Re: [PATCH] simplify blob handling
- From: Dan Williams <dcbw redhat com>
- To: Thomas Haller <thaller redhat com>, Matthias Berndt <Matthias_Berndt gmx de>
- Cc: networkmanager-list gnome org
- Subject: Re: [PATCH] simplify blob handling
- Date: Wed, 03 Feb 2016 09:50:02 -0600
On Wed, 2016-02-03 at 11:21 +0100, Thomas Haller wrote:
> On Wed, 2016-02-03 at 10:40 +0100, Matthias Berndt wrote:
> > Hi Thomas,
>
> Hi Matthias,
> (CC-ing mailing list)
>
> > I didn't look at it very closely, but I'd suggest using more conservative
> > permissions for the certificate files. The current code leads to warnings
> > in the log files:
> >
> > WARNING: file '/home/mberndt/.cert/client-key.pem' is group or others accessible
> > WARNING: file '/home/mberndt/.cert/test-client-ta.pem' is group or others accessible
>
> I actually did that in a first version of the patches.
> But then I thought, the import code is run by $USER, putting the files
> in ~$USER/.certs.
> The openvpn process is run as nm-openvpn:nm-openvpn (or root:root --
> depending on whether chroot succeeds). I don't think we can restrict the
> file permissions there.
>
> ... which really shows how inherently broken it is to handle
> certificates in files (client-side).

Yeah, it can be broken as root should not necessarily be able to read
normal user files; more of a problem if/when openvpn drops permissions
too.

> What is your suggestion?

PKCS#11, URIs, and a certificate store :) Alternatively the
certificates could be made "secret" in the VPN data and then retrieved
from the secret agent in the user session, but it's much better to just
use a certificate store.

Dan

> Thomas
>
> > Cheers,
> > Matthias
> >
> > Sent: Friday, 29 January 2016 at 14:55
> > From: "Thomas Haller" <thaller redhat com>
> > To: "Matthias Berndt" <Matthias_Berndt gmx de>, networkmanager-list@gnome.org
> > Subject: Re: [PATCH] simplify blob handling
> >
> > On Tue, 2016-01-26 at 22:57 +0100, Matthias Berndt wrote:
> > > Hi,
> > > here's the patch to simplify blob handling.
> > > Cheers,
> > > Matthias
> >
> > Hey Matthias,
> > after merging your patch, I reworked the import code more.
> > https://git.gnome.org/browse/network-manager-openvpn/log/?h=th/ovpn-import-bgo761285
> > https://bugzilla.gnome.org/show_bug.cgi?id=761285
> > It's currently under review, but I think this branch should eventually get
> > merged.
> > Just in case you wanted to do another cleanup. Or would be interested
> > in testing/reviewing it...
> > ciao,
_______________________________________________
networkmanager-list mailing list
networkmanager-list gnome org
https://mail.gnome.org/mailman/listinfo/networkmanager-list
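As an added illustration of the permission problem the thread is circling (example code written for this page; it is not NetworkManager's or OpenVPN's code), the script below does two things: it reproduces the kind of "group or others accessible" check that produces the warning Matthias quoted, and it models the plain POSIX read check to show why Thomas cannot simply chmod the files to 0600. The numeric uids (1000 for the importing user, 999 for nm-openvpn) and the key file contents are constructed placeholders, not values from the thread.

```python
import os
import stat
import tempfile

# Any permission bit for group or others: the condition behind the
# "is group or others accessible" warning quoted in the thread.
GROUP_OR_OTHERS = stat.S_IRWXG | stat.S_IRWXO


def check_key_file(path):
    """Return a warning line for a key/cert file that group or others can
    touch, or None if only the owner has any access bits."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & GROUP_OR_OTHERS:
        return "WARNING: file '%s' is group or others accessible" % path
    return None


def can_read(mode, file_uid, file_gid, uid, gids):
    """Simplified POSIX discretionary-access read check.

    Owner bits apply if uid matches, else group bits if any of the
    caller's groups match, else the 'other' bits.  uid 0 (root) bypasses
    these checks entirely, which is why root:root can still read a 0600
    key in somebody else's home directory."""
    if uid == 0:
        return True
    if uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def demo():
    """Reproduce the situation from the thread with a constructed key file:
    written by the importing user, later read by the VPN process."""
    tmp = tempfile.mkdtemp()
    key = os.path.join(tmp, "client-key.pem")
    with open(key, "w") as f:
        # Constructed placeholder, not a real key.
        f.write("-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n")

    os.chmod(key, 0o644)          # what a umask of 022 typically leaves behind
    warning_loose = check_key_file(key)
    os.chmod(key, 0o600)          # the "more conservative" permissions
    warning_tight = check_key_file(key)

    # Hypothetical numeric ids, not taken from the thread or any real system.
    USER, NM_OPENVPN, ROOT = 1000, 999, 0

    result = {
        "warning_at_0644": warning_loose is not None,
        "warning_at_0600": warning_tight is not None,
        # nm-openvpn is neither the owner nor in the owner's group.
        "nm_openvpn_reads_0644": can_read(0o644, USER, USER, NM_OPENVPN, {NM_OPENVPN}),
        "nm_openvpn_reads_0600": can_read(0o600, USER, USER, NM_OPENVPN, {NM_OPENVPN}),
        # root reads the file regardless of the mode bits.
        "root_reads_0600": can_read(0o600, USER, USER, ROOT, {ROOT}),
    }

    os.remove(key)
    os.rmdir(tmp)
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-24s %s" % (name, value))
```

Running it shows the bind Thomas describes: 0600 silences the warning, but then a process running as nm-openvpn can no longer open the key, while a root-run process reads it either way. Keeping the files readable by another uid is exactly what the warning flags, which is why the thread's answer is to stop handing the key around as a file (a certificate store or PKCS#11 token, or a secret fetched from the user's secret agent) rather than to tune the mode bits.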