- fix pkcsconf crash for non-root users (#10054661) - the libs subpackage must take care of creating the pkcs11 group, as it is the first to be installed
parent
84596f9c46
commit
102c73f31a
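--- a/opencryptoki-3.0-bz1054661.patch
+++ b/opencryptoki-3.0-bz1054661.patch
@@ -0,0 +1,59 @@
+From 95064291fe13d4ed98e195946d931fe779f8a48f Mon Sep 17 00:00:00 2001
+From: Joy Latten <jmlatten@linux.vnet.ibm.com>
+Date: Fri, 17 Jan 2014 10:33:19 -0600
+Subject: [PATCH] Problem: A regular user in pkcs11 group cannot issue pkcsconf
+-t. When shm_open() creates shared memory object, it honors umask of the
+caller. This patch ensures the shared memory has expected permissions when it
+is created.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Joy Latten <jmlatten@linux.vnet.ibm.com>
+Signed-off-by: Dan Horák <dan@danny.cz>
+---
+usr/lib/pkcs11/common/shared_memory.c | 27 ++++++++++++++++++++++-----
+1 file changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/usr/lib/pkcs11/common/shared_memory.c b/usr/lib/pkcs11/common/shared_memory.c
+index a8710c5..bf0411d 100644
+--- a/usr/lib/pkcs11/common/shared_memory.c
++++ b/usr/lib/pkcs11/common/shared_memory.c
+@@ -161,12 +161,29 @@ sm_open(const char *sm_name, int mode, void **p_addr, size_t len, int force)
+goto done;
+}
+
+- fd = shm_open(name, O_RDWR | O_CREAT, mode);
++ /* try and open first... */
++ fd = shm_open(name, O_RDWR, mode);
+if (fd < 0) {
+- rc = -errno;
+- SYS_ERROR(errno, "Failed to open shared memory \"%s\".\n",
+- name);
+- goto done;
++ /* maybe it needs to be created ... */
++ fd = shm_open(name, O_RDWR | O_CREAT, mode);
++ if (fd < 0) {
++ rc = -errno;
++ SYS_ERROR(errno,
++ "Failed to open shared memory \"%s\".\n",
++ name);
++ goto done;
++ } else {
++ /* umask may have altered permissions if we created
++ * the shared memory in above call, so set proper
++ * permissions just in case.
++ */
++ if (fchmod(fd, mode) == -1) {
++ rc = -errno;
++ SYS_ERROR(errno, "fchmod(%s): %s\n",
++ name, strerror(errno));
++ goto done;
++ }
++ }
+}
+
+/*
+--
+1.8.1.4
+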
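Review bot: The fchmod failure branch jumps to `done` with the freshly created descriptor still open; unless the `done:` label (outside the hunk) closes `fd`, the error path should read `close(fd); fd = -1; goto done;` so a failed permission fix-up does not leak the shm descriptor. The create call still uses O_CREAT without O_EXCL, so if the object comes into existence between the two shm_open calls it is reused and fchmod is applied to an object this process did not create; that behaviour is inherited from the removed line rather than introduced here, but it is worth a comment. The retry also assumes the first open failed with ENOENT, whereas any other errno (EACCES, for example) is retried as a create attempt; a comment such as `/* only ENOENT is expected here; other errors will fail again below */` would make that explicit. sm_open's body begins and ends outside the hunk.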
@ -3,7 +3,7 @@
|
|||||||
Name: opencryptoki
|
Name: opencryptoki
|
||||||
Summary: Implementation of the PKCS#11 (Cryptoki) specification v2.11
|
Summary: Implementation of the PKCS#11 (Cryptoki) specification v2.11
|
||||||
Version: 3.0
|
Version: 3.0
|
||||||
Release: 7%{?dist}
|
Release: 8%{?dist}
|
||||||
License: CPL
|
License: CPL
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
URL: http://sourceforge.net/projects/opencryptoki
|
URL: http://sourceforge.net/projects/opencryptoki
|
||||||
@ -19,12 +19,14 @@ Patch1: %{name}-3.0-pkcsconf-man.patch
|
|||||||
Patch2: %{name}-3.0-unit.patch
|
Patch2: %{name}-3.0-unit.patch
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1001729
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1001729
|
||||||
# http://sourceforge.net/p/opencryptoki/opencryptoki/ci/b50eb39e3cf8ccfdb735fbddfcdae10bdb70e1c4/
|
# http://sourceforge.net/p/opencryptoki/opencryptoki/ci/b50eb39e3cf8ccfdb735fbddfcdae10bdb70e1c4/
|
||||||
Patch3: opencryptoki-3.0-opencryptoki-man.patch
|
Patch3: %{name}-3.0-opencryptoki-man.patch
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1033284
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1033284
|
||||||
# post-3.0 upstream fixes
|
# post-3.0 upstream fixes
|
||||||
Patch4: opencryptoki-3.0-bz1033284.patch
|
Patch4: %{name}-3.0-bz1033284.patch
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1037228
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1037228
|
||||||
Patch5: opencryptoki-3.0-format.patch
|
Patch5: %{name}-3.0-format.patch
|
||||||
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1054661
|
||||||
|
Patch6: %{name}-3.0-bz1054661.patch
|
||||||
Requires(pre): shadow-utils coreutils sed
|
Requires(pre): shadow-utils coreutils sed
|
||||||
BuildRequires: openssl-devel
|
BuildRequires: openssl-devel
|
||||||
BuildRequires: trousers-devel
|
BuildRequires: trousers-devel
|
||||||
@ -170,10 +172,23 @@ cryptographic hardware such as IBM 4764 or 4765 that uses the
|
|||||||
%patch3 -p1 -b .opencryptoki-man
|
%patch3 -p1 -b .opencryptoki-man
|
||||||
%patch4 -p1 -b .bz1033284
|
%patch4 -p1 -b .bz1033284
|
||||||
%patch5 -p1 -b .format
|
%patch5 -p1 -b .format
|
||||||
|
%patch6 -p1 -b .bz1054661
|
||||||
|
|
||||||
# Upstream tarball has unnecessary executable perms set on the sources
|
# Upstream tarball has unnecessary executable perms set on the sources
|
||||||
find . -name '*.[ch]' -print0 | xargs -0 chmod -x
|
find . -name '*.[ch]' -print0 | xargs -0 chmod -x
|
||||||
|
|
||||||
|
# append token specific subdirs to tmpfiles.d config
|
||||||
|
token_subdirs="icsf swtok tpm"
|
||||||
|
%ifarch s390 s390x
|
||||||
|
token_subdirs="$token_subdirs lite cca"
|
||||||
|
%endif
|
||||||
|
|
||||||
|
cp -p %{SOURCE1} %{name}-tmpfiles.conf
|
||||||
|
for d in $token_subdirs
|
||||||
|
do
|
||||||
|
echo "D /var/lock/opencryptoki/$d 0770 root pkcs11 -" >> %{name}-tmpfiles.conf
|
||||||
|
done
|
||||||
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
./bootstrap.sh
|
./bootstrap.sh
|
||||||
@ -197,7 +212,7 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/%{name}/stdll/*.la
|
|||||||
|
|
||||||
# systemd must create /var/lock/opencryptoki
|
# systemd must create /var/lock/opencryptoki
|
||||||
mkdir -p $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d
|
mkdir -p $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d
|
||||||
install -m 0644 %{SOURCE1} $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d/%{name}.conf
|
install -m 0644 %{name}-tmpfiles.conf $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d/%{name}.conf
|
||||||
|
|
||||||
|
|
||||||
%post libs -p /sbin/ldconfig
|
%post libs -p /sbin/ldconfig
|
||||||
@ -218,7 +233,7 @@ install -m 0644 %{SOURCE1} $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d/%{name}.conf
|
|||||||
%postun ccatok -p /sbin/ldconfig
|
%postun ccatok -p /sbin/ldconfig
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%pre
|
%pre libs
|
||||||
getent group pkcs11 >/dev/null || groupadd -r pkcs11
|
getent group pkcs11 >/dev/null || groupadd -r pkcs11
|
||||||
exit 0
|
exit 0
|
||||||
|
|
||||||
@ -250,6 +265,7 @@ exit 0
|
|||||||
%{_libdir}/pkcs11/methods
|
%{_libdir}/pkcs11/methods
|
||||||
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}
|
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}
|
||||||
%dir %attr(770,root,pkcs11) %{_localstatedir}/lock/%{name}
|
%dir %attr(770,root,pkcs11) %{_localstatedir}/lock/%{name}
|
||||||
|
%dir %attr(770,root,pkcs11) %{_localstatedir}/lock/%{name}/*
|
||||||
|
|
||||||
%files libs
|
%files libs
|
||||||
%doc LICENSE
|
%doc LICENSE
|
||||||
@ -258,7 +274,7 @@ exit 0
|
|||||||
# needs them in the main package, because:
|
# needs them in the main package, because:
|
||||||
# pkcs11_startup looks for opencryptoki/stdll/*.so, and
|
# pkcs11_startup looks for opencryptoki/stdll/*.so, and
|
||||||
# documentation suggests that programs should dlopen "PKCS11_API.so".
|
# documentation suggests that programs should dlopen "PKCS11_API.so".
|
||||||
%dir %{_libdir}/opencryptoki
|
%dir %{_libdir}/opencryptoki/
|
||||||
%{_libdir}/opencryptoki/libopencryptoki.*
|
%{_libdir}/opencryptoki/libopencryptoki.*
|
||||||
%{_libdir}/opencryptoki/PKCS11_API.so
|
%{_libdir}/opencryptoki/PKCS11_API.so
|
||||||
%dir %{_libdir}/opencryptoki/stdll
|
%dir %{_libdir}/opencryptoki/stdll
|
||||||
@ -273,11 +289,14 @@ exit 0
|
|||||||
%files swtok
|
%files swtok
|
||||||
%{_libdir}/opencryptoki/stdll/libpkcs11_sw.*
|
%{_libdir}/opencryptoki/stdll/libpkcs11_sw.*
|
||||||
%{_libdir}/opencryptoki/stdll/PKCS11_SW.so
|
%{_libdir}/opencryptoki/stdll/PKCS11_SW.so
|
||||||
|
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/
|
||||||
|
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/TOK_OBJ/
|
||||||
|
|
||||||
%files tpmtok
|
%files tpmtok
|
||||||
%doc doc/README.tpm_stdll
|
%doc doc/README.tpm_stdll
|
||||||
%{_libdir}/opencryptoki/stdll/libpkcs11_tpm.*
|
%{_libdir}/opencryptoki/stdll/libpkcs11_tpm.*
|
||||||
%{_libdir}/opencryptoki/stdll/PKCS11_TPM.so
|
%{_libdir}/opencryptoki/stdll/PKCS11_TPM.so
|
||||||
|
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/tpm/
|
||||||
|
|
||||||
%files icsftok
|
%files icsftok
|
||||||
%doc doc/README.icsf_stdll
|
%doc doc/README.icsf_stdll
|
||||||
@ -285,21 +304,31 @@ exit 0
|
|||||||
%{_mandir}/man1/pkcsicsf.1*
|
%{_mandir}/man1/pkcsicsf.1*
|
||||||
%{_libdir}/opencryptoki/stdll/libpkcs11_icsf.*
|
%{_libdir}/opencryptoki/stdll/libpkcs11_icsf.*
|
||||||
%{_libdir}/opencryptoki/stdll/PKCS11_ICSF.so
|
%{_libdir}/opencryptoki/stdll/PKCS11_ICSF.so
|
||||||
|
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/icsf/
|
||||||
|
|
||||||
%ifarch s390 s390x
|
%ifarch s390 s390x
|
||||||
%files icatok
|
%files icatok
|
||||||
%{_libdir}/opencryptoki/stdll/libpkcs11_ica.*
|
%{_libdir}/opencryptoki/stdll/libpkcs11_ica.*
|
||||||
%{_libdir}/opencryptoki/stdll/PKCS11_ICA.so
|
%{_libdir}/opencryptoki/stdll/PKCS11_ICA.so
|
||||||
|
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/
|
||||||
|
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/TOK_OBJ/
|
||||||
|
|
||||||
%files ccatok
|
%files ccatok
|
||||||
%doc doc/README-IBM_CCA_users
|
%doc doc/README-IBM_CCA_users
|
||||||
%doc doc/README.cca_stdll
|
%doc doc/README.cca_stdll
|
||||||
%{_libdir}/opencryptoki/stdll/libpkcs11_cca.*
|
%{_libdir}/opencryptoki/stdll/libpkcs11_cca.*
|
||||||
%{_libdir}/opencryptoki/stdll/PKCS11_CCA.so
|
%{_libdir}/opencryptoki/stdll/PKCS11_CCA.so
|
||||||
|
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ccatok/
|
||||||
|
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ccatok/TOK_OBJ/
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Jan 20 2014 Dan Horák <dan[at]danny.cz> - 3.0-8
|
||||||
|
- include token specific directories (#1013017, #1045775, #1054442)
|
||||||
|
- fix pkcsconf crash for non-root users (#10054661)
|
||||||
|
- the libs subpackage must care of creating the pkcs11 group, it's the first to be installed
|
||||||
|
|
||||||
* Tue Dec 03 2013 Dan Horák <dan[at]danny.cz> - 3.0-7
|
* Tue Dec 03 2013 Dan Horák <dan[at]danny.cz> - 3.0-7
|
||||||
- fix build with -Werror=format-security (#1037228)
|
- fix build with -Werror=format-security (#1037228)
|
||||||
|
|
||||||
|