From 63145aca6a469dc030e6f9ac0327e931ac2dfc22 Mon Sep 17 00:00:00 2001
From: Colin Walters <walters>
Date: Thu, 3 Aug 2017 15:24:33 -0400
Subject: [PATCH] update-ca-trust: Use P11_KIT_NO_USER_CONFIG

See: https://github.com/p11-glue/p11-kit/pull/87

Currently `ca-certificates.spec` in Fedora ends up doing in `%post`:

```
/usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite --comment $DEST/openssl/ca-bundle.trust.crt
```

etc. And due to this bit of code in p11-kit, we end up looking for the home directory for configuration. In "traditional" dnf/yum, that'd be `/root`. It's categorically wrong to do this; the root user is distinct from "the system".

This issue is equivalent to one I fixed in Pango: https://git.gnome.org/browse/pango/commit/?id=aecbe27c1b08f517c0e05f03308d3ac55cef490c

Fast forward to today, and the reason I'm making this change is I'm working on `rpm-ostree ex container`, which builds containers as *non-root* (like gnome-continuous does, but now with RPMs), keeping the invoking uid. And this bug causes the `ca-certificates` `%post` to fail because it's trying to look for my uid 1000 which doesn't exist in the target rootfs' password database.

Again, there's no reason to be looking for a home directory for system triggers, regardless of UID, so once this patch lands, I'll update `ca-certificates` to use it, and traditional RPM `%post` will stop looking in `/root` too.
---
 update-ca-trust | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/update-ca-trust b/update-ca-trust
index d65f248..c477062 100644
--- a/update-ca-trust
+++ b/update-ca-trust
@@ -11,8 +11,12 @@ DEST=/etc/pki/ca-trust/extracted # OpenSSL PEM bundle that includes trust flags # (BEGIN TRUSTED CERTIFICATE) -/usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite --comment $DEST/openssl/ca-bundle.trust.crt -/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth $DEST/pem/tls-ca-bundle.pem -/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email $DEST/pem/email-ca-bundle.pem -/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing $DEST/pem/objsign-ca-bundle.pem -/usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth $DEST/java/cacerts +p11_extract() { + # https://github.com/p11-glue/p11-kit/pull/87 + env P11_KIT_NO_USER_CONFIG=1 /usr/bin/p11-kit extract "$@" +} +p11_extract --format=openssl-bundle --filter=certificates --overwrite --comment $DEST/openssl/ca-bundle.trust.crt +p11_extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth $DEST/pem/tls-ca-bundle.pem +p11_extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email $DEST/pem/email-ca-bundle.pem +p11_extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing $DEST/pem/objsign-ca-bundle.pem +p11_extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth $DEST/java/cacerts -- 2.13.3
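Review bot: the comment inside `p11_extract` gives only the pull-request URL; state what the variable does here, namely that it stops `p11-kit extract` from resolving the invoking uid's home directory and per-user configuration when run from a package scriptlet, so a later maintainer does not have to follow the link to understand why the wrapper exists. Two smaller points: `env` is redundant in sh, `P11_KIT_NO_USER_CONFIG=1 /usr/bin/p11-kit extract "$@"` is equivalent, and since every call in the script goes through the wrapper, a single `export P11_KIT_NO_USER_CONFIG=1` near the top of `update-ca-trust` would achieve the same without a function. It is also worth a comment that a p11-kit without support for the variable ignores it, so on such a system the script silently keeps the old home-directory behaviour rather than failing loudly.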
Created attachment 1308863: [PATCH] update-ca-trust: Use P11_KIT_NO_USER_CONFIG
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle. Changing version to '27'.
If I understand your report correctly, p11-kit attempts to read a configuration file stored in the effective user's home directory. You have changed p11-kit to support an environment variable that prevents it from doing so, and you are suggesting that the ca-certificates package sets this variable when running p11-kit.
Daiki, Stef, can you think of any reason why "p11-kit extract" would require access to the root user's p11-kit configuration file? If I understand correctly, we're talking about the pkcs11.conf, and I guess a user could use it to configure additional pkcs11 modules. In theory, someone could have configured a pkcs#11 module that contains root CAs. I don't know if that could have resulted in additional root CAs (those from the additional pkcs#11 modules) being added to the exported bundle files. With the suggested change from here, the CAs from such additional pkcs#11 modules would be excluded. This seems to be a rather exotic configuration. I'm OK to disable the config file reading, and hope that nobody will report a regression. Regarding the suggested patch, I think it should be fine to set the environment variable just once in the update-ca-trust script.
The env var seems to be introduced with p11-kit 0.23.8 which hasn't been packaged for rawhide yet. Should I bump the package version requirement, and wait until the updated p11-kit package is available?
I think it's fine to apply the patch now, and not to add a hard version requirement; the variable will simply do nothing with earlier versions of p11-kit.
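To make the failure sequence discussed in this thread concrete, here is a small Python model added for this page; it is not p11-kit's code. It models a system-trigger call such as `p11-kit extract` that consults the system-wide `/etc/pkcs11/pkcs11.conf` and, unless the opt-out is in effect, the per-user `~/.config/pkcs11/pkcs11.conf` of the effective uid (both paths are the model's assumptions about p11-kit's layout). The passwd database is a constructed stand-in containing only root, as in the non-root container build described in the report, and the version gate follows comments 7 and 8 above: a p11-kit older than 0.23.8 ignores the variable.

```python
import os
from typing import Dict, Optional, Tuple

# Constructed stand-in for the target rootfs' passwd database: only root exists,
# which is the situation the bug report describes for a non-root build uid.
CONSTRUCTED_PASSWD: Dict[int, str] = {0: "/root"}

# p11-kit release that introduced P11_KIT_NO_USER_CONFIG, per comment 7 above.
OPT_OUT_SUPPORTED_SINCE: Tuple[int, int, int] = (0, 23, 8)

# Per-user config location; an assumption of this model, not taken from the page.
USER_CONF_RELPATH = os.path.join(".config", "pkcs11", "pkcs11.conf")


def user_config_path(uid: int, environ: Dict[str, str],
                     passwd: Dict[int, str] = CONSTRUCTED_PASSWD,
                     p11_kit_version: Tuple[int, int, int] = OPT_OUT_SUPPORTED_SINCE
                     ) -> Optional[str]:
    """Return the per-user pkcs11.conf path the tool would consult, or None.

    Unless the opt-out variable is set (and the installed p11-kit is new enough
    to honour it), the home directory of the *effective* uid is resolved first.
    That lookup raises KeyError, like pwd.getpwuid(), when the uid has no
    passwd entry in the rootfs.
    """
    opt_out = bool(environ.get("P11_KIT_NO_USER_CONFIG"))
    if opt_out and p11_kit_version >= OPT_OUT_SUPPORTED_SINCE:
        return None
    home = passwd[uid]  # KeyError for a uid absent from the rootfs passwd
    return os.path.join(home, USER_CONF_RELPATH)


def config_files_for_extract(uid: int, environ: Dict[str, str],
                             passwd: Dict[int, str] = CONSTRUCTED_PASSWD,
                             p11_kit_version: Tuple[int, int, int] = OPT_OUT_SUPPORTED_SINCE
                             ) -> dict:
    """Simulate the startup of a system-trigger call such as `p11-kit extract`.

    Returns the config files the call would read, or an error when the
    per-user lookup cannot complete.
    """
    configs = ["/etc/pkcs11/pkcs11.conf"]  # system-wide config, always read
    try:
        user_conf = user_config_path(uid, environ, passwd, p11_kit_version)
    except KeyError:
        return {"ok": False, "configs": configs,
                "error": f"uid {uid} has no entry in the target passwd database"}
    if user_conf is not None:
        configs.append(user_conf)
    return {"ok": True, "configs": configs}


if __name__ == "__main__":
    # Traditional dnf/yum %post as root: succeeds, but reads /root's config.
    print(config_files_for_extract(0, {}))
    # Non-root container build (uid 1000 not in the rootfs passwd): fails.
    print(config_files_for_extract(1000, {}))
    # Same build with the opt-out set: only the system config is consulted.
    print(config_files_for_extract(1000, {"P11_KIT_NO_USER_CONFIG": "1"}))
    # Older p11-kit ignores the variable, so the failure comes back.
    print(config_files_for_extract(1000, {"P11_KIT_NO_USER_CONFIG": "1"},
                                   p11_kit_version=(0, 23, 7)))
```

The four calls at the bottom walk through the cases raised in the thread: root via dnf (works, but pulls in `/root`'s config), a non-root build uid missing from the target passwd (fails), the same build with the opt-out (only the system config is read), and an older p11-kit that silently ignores the variable.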
http://pkgs.fedoraproject.org/rpms/ca-certificates/c/7a69d0d22f938bbda43ea50389254fe47cb0eb1e?branch=master
https://koji.fedoraproject.org/koji/taskinfo?taskID=21242967