
group.of.nepali.translators team mailing list archive

[Bug 1595192] Re: OpenCryptoki: change group permission to pkcs11 for all /var/lib/opencryptoki token subdirs


This bug was fixed in the package opencryptoki - 3.5+dfsg-2

---------------
opencryptoki (3.5+dfsg-2) unstable; urgency=medium

  * QA upload.
  * Updated systemd-tmpfiles debian/opencryptoki.tmpfiles snippet to
    create TOK_OBJ per-token subdirectories with correct
    permissions. Upstream should probably ship tmpfiles snippet. LP:
    #1595192.
  * Import upstream patches to create/validate lock & lib directories for
    all tokens. LP: #1594386

 -- Dimitri John Ledkov <xnox@xxxxxxxxxx>  Tue, 16 Aug 2016 09:55:02 +0100

** Changed in: opencryptoki (Ubuntu Yakkety)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1595192

Title:
  OpenCryptoki: change group permission to pkcs11 for all
  /var/lib/opencryptoki token subdirs

Status in Ubuntu on IBM z Systems:
  Triaged
Status in opencryptoki package in Ubuntu:
  Fix Released
Status in opencryptoki source package in Xenial:
  New
Status in opencryptoki source package in Yakkety:
  Fix Released

Bug description:
  == Comment: #0 - Christian Rund <Christian.Rund@xxxxxxxxxx> - 2016-06-20 06:43:40 ==
  Problem description
  ==============
  The ownerships for the token (sub)directories in /var/lib/opencryptoki/ are set to root,root in the current version of the 'opencryptoki 3.4.1+dfsg-1ubuntu3 package'.

  They need to be recursively set to root,pkcs11. Especially the TOK_OBJ
  subdirectories need to have pkcs11 group ownership, as the access
  concept is to permit pkcs11 group members creating persistent token
  objects.

  
  Console output
  ===========
  strace output of a failing scenario for testuser uid=1000(testuser) gid=1000(testuser) groups=1000(testuser),27(sudo),116(pkcs11) :

  open("/var/lib/opencryptoki/lite/TOK_OBJ/00000000", O_WRONLY|O_CREAT|O_TRUNC, 0666) = -1 EACCES (Permission denied)
  flock(6, LOCK_UN)                       = 0
  write(1, "Error creating key object: 0x6\n", 31Error creating key object: 0x6
  _________________________________________________________________
  ls -l ls -l /var/lib/
  ...
  drwxrwxr-x 8 root pkcs11 4096 Jun 17 14:29 opencryptoki
  ...
  ls -la /var/lib/opencryptoki/
  root@s8314002:/var/lib/opencryptoki# ll
  total 32
  drwxrwxr-x  8 root pkcs11 4096 Jun 20 12:26 ./
  drwxr-xr-x 40 root root   4096 Jun 20 12:26 ../
  drwxr-xr-x  3 root root   4096 Jun 20 12:26 ccatok/
  drwxr-xr-x  3 root root   4096 Jun 20 12:26 ep11tok/
  drwxr-xr-x  2 root root   4096 Apr 13 22:31 icsf/
  drwxr-xr-x  3 root root   4096 Jun 20 12:26 lite/
  drwxr-xr-x  3 root root   4096 Jun 20 12:26 swtok/
  drwxr-xr-x  2 root root   4096 Apr 13 22:31 tpm/
  _________________________________________________________________
  The /var/lib/opencryptoki subdirectory structure is provided by the opencryptoki package:
   dpkg -L opencryptoki
  /var/lib/opencryptoki/tpm
  /var/lib/opencryptoki/swtok
  /var/lib/opencryptoki/swtok/TOK_OBJ
  /var/lib/opencryptoki/icsf
  /var/lib/opencryptoki/ep11tok
  /var/lib/opencryptoki/ep11tok/TOK_OBJ
  /var/lib/opencryptoki/ccatok
  /var/lib/opencryptoki/ccatok/TOK_OBJ
  /var/lib/opencryptoki/lite
  /var/lib/opencryptoki/lite/TOK_OBJ

  == Comment: #4 - VINEETHA PISHARATH HARI PAI <vpishar@xxxxxxxxxx> - 2016-06-21 11:16:26 ==
  The issue is described in the problem description.

  Please create

  /var/lib/opencryptoki/
  /var/lib/opencryptoki/<token> where token=ccatok, ep11tok, icsf, lite, swtok, tpm
  /var/lib/opencryptoki/<token>/TOK_OBJ  with permissions 770, root ownership and pkcs11 group ownership.

  The directory structure and permissions should look like this 
  :~ # ls -la /var/lib/opencryptoki/
  total 32
  drwxr-xr-x  8 root pkcs11 4096 Jun 13 21:13 .
  drwxr-xr-x 37 root root   4096 Jun 20 21:30 ..
  drwxrwx---  3 root pkcs11 4096 Jun 13 21:13 ccatok
  drwxrwx---  3 root pkcs11 4096 Jun 13 21:13 ep11tok
  drwxrwx---  2 root pkcs11 4096 Sep 23  2014 icsf
  drwxrwx---  3 root pkcs11 4096 Jun 13 21:13 lite
  drwxrwx---  3 root pkcs11 4096 Jun 13 21:13 swtok
  drwxrwx---  3 root pkcs11 4096 Sep 23  2014 tpm

  
  Currently the directories are created with 'root' ownership and group, because of which a normal user (who is a member of pkcs11 group) cannot create persistent token objects on disk. The rpm spec should be modified to change the group and permissions as shown above.

  == Comment: #7 - Heinz-Werner Seeck <heinz-werner_seeck@xxxxxxxxxx> - 2016-06-22 07:09:11 ==
  Canonical please SRU this fix to 16.04. Thx
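The changelog says the fix was a systemd-tmpfiles snippet that creates the per-token TOK_OBJ directories with the right permissions, and comment #4 spells out the layout that snippet has to produce (root:pkcs11, mode 770 on every token directory and its TOK_OBJ). The script below is an added example, not the bug reporters' text and not the actual debian/opencryptoki.tmpfiles shipped by the package: `tmpfiles_snippet` emits tmpfiles.d lines for that layout (the 0755 mode on the base directory and the exact snippet content are assumptions; the token names are taken from the `dpkg -L` listing above), and `check_token_dirs` audits an existing tree against the same expectation, so a mis-packaged install like the `ls -la` output in comment #0 shows up as MISMATCH lines. It assumes a Linux `stat -c`; the OWNER and GROUP arguments exist only so the check can be exercised in a scratch directory without root.

```shell
#!/bin/sh
# Added example (not from the bug report or the opencryptoki package).
# Token names come from the bug's `dpkg -L opencryptoki` listing.
TOKENS="ccatok ep11tok icsf lite swtok tpm"

# tmpfiles_snippet [BASE]
# Print tmpfiles.d(5) lines describing the layout requested in comment #4:
# the base directory root:pkcs11 0755 (assumed, matching the listing there),
# each token directory and its TOK_OBJ root:pkcs11 0770.  The real
# debian/opencryptoki.tmpfiles is not shown in the bug; this is an assumption.
tmpfiles_snippet() {
    base=${1:-/var/lib/opencryptoki}
    printf 'd %s 0755 root pkcs11 -\n' "$base"
    for tok in $TOKENS; do
        printf 'd %s/%s 0770 root pkcs11 -\n' "$base" "$tok"
        printf 'd %s/%s/TOK_OBJ 0770 root pkcs11 -\n' "$base" "$tok"
    done
}

# check_token_dirs BASE OWNER GROUP
# For every token directory under BASE, and its TOK_OBJ subdirectory when
# present, compare owner, group and mode with OWNER, GROUP and 770.
# Prints one MISMATCH line per offending directory; returns 1 if any
# was found, 0 if the whole tree matches.  On a real system call it as
# check_token_dirs /var/lib/opencryptoki root pkcs11.
check_token_dirs() {
    base=$1
    want="770 $2 $3"
    bad=0
    for tok in $TOKENS; do
        for d in "$base/$tok" "$base/$tok/TOK_OBJ"; do
            [ -d "$d" ] || continue
            have=$(stat -c '%a %U %G' "$d")
            if [ "$have" != "$want" ]; then
                echo "MISMATCH $d: have '$have', want '$want'"
                bad=1
            fi
        done
    done
    return $bad
}

# Stand-alone use: no arguments prints the snippet; BASE OWNER GROUP
# arguments audit an existing tree and set the exit status accordingly.
case $# in
    0) tmpfiles_snippet ;;
    3) check_token_dirs "$1" "$2" "$3" ;;
esac
```

With the 3.4.1 layout from comment #0 (token directories 755 root:root), the audit flags every token directory and TOK_OBJ; after the tmpfiles snippet has been applied it exits 0 and a pkcs11 group member can create the `TOK_OBJ/00000000` file that the strace shows failing with EACCES.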

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1595192/+subscriptions