On Wed, 2016-02-03 at 10:40 +0100, Matthias Berndt wrote:
> Hi Thomas,

Hi Matthias, (CC-ing mailing list)

> I didn't look at it very closely, but I'd suggest using more conservative
> permissions for the certificate files. The current code leads to warnings
> in the log files:
> WARNING: file '/home/mberndt/.cert/client-key.pem' is group or others accessible
> WARNING: file '/home/mberndt/.cert/test-client-ta.pem' is group or others accessible

I actually did that in a first version of the patches. But then I thought, the import code is run by $USER, putting the files to ~$USER/.certs. The openvpn process is run as nm-openvpn:nm-openvpn (or root:root -- depending whether chroot succeeds). I don't think we can restrict the file permissions there.

... which really shows how inherently broken it is to handle certificates in files (client-side).

What is your suggestion?

Thomas
> Cheers,
> Matthias
>
> > Sent: Friday, 29 January 2016 at 14:55
> > From: "Thomas Haller" <thaller redhat com>
> > To: "Matthias Berndt" <Matthias_Berndt gmx de>, networkmanager-list @gnome.org
> > Subject: Re: [PATCH] simplify blob handling
> >
> > On Tue, 2016-01-26 at 22:57 +0100, Matthias Berndt wrote:
> > > Hi,
> > > here's the patch to simplify blob handling.
> > > Cheers,
> > > Matthias
> >
> > Hey Matthias,
> >
> > after merging your patch, I reworked the import code more.
> >
> > https://git.gnome.org/browse/network-manager-openvpn/log/?h=th/ovpn-import-bgo761285
> > https://bugzilla.gnome.org/show_bug.cgi?id=761285
> >
> > It's currently on review, but I think this branch should eventually get merged.
> >
> > Just in case you wanted to do another cleanup. Or would be interested in testing/reviewing it...
> >
> > ciao,
> > Thomas