The new ebuild for partimaged sets some permissions on ebuild config incorrectly. The partimaged.cert must have 0600 permissions, and be owned by at least partimag:root, as with the partimaged.key file.
partimaged.cert contains NOTHING private, therefore does not need to be 0600. I don't want partimaged to be able to change its cert, so owned by root:root is correct.
I am not questioning your motives but am rather questioning what works. Below are all combinations of 600 644 root:root partimag:root... At first it is 644 and partimag:root, then 644 with root:root, then 600 with root:root and finally, 600 with partimag:root :

confucius partimaged # ls -l partimaged.cert
-rw------- 1 partimag root 3498 Apr 26 13:31 partimaged.cert
confucius partimaged # chmod 644 partimaged.cert
confucius partimaged # partimaged
error when verifying /etc/partimaged/partimaged.cert, check logfile for help
logfile is /var/log/partimaged.log
if you don't have logfile, use partimaged --debug=1
confucius partimaged # chown root:root partimaged.cert
confucius partimaged # partimaged
error when verifying /etc/partimaged/partimaged.cert, check logfile for help
logfile is /var/log/partimaged.log
if you don't have logfile, use partimaged --debug=1
confucius partimaged # chmod 600 partimaged.cert
confucius partimaged # partimaged
27351:error:0200100D:system library:fopen:Permission denied:bss_file.c:276:fopen('/etc/partimaged/partimaged.cert','r')
27351:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:278:
27351:error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib:ssl_rsa.c:515:
confucius partimaged # chown partimag:root partimaged.cert
confucius partimaged # partimaged <- Now it runs
Looking at upstream's code, it's a definite bug in their work. I'll look at a fix.
OK, I've disabled partimage's stupid checks for permissions. It doesn't need them as they are, and it's more secure with it properly configured by the ebuild. Should a hole ever be found, we'll be better protected. And I tested it this time as well, with the user login and SSL functionality, and it works 100%.
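
The ownership and mode policy argued for in this thread (a public cert the daemon can read but not change, a private key restricted to the service user), written as an audit function. This is an added example, not part of the original comments or of partimage; it assumes GNU `stat`, takes the service user as an argument, and uses "world-readable" as a simplified readability test for the cert.

```shell
#!/bin/sh
# Added example (not from the thread or the partimage project).
# Assumes GNU coreutils `stat -c`; the service user name is supplied by the caller.

# audit_tls_file KIND PATH SERVICE_USER
#   cert: public material. The daemon must be able to read it but not alter it,
#         so it must not be owned by the service user, must have no group/other
#         write bit, and (simplification) must be world-readable.
#   key:  private material. Owned by the service user, no group/other access.
# Prints one line per finding; returns 0 if the file meets the policy, else 1.
audit_tls_file() {
    kind=$1; path=$2; svc=$3; rc=0
    if [ ! -f "$path" ]; then
        echo "$path: not a regular file"; return 1
    fi
    owner=$(stat -c '%U' "$path")
    mode=$(stat -c '%a' "$path")      # octal digits, e.g. 644
    bits=$((0$mode))                  # leading 0 makes the shell parse it as octal
    case $kind in
    cert)
        [ "$owner" != "$svc" ] || { echo "$path: owned by $svc, daemon can change its own cert"; rc=1; }
        [ $((bits & 022)) -eq 0 ] || { echo "$path: group/other writable (mode $mode)"; rc=1; }
        [ $((bits & 004)) -ne 0 ] || { echo "$path: not world-readable (mode $mode)"; rc=1; }
        ;;
    key)
        [ "$owner" = "$svc" ] || { echo "$path: owner is $owner, expected $svc"; rc=1; }
        [ $((bits & 077)) -eq 0 ] || { echo "$path: group/other access on private key (mode $mode)"; rc=1; }
        ;;
    *)
        echo "unknown kind '$kind' (use cert or key)"; return 1
        ;;
    esac
    return $rc
}

# Stand-alone use: ./audit.sh cert /etc/partimaged/partimaged.cert partimag
if [ "$#" -eq 3 ]; then
    audit_tls_file "$1" "$2" "$3"
fi
```

A root:root cert at mode 600 fails the readability check here, which matches the `fopen ... Permission denied` seen in the session above.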