Bug#860903: Current setup causes breakage when trying to use apt with pkcs11

Marga Manterola marga at google.com
Fri Apr 21 17:28:06 UTC 2017


Hi,

On Fri, Apr 21, 2017 at 7:10 PM Andreas Metzler <ametzler at bebt.de> wrote:

> > In my setup I have opencryptoki installed (because it's a dependency of
> > tpm-tools, not because I actually need opencryptoki).  This means that the
> > /etc/pkcs11 directory looks like this:
> >
> > $ ls -ld /etc/pkcs11 /etc/pkcs11/
> > lrwxrwxrwx 1 root root     21 Jan  3 14:14 /etc/pkcs11 -> /var/lib/opencryptoki
> > drwxrwx--- 8 root pkcs11 4096 Apr 21 10:33 /etc/pkcs11/
> [...]
>
> Isn't this where the actual breakage is located? Afaik /etc should
> contain configuration files, not symlinks to unreadable empty
> directories. Or are there special mitigating circumstances?
>
This is how the opencryptoki package is shipped:
http://sources.debian.net/src/opencryptoki/2.3.1%2Bdfsg-3/usr/lib/pkcs11/api/Makefile.am/?hl=47#L47

To be honest, I'm not sure if this is breaking policy or not.
https://www.debian.org/doc/debian-policy/ch-files.html#s-config-files seems
to say that symlinking is not ideal but possible.  Doesn't talk about the
permissions. It *is* possible to have files in /etc/ that are not world
readable.

Regardless of this, I see no reason why p11-kit should be ok with the file
not existing but not ok with it not being readable by the current process.

-- 
Cheers,
Marga
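As an added illustration of the behaviour argued for above (treating an unreadable config directory the same way as a missing one), here is a small config loader; it is example code written for this page, not p11-kit's implementation, and it assumes p11-kit-style `*.module` files with `key: value` lines.

```python
import errno
import os
import tempfile

MODULE_SUFFIX = ".module"  # p11-kit module-config file extension (assumed)


def classify_config_dir(path):
    """Return 'ok', 'missing' or 'unreadable' for a config directory.

    A symlink such as /etc/pkcs11 -> /var/lib/opencryptoki whose target is
    mode 0770 root:pkcs11 shows up as 'unreadable' for an unprivileged caller.
    """
    try:
        os.listdir(path)
    except OSError as e:
        if e.errno == errno.ENOENT:
            return "missing"
        if e.errno in (errno.EACCES, errno.EPERM):
            return "unreadable"
        raise  # EIO, ENOTDIR, ...: a real failure, not "no config"
    return "ok"


def load_module_configs(config_dir):
    """Parse every *.module file into {name: {key: value}}.

    Missing and unreadable directories both yield no modules (defaults apply),
    instead of failing hard only in the unreadable case.
    """
    if classify_config_dir(config_dir) != "ok":
        return {}
    modules = {}
    for name in sorted(os.listdir(config_dir)):
        if not name.endswith(MODULE_SUFFIX):
            continue
        entries = {}
        with open(os.path.join(config_dir, name)) as f:
            for line in f:
                line = line.strip()
                if not line or line.startswith("#") or ":" not in line:
                    continue
                key, _, value = line.partition(":")
                entries[key.strip()] = value.strip()
        modules[name[: -len(MODULE_SUFFIX)]] = entries
    return modules


def make_demo_dir():
    """Constructed fixture: a temp dir holding one sample module file."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "example.module"), "w") as f:
        f.write("# constructed sample, not a real module\n")
        f.write("module: example-pkcs11.so\ncritical: no\n")
    return d


if __name__ == "__main__":
    for p in (make_demo_dir(), "/definitely/not/here"):
        print(p, classify_config_dir(p), load_module_configs(p))
```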