Bug 49048 - Partimage 0.6.4 gives incorrect SSL permissions
Bug#: 49048 Product:  Gentoo Linux Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: normal Priority: P2
Resolution: FIXED Assigned To: robbat2@gentoo.org Reported By: r2d2@gentoo.org
Component: Ebuilds
URL: 
Summary: Partimage 0.6.4 gives incorrect SSL permissions
Keywords:  
Status Whiteboard: 
Opened: 2004-04-26 10:37 0000
Description:   Opened: 2004-04-26 10:37 0000 
The new ebuild for partimaged sets some permissions on ebuild config
incorrectly.

The partimaged.cert must have 0600 permissions, and be owned by at least
partimag:root, as with the partimaged.key file.

------- Comment #1 From Robin Johnson 2004-04-28 02:01:30 0000 ------- 
partimaged.cert contains NOTHING private, therefore does not need to be 0600.
i don't want partimaged to be able to change it's cert, so owned by root:root is correct.

------- Comment #2 From Robert Paskowitz (RETIRED) 2004-04-28 05:29:50 0000 ------- 
I a not questioning your motives but am rather questioning what works. Below is
all combinations of 600 644 root:root partimag:root... At first it it 644 and
partimag:root, then 644 with root:root, then 600 with root:root and finally,
600 with partimag:root :


confucius partimaged # ls -l partimaged.cert
-rw-------    1 partimag root         3498 Apr 26 13:31 partimaged.cert
confucius partimaged # chmod 644 partimaged.cert
confucius partimaged # partimaged
error when verifying /etc/partimaged/partimaged.cert, check logfile for help
logfile is /var/log/partimaged.log
if you don't have logfile, use partimaged --debug=1
confucius partimaged # chown root:root partimaged.cert
confucius partimaged # partimaged
error when verifying /etc/partimaged/partimaged.cert, check logfile for help
logfile is /var/log/partimaged.log
if you don't have logfile, use partimaged --debug=1
confucius partimaged # chmod 600 partimaged.cert
confucius partimaged # partimaged
27351:error:0200100D:system library:fopen:Permission
denied:bss_file.c:276:fopen('/etc/partimaged/partimaged.cert','r')
27351:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:278:
27351:error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system
lib:ssl_rsa.c:515:
confucius partimaged # chown partimag:root partimaged.cert
confucius partimaged # partimaged         <- Now it runs

------- Comment #3 From Robin Johnson 2004-05-12 21:14:23 0000 ------- 
looking at upstream's code, it's a definate bug in their work.
i'll look at a fix.

------- Comment #4 From Robin Johnson 2004-05-14 00:10:18 0000 ------- 
ok, i've disabled partimage's stupid checks for permissions.
it doesn't need them as they are, and it's more secure with it properly configured by the ebuild.
should a hole ever be found, we'll be better protected.

and i tested it this time as well, with the user login and SSL functionality and it works 100%.