Bug#860903: Current setup causes breakage when trying to use apt with pkcs11

Andreas Metzler ametzler at bebt.de
Fri Apr 21 17:36:45 UTC 2017


On 2017-04-21 Marga Manterola <marga at google.com> wrote:
> On Fri, Apr 21, 2017 at 7:10 PM Andreas Metzler <ametzler at bebt.de> wrote:
[...]
>>> /etc/pkcs11 directory looks like this:

>>> $ ls -ld /etc/pkcs11 /etc/pkcs11/
>>> lrwxrwxrwx 1 root root     21 Jan  3 14:14 /etc/pkcs11 ->
>>> /var/lib/opencryptoki
>>> drwxrwx--- 8 root pkcs11 4096 Apr 21 10:33 /etc/pkcs11/
[...]
>> Isn't this where the actual breakage is located? Afaik /etc should
>> contain configuration files, not symlinks to unreadable empty
>> directories. Or are there special mitigating circumstances?

> This is how the opencryptoki package is shipped:
> http://sources.debian.net/src/opencryptoki/2.3.1%2Bdfsg-3/usr/lib/pkcs11/api/Makefile.am/?hl=47#L47

I know, I double-checked, I was wondering about your opinion. ;-)

> To be honest, I'm not sure if this is breaking policy or not.
> https://www.debian.org/doc/debian-policy/ch-files.html#s-config-files seems
> to say that symlinking is not ideal but possible.  Doesn't talk about the
> permissions. It *is* possible to have files in /etc/ that are not world
> readable

Policy allows symlinks pointing *to* files in /etc as workaround, not
the other way round.

> Regardless of this, I see no reason why p11-kit should be ok with the file
> not existing but not ok with it not being readable by the current process.

I will forward upstream.

cu Andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
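As an added illustration of the behaviour Marga argues for (not p11-kit's own code, and the function and enum names are assumptions), this probe treats a configuration directory that is missing and one that exists but is unreadable by the current process the same way, while still reporting why, including the symlink target in the /etc/pkcs11 -> /var/lib/opencryptoki case:

```c
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed names, not p11-kit's API. */
enum config_status {
    CONFIG_PRESENT, /* directory opened; caller may read its entries   */
    CONFIG_ABSENT,  /* missing or unreadable: carry on with defaults   */
    CONFIG_ERROR    /* anything else (EMFILE, EIO, ...): report loudly */
};

/* Probe `path`. ENOENT and EACCES both mean "no usable configuration
 * here" from this process's point of view, so both map to
 * CONFIG_ABSENT rather than one of them aborting the PKCS#11 module
 * lookup. `reason` (optional) receives a short diagnostic string. */
enum config_status probe_config_dir(const char *path, char *reason, size_t len)
{
    char target[256];
    struct stat st;
    DIR *d = opendir(path);

    if (d != NULL) {
        closedir(d);
        if (reason) snprintf(reason, len, "readable");
        return CONFIG_PRESENT;
    }
    int err = errno; /* opendir failed; keep errno before other calls */

    if (reason) {
        /* If the path is a symlink, say where it points, as in the ls output above. */
        ssize_t n = (lstat(path, &st) == 0 && S_ISLNK(st.st_mode))
                  ? readlink(path, target, sizeof target - 1) : -1;
        if (n >= 0) {
            target[n] = '\0';
            snprintf(reason, len, "%s (symlink -> %s)", strerror(err), target);
        } else {
            snprintf(reason, len, "%s", strerror(err));
        }
    }
    switch (err) {
    case ENOENT:  /* does not exist */
    case ENOTDIR: /* a component is not a directory */
    case EACCES:  /* exists, but this uid/gid cannot read it (the /etc/pkcs11 case) */
        return CONFIG_ABSENT;
    default:
        return CONFIG_ERROR;
    }
}
```

Note that a root process will open a mode 0770 root:pkcs11 directory regardless, so the EACCES branch only shows up for unprivileged callers such as apt's methods.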