Bug 1087926

Summary: file permissions of pkcs11.txt/secmod.db must be kept when modified by NSS
Product: Red Hat Enterprise Linux 7 Reporter: Hubert Kario <hkario>
Component: nss-util Assignee: Elio Maldonado Batiz <emaldona>
Status: CLOSED ERRATA QA Contact: Hubert Kario <hkario>
Severity: high Docs Contact:
Priority: urgent    
Version: 7.1 CC: djasa, emaldona, eparis, hkario, jkurik, kengert, ksrot, mcrha, qe-baseos-security, rrelyea, sforsber, tlavigne
Target Milestone: rc Keywords: Regression
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: NSS changed the permissions of the existing pkcs11.txt file, reverting to the strict default of 0600, even when the file previously had other permissions.
Consequence: This prevented users from adding security modules to their own configuration, which is accomplished via access to the system-wide security databases. If the user has root access, the system database is modified; otherwise, the user's own default database is the one that is modified.
Fix: NSS now keeps the strict default 0600 permissions for new files while preserving the existing permissions when replacing an existing pkcs11.txt file.
Result: Users can now make the necessary modifications to the NSS security module database.
Story Points: ---
Clone Of: 990631 Environment:
Last Closed: 2015-03-05 08:27:39 UTC Type: Bug
Bug Depends On: 990631    
Bug Blocks: 993793, 1002222, 1086308    
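
The behaviour described in the Doc Text above (0600 for a newly created file, existing mode kept when the file is replaced) can be sketched as follows. This is an added example, not code from NSS or from this bug; the helper names `mode_of` and `replace_keep_mode` and the `.tmp` suffix are assumptions made for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: permission bits of path, or -1 if stat fails. */
int mode_of(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}

/* Hypothetical helper: replace path with data via temp file + rename.
 * An existing file keeps its mode; a new file gets 0600. */
int replace_keep_mode(const char *path, const char *data, size_t len)
{
    char tmp[4096];
    struct stat st;
    mode_t mode = 0600;                  /* strict default for new files */
    int fd;

    if (stat(path, &st) == 0)
        mode = st.st_mode & 07777;       /* preserve existing permissions */
    else if (errno != ENOENT)
        return -1;                       /* cannot tell: refuse to guess */

    if (snprintf(tmp, sizeof tmp, "%s.tmp", path) >= (int)sizeof tmp)
        return -1;
    /* O_EXCL: never write through a pre-existing temp file or symlink. */
    fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;

    /* fchmod ignores umask, so the final mode is exactly the recorded one. */
    if (write(fd, data, len) != (ssize_t)len || fchmod(fd, mode) != 0 ||
        fsync(fd) != 0) {
        close(fd);
        unlink(tmp);
        return -1;
    }
    if (close(fd) != 0 || rename(tmp, path) != 0) {
        unlink(tmp);
        return -1;
    }
    return 0;
}
```

The temporary file stays at 0600 while it is being written and only receives the recorded mode just before the rename, so the content is never exposed with wider permissions than the file it replaces.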

Comment 2 Bob Relyea 2014-04-22 21:39:04 UTC
I agree this should be 7.1 or 7.0z

Comment 15 errata-xmlrpc 2015-03-05 08:27:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0364.html