Bug#860903: Current setup causes breakage when trying to use apt with pkcs11
Marga Manterola
marga at google.com
Fri Apr 21 14:48:44 UTC 2017
Package: libp11-kit0
Version: 0.23.3-2
Severity: important
In my setup I have opencryptoki installed (because it's a dependency of
tpm-tools, not because I actually need opencryptoki). This means that the
/etc/pkcs11 directory looks like this:
$ ls -ld /etc/pkcs11 /etc/pkcs11/
lrwxrwxrwx 1 root root 21 Jan 3 14:14 /etc/pkcs11 -> /var/lib/opencryptoki
drwxrwx--- 8 root pkcs11 4096 Apr 21 10:33 /etc/pkcs11/
I also have an apt configuration that is pointing apt to use a pkcs11
provider.
When doing the actual https run, apt runs with the user "_apt" and group
"nogroup". This means that apt has no permission to access the /etc/pkcs11
directory as shipped by opencryptoki.
So, this happens:
p11-kit: couldn't open config file: /etc/pkcs11/pkcs11.conf: Permission denied
The workaround is to change the permissions of the directory to add world
execution:
sudo chmod o+x /etc/pkcs11
While this is ok as a workaround, it seems rather silly that libp11-kit
works fine when the file doesn't exist (there's no pkcs11.conf inside
/etc/pkcs11), but not when it can't access it. This is rooted in this line:
http://sources.debian.net/src/p11-kit/0.23.3-2/p11-kit/conf.c/?hl=201#L220
config = _p11_conf_parse_file (system_conf, NULL, CONF_IGNORE_MISSING);
Making this change would fix the issue:
config = _p11_conf_parse_file (system_conf, NULL, CONF_IGNORE_MISSING | CONF_IGNORE_ACCESS_DENIED);
--
Cheers,
Marga
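The distinction the report draws, between a config file that is absent and one that exists but cannot be reached, comes down to which errno open(2) returns and which of those the loader has been told to tolerate. The following is an added example (not p11-kit's code and not part of the bug report) that models that decision in isolation: the flag names EX_IGNORE_MISSING and EX_IGNORE_ACCESS_DENIED are this example's own, loosely modelled on the two flag names cited above, and ex_classify_error / ex_load_config are hypothetical helpers written for illustration. Note that EACCES is also what a process gets when a directory on the path lacks search (x) permission for it, which is exactly the /etc/pkcs11 situation described in the report.

```c
/* Added example: treat "config file missing" and "config file not
 * accessible" as two separately ignorable conditions when loading an
 * optional system-wide config. All names here are this example's own,
 * not p11-kit's API. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum {
    EX_IGNORE_MISSING       = 1 << 0, /* ENOENT is not a hard error */
    EX_IGNORE_ACCESS_DENIED = 1 << 1, /* EACCES is not a hard error */
};

enum ex_result {
    EX_OK      = 0,   /* file opened; a real loader would parse it here */
    EX_IGNORED = 1,   /* absent or unreadable, and the caller allowed that */
    EX_FAILED  = -1,  /* hard error: the caller did not allow this case */
};

/* Map the errno from a failed open(2) onto the outcome the caller asked for.
 * EACCES covers both an unreadable file and an untraversable directory on
 * the path, so it is the case the report's _apt/nogroup scenario hits. */
enum ex_result ex_classify_error(int err, int flags)
{
    switch (err) {
    case ENOENT:
        return (flags & EX_IGNORE_MISSING) ? EX_IGNORED : EX_FAILED;
    case EACCES:
        return (flags & EX_IGNORE_ACCESS_DENIED) ? EX_IGNORED : EX_FAILED;
    default:
        return EX_FAILED;
    }
}

/* Try to open an optional config file read-only and classify the result.
 * Only a hard failure is logged, mirroring the message seen in the report. */
enum ex_result ex_load_config(const char *path, int flags)
{
    int fd = open(path, O_RDONLY);
    if (fd >= 0) {
        /* parsing of the file would happen here */
        close(fd);
        return EX_OK;
    }
    int err = errno;
    enum ex_result r = ex_classify_error(err, flags);
    if (r == EX_FAILED)
        fprintf(stderr, "couldn't open config file: %s: %s\n",
                path, strerror(err));
    return r;
}

int main(void)
{
    /* Constructed path: does not exist, so open() fails with ENOENT. */
    const char *absent = "/nonexistent-example-dir/pkcs11.conf";

    /* With only "ignore missing", an absent file is fine ... */
    enum ex_result a = ex_load_config(absent, EX_IGNORE_MISSING);
    /* ... but an EACCES on the same call would be a hard failure, which is
     * the behaviour the report describes; adding the second flag tolerates
     * it as well. */
    enum ex_result b = ex_classify_error(EACCES, EX_IGNORE_MISSING);
    enum ex_result c = ex_classify_error(EACCES,
                                         EX_IGNORE_MISSING | EX_IGNORE_ACCESS_DENIED);

    printf("absent file, ignore-missing only: %d\n", a);   /* 1 = ignored */
    printf("EACCES, ignore-missing only:     %d\n", b);    /* -1 = failed  */
    printf("EACCES, both flags:              %d\n", c);    /* 1 = ignored */
    return 0;
}
```

The classifier keeps the policy (which failures are tolerable) separate from the I/O, which is what makes the single-flag fix proposed in the report a one-line change rather than a restructuring. On a real system the same question can be asked from the shell before touching permissions, e.g. `sudo -u _apt cat /etc/pkcs11/pkcs11.conf`, which will report "Permission denied" for the untraversable-directory case and "No such file or directory" for the genuinely missing one.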