On Wed, 2016-02-03 at 11:21 +0100, Thomas Haller wrote:
> On Wed, 2016-02-03 at 10:40 +0100, Matthias Berndt wrote:
> > Hi Thomas,
>
> Hi Matthias, (CC-ing mailing list)
>
> > I didn't look at it very closely, but I'd suggest using more conservative permissions for the certificate files. The current code leads to warnings in the log files:
> >
> > WARNING: file '/home/mberndt/.cert/client-key.pem' is group or others accessible
> > WARNING: file '/home/mberndt/.cert/test-client-ta.pem' is group or others accessible
>
> I actually did that in a first version of the patches. But then I thought, the import code is run by $USER, putting the files to ~$USER/.certs. The openvpn process is run as nm-openvpn:nm-openvpn (or root:root -- depending whether chroot succeeds). I don't think we can restrict the file permissions there.
>
> ... which really shows how inherently broken it is to handle certificates in files (client-side).
>
> What is your suggestion?

Ok, I tested it. openvpn reads the files ~before~ setuid. So it actually works.

Added a patch "properties: fix permissions of imported certificates to be user-readable only". Worked for me, still with dropping privileges.

Thomas
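The thread settles on one point: the importer runs as the user, so it can create the key and CA files owner-only (0600) and openvpn, which opens them before it drops privileges, is still able to read them while its "group or others accessible" warning goes away. The following C program is an added example written for this page, not code from NetworkManager-openvpn or from the patch Thomas mentions. The function names (`write_private_file`, `fix_private_file_mode`, `is_group_others_accessible`, `demo_permission_fix`), the scratch directory under /tmp and the PEM-looking string are all assumptions made here; the permission check reproduces the condition the openvpn warning text describes (any mode bit set for group or others), not openvpn's actual source.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The condition the openvpn warning in the thread describes: any permission
 * bit set for group or others. Returns 1 if so, 0 if owner-only, -1 on error. */
int is_group_others_accessible(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) ? 1 : 0;
}

/* Create a new file readable and writable by the owner only and write the
 * key or certificate bytes into it. O_EXCL refuses to clobber an existing
 * file, O_NOFOLLOW refuses to write through a symlink planted at the path,
 * and the 0600 creation mode can only be narrowed by umask, never widened,
 * so no separate chmod is needed for a freshly created file. */
int write_private_file(const char *path, const void *data, size_t len)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;
    const char *p = data;
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            close(fd);
            unlink(path);
            return -1;
        }
        p += n;
        len -= (size_t)n;
    }
    if (close(fd) != 0) {
        unlink(path);
        return -1;
    }
    return 0;
}

/* Tighten a file that an earlier import already wrote with loose permissions. */
int fix_private_file_mode(const char *path)
{
    return chmod(path, S_IRUSR | S_IWUSR);
}

/* Walk through the scenario from the thread in a scratch directory: a key
 * written 0644 trips the check, tightening it clears the check, and a key
 * written with write_private_file() never trips it (and cannot be silently
 * overwritten). Returns 0 on success or the number of the first failing step. */
int demo_permission_fix(void)
{
    char dir[] = "/tmp/nm-openvpn-demo.XXXXXX";   /* assumed scratch location */
    if (mkdtemp(dir) == NULL)
        return 1;
    char loose[PATH_MAX], tight[PATH_MAX];
    snprintf(loose, sizeof loose, "%s/client-key-loose.pem", dir);
    snprintf(tight, sizeof tight, "%s/client-key.pem", dir);

    /* Constructed stand-in for PEM content; not a real key. */
    static const char key[] =
        "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n";
    int rc = 0;

    /* "Before": the importer creates the file and leaves it world-readable.
     * fchmod forces 0644 even under a restrictive umask so the step is deterministic. */
    int fd = open(loose, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0 || fchmod(fd, 0644) != 0 ||
        write(fd, key, sizeof key - 1) != (ssize_t)(sizeof key - 1) || close(fd) != 0) {
        rc = 2; goto out;
    }
    if (is_group_others_accessible(loose) != 1) { rc = 3; goto out; }

    /* The follow-up fix for files that already exist. */
    if (fix_private_file_mode(loose) != 0)          { rc = 4; goto out; }
    if (is_group_others_accessible(loose) != 0)     { rc = 5; goto out; }

    /* "After": import directly with owner-only permissions. */
    if (write_private_file(tight, key, sizeof key - 1) != 0) { rc = 6; goto out; }
    if (is_group_others_accessible(tight) != 0)     { rc = 7; goto out; }

    /* A second import must not silently overwrite the first. */
    if (write_private_file(tight, key, sizeof key - 1) == 0 || errno != EEXIST) { rc = 8; goto out; }

out:
    unlink(loose);
    unlink(tight);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = demo_permission_fix();
    printf("demo_permission_fix: %s (step %d)\n", rc == 0 ? "ok" : "failed", rc);
    return rc;
}
```

Note that setting the mode at creation time matters more than fixing it afterwards: a chmod after an unprivileged write leaves a window in which another local user can read the key, whereas a file created 0600 is never readable by anyone else. The O_EXCL and O_NOFOLLOW flags guard the import against a pre-planted symlink in ~/.cert, a separate concern from the warning in the thread but one the same open() call can cover for free.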