Bug 1478172

Summary: [PATCH] update-ca-trust: Use P11_KIT_NO_USER_CONFIG
Product: Fedora
Reporter: Colin Walters <walters>
Component: ca-certificates
Assignee: Kai Engert (:kaie) (inactive account) <kengert>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: dueno, jorton, kengert, pwouters, stefw, tmraz
Fixed In Version: ca-certificates-2017.2.16-4.fc27
Last Closed: 2017-08-15 14:11:34 UTC
Type: Bug

Attachments:
[PATCH] update-ca-trust: Use P11_KIT_NO_USER_CONFIG (flags: none)

Description Colin Walters 2017-08-03 19:27:00 UTC
From 63145aca6a469dc030e6f9ac0327e931ac2dfc22 Mon Sep 17 00:00:00 2001
From: Colin Walters <walters>
Date: Thu, 3 Aug 2017 15:24:33 -0400
Subject: [PATCH] update-ca-trust: Use P11_KIT_NO_USER_CONFIG

See: https://github.com/p11-glue/p11-kit/pull/87

Currently `ca-certificates.spec` in Fedora ends up doing in `%post`:
```
/usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite --comment $DEST/openssl/ca-bundle.trust.crt
```
etc.

And due to this bit of code in p11-kit, we end up looking for the home directory
for configuration. In "traditional" dnf/yum, that'd be `/root`.

It's categorically wrong to do this; the root user is distinct from "the
system". This issue is equivalent to one I fixed in Pango:
https://git.gnome.org/browse/pango/commit/?id=aecbe27c1b08f517c0e05f03308d3ac55cef490c

Fast forward to today, and the reason I'm making this change is I'm working on
`rpm-ostree ex container`, which builds containers as *non-root* (like
gnome-continuous does, but now with RPMs), keeping the invoking uid. And this
bug causes the `ca-certificates` `%post` to fail because it's trying to look for
my uid 1000 which doesn't exist in the target rootfs' password database.

Again, there's no reason to be looking for a home directory for system triggers,
regardless of UID, so once this patch lands, I'll update `ca-certificates` to use
it, and traditional RPM `%post` will stop looking in `/root` too.
---
 update-ca-trust | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/update-ca-trust b/update-ca-trust
index d65f248..c477062 100644
--- a/update-ca-trust
+++ b/update-ca-trust
@@ -11,8 +11,12 @@ DEST=/etc/pki/ca-trust/extracted
 
 # OpenSSL PEM bundle that includes trust flags
 # (BEGIN TRUSTED CERTIFICATE)
-/usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite --comment $DEST/openssl/ca-bundle.trust.crt
-/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth $DEST/pem/tls-ca-bundle.pem
-/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email $DEST/pem/email-ca-bundle.pem
-/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing $DEST/pem/objsign-ca-bundle.pem
-/usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth $DEST/java/cacerts
+p11_extract() {
+    # https://github.com/p11-glue/p11-kit/pull/87
+    env P11_KIT_NO_USER_CONFIG=1 /usr/bin/p11-kit extract "$@"
+}
+p11_extract --format=openssl-bundle --filter=certificates --overwrite --comment $DEST/openssl/ca-bundle.trust.crt
+p11_extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth $DEST/pem/tls-ca-bundle.pem
+p11_extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email $DEST/pem/email-ca-bundle.pem
+p11_extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing $DEST/pem/objsign-ca-bundle.pem
+p11_extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth $DEST/java/cacerts
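Review bot: The `p11_extract()` wrapper re-applies `env P11_KIT_NO_USER_CONFIG=1` on each of the five calls; since every p11-kit invocation in this script should skip user configuration, a single `export P11_KIT_NO_USER_CONFIG=1` after `DEST=/etc/pki/ca-trust/extracted` would do the same with less indirection and would also cover any extract call added to the script later. The comment above the `env` line carries only the pull-request URL; it should state what the variable does (stop `p11-kit extract` from reading the invoking user's configuration out of their home directory) and that p11-kit releases predating it ignore the variable, so on those the script behaves exactly as before. Separately, `$DEST/...` stays unquoted on all five lines; harmless for the fixed path here, but `"$DEST/..."` is the safer habit.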
-- 
2.13.3

Comment 1 Colin Walters 2017-08-03 19:27:30 UTC
Created attachment 1308863 [details]
[PATCH] update-ca-trust: Use P11_KIT_NO_USER_CONFIG

Comment 2 Jan Kurik 2017-08-15 08:14:40 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.

Comment 3 Kai Engert (:kaie) (inactive account) 2017-08-15 11:13:22 UTC
If I understand your report correctly, p11-kit attempts to read a configuration file stored in the effective user's home directory.

You have changed p11-kit to support an environment variable that prevents it from doing so, and you are suggesting that the ca-certificates package sets this variable when running p11-kit.

Comment 4 Kai Engert (:kaie) (inactive account) 2017-08-15 11:27:35 UTC
Daiki, Stef, can you think of any reason why "p11-kit extract" would require access to the root user's p11-kit configuration file?

If I understand correctly, we're talking about the pkcs11.conf, and I guess a user could use it to configure additional pkcs11 modules.

In theory, someone could have configured a pkcs#11 module that contains root CAs. I don't know if that could have resulted in additional root CAs (those from the additional pkcs#11 modules) to be added into the exported bundle files. With the suggested change from here, the CAs from such additional pkcs#11 modules would be excluded.

This seems to be a rather exotic configuration. I'm OK to disable the config file reading, and hope that nobody will report a regression.

Regarding the suggested patch, I think it should be fine to set the environment variable just once in the update-ca-trust script.

Comment 5 Kai Engert (:kaie) (inactive account) 2017-08-15 11:41:41 UTC
The env var seems to be introduced with p11-kit 0.23.8 which hasn't been packaged for rawhide yet. Should I bump the package version requirement, and wait until the updated p11-kit package is available?

Comment 6 Colin Walters 2017-08-15 13:02:23 UTC
I think it's fine to apply the patch now, and not to add a hard version requirement; the variable will simply do nothing with earlier versions of p11-kit.
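The two practical points raised on this page, that a system-level trust extraction must not consult the invoking user's configuration (the description) and that p11-kit releases before 0.23.8 silently ignore `P11_KIT_NO_USER_CONFIG` (comments 5 and 6), can be made explicit in a wrapper script. The script below is an added example, not code from this bug, from the ca-certificates package or from p11-kit; it assumes the 0.23.8 threshold quoted in the discussion, that `p11-kit --version` prints the version as the last word of its first line, and an example destination path; the `P11_KIT` variable and the `--run` flag exist only so the file can be sourced or tested without side effects.

```shell
#!/bin/sh
# Added example, not code from this bug or from the ca-certificates package.
# Trust-extraction wrapper that makes the discussion's two points explicit:
#   1. p11-kit reads user configuration from the invoking user's home
#      directory unless P11_KIT_NO_USER_CONFIG is set; a system-level %post
#      must not depend on that (or on the uid even existing in the target
#      rootfs), so the variable is exported once for the whole script;
#   2. p11-kit releases before 0.23.8 silently ignore the variable, so the
#      installed version is checked before the script relies on it.
# Assumptions: the 0.23.8 threshold (from the bug discussion), that
# "p11-kit --version" prints the version as the last word of its first line,
# and the destination path; P11_KIT only lets a test point at a stand-in.
set -eu

MIN_P11_KIT=0.23.8

# version_ge A B: exit 0 if dotted-decimal version A >= B, else 1.
# Missing trailing components count as 0: "0.23" < "0.23.8", "0.24" >= "0.23.8".
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*}; bx=${b%%.*}
        [ -n "$ax" ] || ax=0
        [ -n "$bx" ] || bx=0
        [ "$ax" -gt "$bx" ] && return 0
        [ "$ax" -lt "$bx" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# p11_kit_version: print the installed p11-kit version (empty if not found).
p11_kit_version() {
    "${P11_KIT:-/usr/bin/p11-kit}" --version 2>/dev/null | awk 'NR == 1 { print $NF }'
}

# require_no_user_config_support VERSION: exit 0 if that p11-kit honours
# P11_KIT_NO_USER_CONFIG, 1 with a diagnostic if it would silently ignore it.
require_no_user_config_support() {
    if version_ge "${1:-0}" "$MIN_P11_KIT"; then
        return 0
    fi
    echo "p11-kit '${1:-unknown}' ignores P11_KIT_NO_USER_CONFIG (need >= $MIN_P11_KIT)" >&2
    return 1
}

# Exported once for the whole script rather than per call: no p11-kit
# invocation below may read the invoking user's configuration.
export P11_KIT_NO_USER_CONFIG=1

# p11_extract ARGS...: run "p11-kit extract" under that policy.
p11_extract() {
    "${P11_KIT:-/usr/bin/p11-kit}" extract "$@"
}

# Real work only when invoked as "sh this-script.sh --run", so that sourcing
# the file for its functions (or testing them) has no side effects.
if [ "${1:-}" = "--run" ]; then
    require_no_user_config_support "$(p11_kit_version)"
    DEST=${DEST:-/etc/pki/ca-trust/extracted}   # example destination path
    p11_extract --format=pem-bundle --filter=ca-anchors --overwrite --comment \
        --purpose server-auth "$DEST/pem/tls-ca-bundle.pem"
fi
```

The version gate is the caveat from comment 6 turned into a hard check: on a host whose p11-kit predates the variable the script stops with a diagnostic instead of quietly extracting with the old, home-directory-dependent behaviour.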