TOK_OBJ

== Comment: #4 - VINEETHA PISHARATH HARI PAI <email address hidden> - 2016-06-21 11:16:26 ==
The issue is described in the problem description.

Please create

/var/lib/opencryptoki/
/var/lib/opencryptoki/<token> where token=ccatok, ep11tok, icsf, lite, swtok, tpm
/var/lib/opencryptoki/<token>/TOK_OBJ with permissions 770, root ownership and pkcs11 group ownership.

The directory structure and permissions should look like this:
:~ # ls -la /var/lib/opencryptoki/
total 32
drwxr-xr-x 8 root pkcs11 4096 Jun 13 21:13 .
drwxr-xr-x 37 root root 4096 Jun 20 21:30 ..
drwxrwx--- 3 root pkcs11 4096 Jun 13 21:13 ccatok
drwxrwx--- 3 root pkcs11 4096 Jun 13 21:13 ep11tok
drwxrwx--- 2 root pkcs11 4096 Sep 23 2014 icsf
drwxrwx--- 3 root pkcs11 4096 Jun 13 21:13 lite
drwxrwx--- 3 root pkcs11 4096 Jun 13 21:13 swtok
drwxrwx--- 3 root pkcs11 4096 Sep 23 2014 tpm

Currently the directories are created with 'root' ownership and group, because of which a normal user (who is a member of pkcs11 group) cannot create persistent token objects on disk. The rpm spec should be modified to change the group and permissions as shown above.
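The following audit script is an added example (not part of the bug report or of the opencryptoki package): it walks a token directory tree and reports every directory whose owner, group or mode differs from what comment #4 requests (root:pkcs11, mode 770 on each token directory and each TOK_OBJ). It assumes GNU stat (`-c`), as on Ubuntu; the demo tree at the bottom is constructed with the current user and group in place of root:pkcs11, because chown to root:pkcs11 needs root.

```shell
#!/bin/sh
# Added example, not from the bug report or the opencryptoki package.
# audit_token_dirs BASE OWNER GROUP MODE
#   Checks BASE, every BASE/<token> and every BASE/<token>/TOK_OBJ.
#   Prints one MISMATCH line per deviating directory and returns
#   non-zero if any deviate, so it can gate a post-install check.
audit_token_dirs() {
    base=$1 owner=$2 group=$3 mode=$4
    bad=0
    for d in "$base" "$base"/*/ "$base"/*/TOK_OBJ; do
        d=${d%/}
        [ -d "$d" ] || continue            # unmatched glob or not a directory
        set -- $(stat -c '%U %G %a' "$d")  # GNU stat: $1=owner $2=group $3=mode
        if [ "$1" != "$owner" ] || [ "$2" != "$group" ] || [ "$3" != "$mode" ]; then
            printf 'MISMATCH %s is %s:%s %s, want %s:%s %s\n' \
                "$d" "$1" "$2" "$3" "$owner" "$group" "$mode"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Demo on a constructed tree (assumption: current user/group stand in for
# root:pkcs11). lite/TOK_OBJ is left at 755 to mimic the broken package,
# where only root could create persistent token objects there.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/lite/TOK_OBJ" "$demo_dir/swtok/TOK_OBJ"
chmod 770 "$demo_dir" "$demo_dir/lite" "$demo_dir/swtok" "$demo_dir/swtok/TOK_OBJ"
chmod 755 "$demo_dir/lite/TOK_OBJ"
if audit_token_dirs "$demo_dir" "$(id -un)" "$(id -gn)" 770; then
    echo "all token directories conform"
else
    echo "remediation: chown -R root:pkcs11 BASE; chmod 770 BASE BASE/* BASE/*/TOK_OBJ"
fi
rm -rf "$demo_dir"
```

Run it against the real tree as `audit_token_dirs /var/lib/opencryptoki root pkcs11 770` after installing the fixed package to confirm the layout shown above.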

== Comment: #7 - Heinz-Werner Seeck <email address hidden> - 2016-06-22 07:09:11 ==
Canonical please SRU this fix to 16.04. Thx

bugproxy (bugproxy)
tags: added: architecture-s39064 bugnameltc-142838 severity-medium targetmilestone-inin1604
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → opencryptoki (Ubuntu)
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
importance: Undecided → Medium
assignee: nobody → Dimitri John Ledkov (xnox)
bugproxy (bugproxy)
tags: added: targetmilestone-inin16041
removed: targetmilestone-inin1604
Changed in ubuntu-z-systems:
assignee: Dimitri John Ledkov (xnox) → nobody
Changed in opencryptoki (Ubuntu Xenial):
assignee: nobody → Dimitri John Ledkov (xnox)
Changed in opencryptoki (Ubuntu Yakkety):
assignee: Skipper Bug Screeners (skipper-screen-team) → Dimitri John Ledkov (xnox)
Changed in opencryptoki (Ubuntu Yakkety):
status: New → In Progress
Frank Heimes (fheimes)
no longer affects: opencryptoki
Changed in ubuntu-z-systems:
status: New → Triaged
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package opencryptoki - 3.5+dfsg-2

---------------
opencryptoki (3.5+dfsg-2) unstable; urgency=medium

  * QA upload.
  * Updated systemd-tmpfiles debian/opencryptoki.tmpfiles snippet to
    create TOK_OBJ per-token subdirectories with correct
    permissions. Upstream should probably ship tmpfiles snippet. LP:
    #1595192.
  * Import upstream patches to create/validate lock & lib directories for
    all tokens. LP: #1594386

 -- Dimitri John Ledkov <email address hidden> Tue, 16 Aug 2016 09:55:02 +0100

Changed in opencryptoki (Ubuntu Yakkety):
status: In Progress → Fix Released
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: Triaged → In Progress
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2016-08-24 12:03 EDT-------
Used "Ubuntu Yakkety Yak (development branch) 16.10" with '4.4.0-33-generic' kernel to verify.
Problem is fixed in the opencryptoki 3.5+dfsg-2 package.
The package was available to me after apt-get update,upgrade via universe section for yakkety.

Details:
tester@s83lp22:~$ ls -la /var/lib/opencryptoki/
total 32
drwxrwx--- 8 root pkcs11 4096 Aug 10 13:11 .
drwxr-xr-x 36 root root 4096 Aug 10 13:11 ..
drwxrwx--- 3 root pkcs11 4096 Aug 10 13:11 ccatok
drwxrwx--- 3 root pkcs11 4096 Aug 10 13:11 ep11tok
drwxrwx--- 3 root pkcs11 4096 Aug 24 17:46 icsf
drwxrwx--- 3 root pkcs11 4096 Aug 24 17:47 lite
drwxrwx--- 3 root pkcs11 4096 Aug 24 17:47 swtok
drwxrwx--- 3 root pkcs11 4096 Aug 24 17:47 tpm

Changed in opencryptoki (Ubuntu Xenial):
status: New → In Progress
Chris J Arges (arges) wrote : Please test proposed package

Hello bugproxy, or anyone else affected,

Accepted opencryptoki into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/opencryptoki/3.4.1+dfsg-1ubuntu4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification. Thank you in advance!

Changed in opencryptoki (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: In Progress → Fix Committed
tags: added: verification-done
removed: verification-needed
Chris J Arges (arges) wrote : Update Released

The verification of the Stable Release Update for opencryptoki has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package opencryptoki - 3.4.1+dfsg-1ubuntu4

---------------
opencryptoki (3.4.1+dfsg-1ubuntu4) xenial; urgency=medium

  * Updated systemd-tmpfiles debian/opencryptoki.tmpfiles snippet to
    create TOK_OBJ per-token subdirectories with correct
    permissions. Upstream should probably ship tmpfiles snippet. LP:
    #1595192.
  * Import upstream patches to create/validate lock & lib directories for
    all tokens. LP: #1594386

 -- Dimitri John Ledkov <email address hidden> Wed, 14 Sep 2016 14:23:23 +0100

Changed in opencryptoki (Ubuntu Xenial):
status: Fix Committed → Fix Released
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: Fix Committed → Fix Released
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2016-09-30 10:43 EDT-------
Installed opencryptoki debian package Version: 3.4.1+dfsg-1ubuntu4 and verified the access rights are OK now.

Details
=======
~# ls -ld /var/lib/opencryptoki/
drwxrwx--- 8 root pkcs11 4096 Sep 30 16:39 /var/lib/opencryptoki/

# ls -l /var/lib/opencryptoki/
total 24
drwxrwx--- 3 root pkcs11 4096 Sep 30 16:39 ccatok
drwxrwx--- 3 root pkcs11 4096 Sep 30 16:39 ep11tok
drwxrwx--- 3 root pkcs11 4096 Sep 30 16:39 icsf
drwxrwx--- 3 root pkcs11 4096 Sep 30 16:39 lite
drwxrwx--- 3 root pkcs11 4096 Sep 30 16:39 swtok
drwxrwx--- 2 root pkcs11 4096 Sep 14 17:10 tpm

------- Comment From <email address hidden> 2016-09-30 10:47 EDT-------
Forgot to mention: Used
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.1 LTS"
4.4.0-36-generic kernel

Mathew Hodson (mhodson)
Changed in opencryptoki (Ubuntu):
importance: Undecided → Medium
Changed in opencryptoki (Ubuntu Xenial):
importance: Undecided → Medium
Changed in opencryptoki (Ubuntu Yakkety):
importance: Undecided → Medium