Comment 3 for bug 963587

kimj (emailadhoc) wrote:

As a temporary workaround, I hacked trousers' init script:

        start)
                log_daemon_msg "Starting $DESC" "$NAME"

                if [ ! -e /dev/tpm* ]
                then
                        log_warning_msg "device driver not loaded, skipping."
                        exit 0
                fi
                chown tss:tss /dev/tpm*
                chown -R tss:tss /var/lib/tpm
                start-stop-daemon --start --quiet --oknodo --pidfile /var/run/${NAME}.pid --user ${USER} --chuid ${USER} --exec ${DAEMON} -- ${DAEMON_OPTS}
                RETVAL="$?"
                log_end_msg $RETVAL
                [ "$RETVAL" = 0 ] && pidof $DAEMON > /var/run/${NAME}.pid
                exit $RETVAL
                ;;

I simply added:

                chown tss:tss /dev/tpm*
                chown -R tss:tss /var/lib/tpm

and now the daemon starts. The change of ownership of /var/lib/tpm should however be done by the package postinst script, and the change of ownership on the tpm device via udev; a permissions check should still be added to the init script, and maybe some 'form' of temporary remediation too.
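The permissions check the comment asks for, as an added example that is not part of the bug report or of the trousers package: a shell function that reports every TPM device node or state directory not owned by the daemon user, so the init script can fail loudly instead of chown-ing from the start arm. The function name, the parameters and the sample call are assumptions; it relies on GNU `stat -c`.

```shell
# Added example (not trousers code): verify that every path passed in exists
# and is owned by the expected user. Returns 0 only if all checks pass and
# prints one diagnostic per problem, so the init script can refuse to start
# the daemon and point at the real fix (udev rule / postinst) rather than
# silently changing ownership each boot.
check_tpm_perms() {
    user="$1"; shift
    rc=0
    for p in "$@"; do
        if [ ! -e "$p" ]; then
            # An unexpanded glob such as /dev/tpm* lands here when no device
            # node exists, so a missing driver is reported instead of crashing
            # the [ ... ] test with multiple arguments.
            echo "check_tpm_perms: $p does not exist" >&2
            rc=1
            continue
        fi
        owner=$(stat -c '%U' "$p" 2>/dev/null) || { rc=1; continue; }
        if [ "$owner" != "$user" ]; then
            echo "check_tpm_perms: $p is owned by $owner, expected $user" >&2
            rc=1
        fi
    done
    return $rc
}

# Hypothetical use inside the start) arm of the init script; the glob is
# expanded by the shell, so several device nodes are all checked:
#   check_tpm_perms "$USER" /dev/tpm* /var/lib/tpm || {
#       log_failure_msg "TPM device or /var/lib/tpm not owned by $USER"
#       exit 1
#   }
```

The function only reads ownership, so it can be exercised as an unprivileged user against files in a temporary directory.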