Bug 1478172 - [PATCH] update-ca-trust: Use P11_KIT_NO_USER_CONFIG
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: ca-certificates
Version: rawhide
Severity: unspecified
Assigned To: Kai Engert (:kaie)
QA Contact: Fedora Extras Quality Assurance
Reported: 2017-08-03 15:27 EDT by Colin Walters
Modified: 2017-08-15 10:11 EDT

Fixed In Version: ca-certificates-2017.2.16-4.fc27
Last Closed: 2017-08-15 10:11:34 EDT
Type: Bug

Attachments
[PATCH] update-ca-trust: Use P11_KIT_NO_USER_CONFIG (3.13 KB, patch)
2017-08-03 15:27 EDT, Colin Walters
kengert: review? (kengert)
Description Colin Walters 2017-08-03 15:27:00 EDT
From 63145aca6a469dc030e6f9ac0327e931ac2dfc22 Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@verbum.org>
Date: Thu, 3 Aug 2017 15:24:33 -0400
Subject: [PATCH] update-ca-trust: Use P11_KIT_NO_USER_CONFIG

See: https://github.com/p11-glue/p11-kit/pull/87

Currently `ca-certificates.spec` in Fedora ends up doing in `%post`:
```
/usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite --comment $DEST/openssl/ca-bundle.trust.crt
```
etc.

And due to this bit of code in p11-kit, we end up looking for the home directory
for configuration. In "traditional" dnf/yum, that'd be `/root`.

It's categorically wrong to do this; the root user is distinct from "the
system". This issue is equivalent to one I fixed in Pango:
https://git.gnome.org/browse/pango/commit/?id=aecbe27c1b08f517c0e05f03308d3ac55cef490c

Fast forward to today, and the reason I'm making this change is I'm working on
`rpm-ostree ex container`, which builds containers as *non-root* (like
gnome-continuous does, but now with RPMs), keeping the invoking uid. And this
bug causes the `ca-certificates` `%post` to fail because it's trying to look for
my uid 1000 which doesn't exist in the target rootfs' password database.

Again, there's no reason to be looking for a home directory for system triggers,
regardless of UID, so once this patch lands, I'll update `ca-certificates` to use
it, and traditional RPM `%post` will stop looking in `/root` too.
---
 update-ca-trust | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/update-ca-trust b/update-ca-trust
index d65f248..c477062 100644
--- a/update-ca-trust
+++ b/update-ca-trust
@@ -11,8 +11,12 @@ DEST=/etc/pki/ca-trust/extracted
 
 # OpenSSL PEM bundle that includes trust flags
 # (BEGIN TRUSTED CERTIFICATE)
-/usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite --comment $DEST/openssl/ca-bundle.trust.crt
-/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth $DEST/pem/tls-ca-bundle.pem
-/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email $DEST/pem/email-ca-bundle.pem
-/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing $DEST/pem/objsign-ca-bundle.pem
-/usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth $DEST/java/cacerts
+p11_extract() {
+    # https://github.com/p11-glue/p11-kit/pull/87
+    env P11_KIT_NO_USER_CONFIG=1 /usr/bin/p11-kit extract "$@"
+}
+p11_extract --format=openssl-bundle --filter=certificates --overwrite --comment $DEST/openssl/ca-bundle.trust.crt
+p11_extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth $DEST/pem/tls-ca-bundle.pem
+p11_extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email $DEST/pem/email-ca-bundle.pem
+p11_extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing $DEST/pem/objsign-ca-bundle.pem
+p11_extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth $DEST/java/cacerts
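Review bot: the comment inside `p11_extract()` only cites a pull-request URL, so a reader of this script is left to discover what `P11_KIT_NO_USER_CONFIG=1` is for; state it inline, e.g. `# Never consult the invoking user's p11-kit config: the system trust store must not depend on $HOME or on the uid resolving`. Style point on the same function: `env` adds nothing here, `P11_KIT_NO_USER_CONFIG=1 /usr/bin/p11-kit extract "$@"` is equivalent, and exporting the variable once next to `DEST=` would also cover any p11-kit invocation added to the script later without going through the wrapper.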
-- 
2.13.3
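The failure mode the commit message describes, as an added shell example that is not part of the bug report or of p11-kit: a target rootfs password database is constructed inline, the invoking uid 1000 is absent from it, and the per-user config path `~/.config/pkcs11` and the uid-to-home lookup are assumptions about how p11-kit resolves its user configuration.

```shell
#!/bin/sh
# Constructed example (not the bug report's or p11-kit's code): models why a
# system-wide trust extraction must not resolve per-user configuration.
# Fake password database of the rootfs being built; uid 1000 (the builder on
# the host) is deliberately missing, as in the rpm-ostree case in the report.
ROOTFS_PASSWD=$(mktemp)
trap 'rm -f "$ROOTFS_PASSWD"' EXIT
cat > "$ROOTFS_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:Nobody:/:/sbin/nologin
EOF

# Assumed mirror of the lookup: uid -> home -> $HOME/.config/pkcs11.
# Prints the directory and returns 0; returns 1 when the uid is unknown to the
# rootfs (the failure that broke the %post scriptlet).  When
# P11_KIT_NO_USER_CONFIG is set the lookup is skipped entirely, which is what
# the patch relies on.
user_config_dir() {
    uid=$1
    if [ -n "${P11_KIT_NO_USER_CONFIG:-}" ]; then
        return 0                       # system context: no per-user config at all
    fi
    home=$(awk -F: -v u="$uid" '$3 == u { print $6 }' "$ROOTFS_PASSWD")
    [ -n "$home" ] || return 1         # uid not in the rootfs: lookup fails
    printf '%s/.config/pkcs11\n' "$home"
}

# The pattern the patch introduces for update-ca-trust: run a command with the
# variable set, in a subshell so it does not leak into the caller.
run_as_system() {
    ( export P11_KIT_NO_USER_CONFIG=1; "$@" )
}

# Demonstration when run directly.
user_config_dir 0
user_config_dir 1000 || echo "uid 1000: not in rootfs passwd, lookup fails"
run_as_system user_config_dir 1000 && echo "uid 1000 with P11_KIT_NO_USER_CONFIG: no lookup, succeeds"
```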
Comment 1 Colin Walters 2017-08-03 15:27 EDT
Created attachment 1308863
[PATCH] update-ca-trust: Use P11_KIT_NO_USER_CONFIG
Comment 2 Jan Kurik 2017-08-15 04:14:40 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.
Comment 3 Kai Engert (:kaie) 2017-08-15 07:13:22 EDT
If I understand your report correctly, p11-kit attempts to read a configuration file stored in the effective user's home directory.

You have changed p11-kit to support an environment variable that prevents it from doing so, and you are suggesting that the ca-certificates package sets this variable when running p11-kit.
Comment 4 Kai Engert (:kaie) 2017-08-15 07:27:35 EDT
Daiki, Stef, can you think of any reason why "p11-kit extract" would require access to the root user's p11-kit configuration file?

If I understand correctly, we're talking about the pkcs11.conf, and I guess a user could use it to configure additional pkcs11 modules.

In theory, someone could have configured a pkcs#11 module that contains root CAs. I don't know if that could have resulted in additional root CAs (those from the additional pkcs#11 modules) being added into the exported bundle files. With the suggested change from here, the CAs from such additional pkcs#11 modules would be excluded.

This seems to be a rather exotic configuration. I'm OK to disable the config file reading, and hope that nobody will report a regression.

Regarding the suggested patch, I think it should be fine to set the environment variable just once in the update-ca-trust script.
Comment 5 Kai Engert (:kaie) 2017-08-15 07:41:41 EDT
The env var seems to be introduced with p11-kit 0.23.8 which hasn't been packaged for rawhide yet. Should I bump the package version requirement, and wait until the updated p11-kit package is available?
Comment 6 Colin Walters 2017-08-15 09:02:23 EDT
I think it's fine to apply the patch now, and not to add a hard version requirement; the variable will simply do nothing with earlier versions of p11-kit.
