49048 2004-04-26 10:37 0000 Partimage 0.6.4 gives incorrect SSL permissions 2004-05-14 00:10:18 0000 1 1 1 Unclassified Gentoo Linux Ebuilds unspecified All Linux RESOLVED FIXED P2 normal --- 1 r2d2@gentoo.org robbat2@gentoo.org r2d2@gentoo.org 2004-04-26 10:37:00 0000 The new ebuild for partimaged sets some permissions on ebuild config incorrectly. The partimaged.cert must have 0600 permissions, and be owned by at least partimag:root, as with the partimaged.key file. robbat2@gentoo.org 2004-04-28 02:01:30 0000 partimaged.cert contains NOTHING private, therefore does not need to be 0600. i don't want partimaged to be able to change it's cert, so owned by root:root is correct. r2d2@gentoo.org 2004-04-28 05:29:50 0000 I a not questioning your motives but am rather questioning what works. Below is all combinations of 600 644 root:root partimag:root... At first it it 644 and partimag:root, then 644 with root:root, then 600 with root:root and finally, 600 with partimag:root : confucius partimaged # ls -l partimaged.cert -rw------- 1 partimag root 3498 Apr 26 13:31 partimaged.cert confucius partimaged # chmod 644 partimaged.cert confucius partimaged # partimaged error when verifying /etc/partimaged/partimaged.cert, check logfile for help logfile is /var/log/partimaged.log if you don't have logfile, use partimaged --debug=1 confucius partimaged # chown root:root partimaged.cert confucius partimaged # partimaged error when verifying /etc/partimaged/partimaged.cert, check logfile for help logfile is /var/log/partimaged.log if you don't have logfile, use partimaged --debug=1 confucius partimaged # chmod 600 partimaged.cert confucius partimaged # partimaged 27351:error:0200100D:system library:fopen:Permission denied:bss_file.c:276:fopen('/etc/partimaged/partimaged.cert','r') 27351:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:278: 27351:error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib:ssl_rsa.c:515: confucius partimaged # chown partimag:root partimaged.cert confucius partimaged # partimaged <- Now it runs robbat2@gentoo.org 2004-05-12 21:14:23 0000 looking at upstream's code, it's a definate bug in their work. i'll look at a fix. robbat2@gentoo.org 2004-05-14 00:10:18 0000 ok, i've disabled partimage's stupid checks for permissions. it doesn't need them as they are, and it's more secure with it properly configured by the ebuild. should a hole ever be found, we'll be better protected. and i tested it this time as well, with the user login and SSL functionality and it works 100%.