Bug 201389 - key3.db must be world readable
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: pam_pkcs11
Version: rawhide
Hardware/OS: All Linux
Priority: medium  Severity: medium
Reported: 2006-08-04 14:53 EDT by jmccann
Modified: 2015-01-14 18:19 EST
Doc Type: Bug Fix
Last Closed: 2006-08-09 12:08:42 EDT
Attachments: None

Description jmccann 2006-08-04 14:53:41 EDT
I'm assuming that this is a bug since Ray told me that key3.db should only be
readable by root.

FYI: test-passwd is included in the gnome-screensaver sources.

[mccannwj@acsnb11 src]$ sudo chmod go-r /etc/pki/nssdb/key3.db 
[mccannwj@acsnb11 src]$ ./test-passwd 
gnome-screensaver-Message: pam_start ("gnome-screensaver", "mccannwj", ...) ==>
0 (Success)
DEBUG:pam_config.c:169: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pkcs11.c:64: Initializing NSS ...
DEBUG:pkcs11.c:74: Initializing NSS ... database=/etc/pki/nssdb
DEBUG:pkcs11.c:83: NSS_Initialize faile: security library: bad database.
DEBUG:pam_pkcs11.c:167: Failed to initialize crypto
gnome-screensaver-Message:    pam_authenticate (...) ==> 9 (Authentication
service cannot retrieve authentication info)
gnome-screensaver-Message:  pam_end (...) ==> 0 (Success)
Incorrect


[mccannwj@acsnb11 src]$ sudo chmod go+r /etc/pki/nssdb/key3.db 
[mccannwj@acsnb11 src]$ ./test-passwd 
gnome-screensaver-Message: pam_start ("gnome-screensaver", "mccannwj", ...) ==>
0 (Success)
DEBUG:pam_config.c:169: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pkcs11.c:64: Initializing NSS ...
DEBUG:pkcs11.c:74: Initializing NSS ... database=/etc/pki/nssdb
DEBUG:pkcs11.c:89: ...  NSS Complete
DEBUG:pam_pkcs11.c:194: explicit username = [mccannwj]
DEBUG:pam_pkcs11.c:213: loading pkcs #11 module...
DEBUG:pkcs11.c:101: Looking up module in list
DEBUG:pkcs11.c:104: modList = 0x86aeba8 next = 0x0

DEBUG:pkcs11.c:105: dllName= <null> 

DEBUG:pkcs11.c:145: loading Module explictly,
moduleSpec=<library="/usr/lib/libcoolkeypk11.so" name="SmartCard">
module=/usr/lib/libcoolkeypk11.so
DEBUG:pkcs11.c:178: load module complete
DEBUG:pam_pkcs11.c:222: initialising pkcs #11 module...
gnome-screensaver-Message: Got message style 3: 'Smart card inserted.'
gnome-screensaver-Message: Got message style 3: 'Welcome 40900062FF0200011EC2!'
gnome-screensaver-Message: Got message style 1: 'Smart Card Password:'
Smart Card Password:DEBUG:pam_pkcs11.c:298: password = [12822]
DEBUG:pkcs11.c:390: cert 0: found (40900062FF0200011EC2:signing key for mccann),
"UID=mccann,CN=William Jon McCann,E=mccann@jhu.edu,O=Token Key User"
DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
DEBUG:mapper_mgr.c:73: Loading static module for mapper 'digest'
DEBUG:mapper_mgr.c:197: Inserting mapper [digest] into list
DEBUG:mapper_mgr.c:73: Loading static module for mapper 'uid'
DEBUG:mapper_mgr.c:197: Inserting mapper [uid] into list
DEBUG:mapper_mgr.c:73: Loading static module for mapper 'cn'
DEBUG:mapper_mgr.c:197: Inserting mapper [cn] into list
DEBUG:mapper_mgr.c:73: Loading static module for mapper 'pwent'
DEBUG:mapper_mgr.c:197: Inserting mapper [pwent] into list
DEBUG:mapper_mgr.c:73: Loading static module for mapper 'mail'
DEBUG:mapper_mgr.c:197: Inserting mapper [mail] into list
DEBUG:mapper_mgr.c:73: Loading static module for mapper 'subject'
DEBUG:mapper_mgr.c:197: Inserting mapper [subject] into list
DEBUG:mapper_mgr.c:73: Loading static module for mapper 'null'
DEBUG:mapper_mgr.c:197: Inserting mapper [null] into list
DEBUG:pam_pkcs11.c:339: verifing the certificate for the key #1
DEBUG:cert_vfy.c:32: Verifying Cert: 40900062FF0200011EC2:signing key for mccann
(UID=mccann,CN=William Jon McCann,E=mccann@jhu.edu,O=Token Key User)
DEBUG:mapper_mgr.c:300: Mapper module digest match() returns -1
DEBUG:mapper_mgr.c:304: Error in module digest
DEBUG:mapper_mgr.c:300: Mapper module uid match() returns -1
DEBUG:mapper_mgr.c:304: Error in module uid
DEBUG:mapper_mgr.c:300: Mapper module cn match() returns 0
DEBUG:mapper_mgr.c:300: Mapper module pwent match() returns 1
DEBUG:pam_pkcs11.c:401: certificate is valid and matches the user
DEBUG:mapper_mgr.c:214: unloading mapper module list
DEBUG:mapper_mgr.c:137: calling mapper_module_end() digest
DEBUG:mapper_mgr.c:148: Module digest is static: don't remove
DEBUG:mapper_mgr.c:137: calling mapper_module_end() uid
DEBUG:mapper_mgr.c:148: Module uid is static: don't remove
DEBUG:mapper_mgr.c:137: calling mapper_module_end() cn
DEBUG:mapper_mgr.c:148: Module cn is static: don't remove
DEBUG:mapper_mgr.c:137: calling mapper_module_end() pwent
DEBUG:mapper_mgr.c:148: Module pwent is static: don't remove
DEBUG:mapper_mgr.c:137: calling mapper_module_end() mail
DEBUG:mapper_mgr.c:148: Module mail is static: don't remove
DEBUG:mapper_mgr.c:137: calling mapper_module_end() subject
DEBUG:mapper_mgr.c:148: Module subject is static: don't remove
DEBUG:mapper_mgr.c:137: calling mapper_module_end() null
DEBUG:mapper_mgr.c:148: Module null is static: don't remove
DEBUG:pam_pkcs11.c:442: verifying signature...
DEBUG:pam_pkcs11.c:479: releasing pkcs #11 module...
DEBUG:pam_pkcs11.c:482: authentication succeeded
gnome-screensaver-Message:    pam_authenticate (...) ==> 0 (Success)
gnome-screensaver-Message: pam_acct_mgmt (...) ==> 9 (Authentication service
cannot retrieve authentication info)

DEBUG:pam_pkcs11.c:488: pam_sm_setcred() called
gnome-screensaver-Message:    pam_setcred (...) ==> 0 (Success)
gnome-screensaver-Message:  pam_end (...) ==> 0 (Success)
Correct!
Comment 1 Ray Strode [halfline] 2006-08-04 17:59:43 EDT
Note, the latest rawhide nss now creates the database in %install.  It makes all
three files writable, so I may have been wrong.
Comment 2 Ray Strode [halfline] 2006-08-04 18:00:16 EDT
And by "writable" I meant "readable".
Comment 3 Bob Relyea 2006-08-09 12:08:07 EDT
For this release it needs to be world readable until NSS 3.12 with multiaccess
databases. This means we shouldn't actually store any keys in /etc/pki/nssdb/key3.db.

bob
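As an added example (not code from the bug report, from pam_pkcs11 or from NSS), this Python audit replays the reporter's go-r / go+r experiment from the description on a constructed throwaway directory and checks the "other" read bit that an unprivileged pam_pkcs11 caller depends on, which is the condition comment 3 says must hold for the system database. The file names are the legacy dbm databases in /etc/pki/nssdb; the directory contents are constructed placeholders, not a real NSS database.

```python
import os
import stat
import tempfile

# The three legacy dbm-format NSS database files found in /etc/pki/nssdb.
NSSDB_FILES = ("cert8.db", "key3.db", "secmod.db")


def world_readable(path):
    """Test the 'other' read bit directly rather than os.access(): a root shell
    (like the reporter's sudo session) can always read the file and would
    hide the failure an unprivileged PAM client such as the screensaver sees."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit_nssdb(dbdir):
    """Classify each DB file: 'missing', 'unreadable' (NSS_Initialize in a
    non-root process fails with 'bad database') or 'world-readable'."""
    report = {}
    for name in NSSDB_FILES:
        path = os.path.join(dbdir, name)
        if not os.path.exists(path):
            report[name] = "missing"
        elif world_readable(path):
            report[name] = "world-readable"
        else:
            report[name] = "unreadable"
    return report


def unprivileged_init_ok(dbdir):
    """True only when every DB file exists and is readable by 'other'."""
    return all(v == "world-readable" for v in audit_nssdb(dbdir).values())


def demo():
    """Replay the reporter's two runs on a constructed throwaway directory
    (empty placeholder files, not a real NSS database)."""
    with tempfile.TemporaryDirectory() as dbdir:
        for name in NSSDB_FILES:
            open(os.path.join(dbdir, name), "wb").close()
            os.chmod(os.path.join(dbdir, name), 0o644)
        key3 = os.path.join(dbdir, "key3.db")
        os.chmod(key3, 0o600)  # sudo chmod go-r key3.db
        before = (audit_nssdb(dbdir), unprivileged_init_ok(dbdir))
        os.chmod(key3, 0o644)  # sudo chmod go+r key3.db
        after = (audit_nssdb(dbdir), unprivileged_init_ok(dbdir))
    return before, after
```

Run it against the live directory with audit_nssdb("/etc/pki/nssdb"); because comment 3 makes a world-readable key3.db acceptable only when it holds no keys, pair the permission check with certutil -K -d /etc/pki/nssdb to confirm the key database is empty.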
