Re: [PATCH] simplify blob handling

On Wed, 2016-02-03 at 11:21 +0100, Thomas Haller wrote:
On Wed, 2016-02-03 at 10:40 +0100, Matthias Berndt wrote:
Hi Thomas,

Hi Matthias,

(CC-ing mailing list)

I didn't look at it very closely, but I'd suggest using more
permissions for the certificate files. The current code leads to
in the log files:
WARNING: file '/home/mberndt/.cert/client-key.pem' is group or
WARNING: file '/home/mberndt/.cert/test-client-ta.pem' is group or
others accessible

I actually did that in a first version of the patches.

But then I thought, the import code is run by $USER, putting the
to ~$USER/.certs.

The openvpn process is run as nm-openvpn:nm-openvpn (or root:root --
depending whether chroot succeeds). I don't think we can restrict the
file permissions there.

... which really shows how inherently broken it is to handle
certificates in files (client-side).

What is your suggestion?

Ok, I tested it. openvpn reads the files ~before~ setuid. So it
actually works.

Added a patch
  "properties: fix permissions of imported certificates to be user-readable only"

worked for me still with dropping privileges.


Attachment: signature.asc
Description: This is a digitally signed message part

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]