Bug 636792 - nss-sysinit: setup-nsssysinit.sh should create pkcs11.txt with correct permissions regardless of current umask
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: nss
Version: 13
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Elio Maldonado Batiz
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 643553
Reported: 2010-09-23 10:19 UTC by Tomas Hoger
Modified: 2010-11-05 04:45 UTC (History)

Fixed In Version: nss-util-3.12.8-1.fc12
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 643553 (view as bug list)
Environment:
Last Closed: 2010-10-27 22:30:32 UTC


Attachments
Changes to create system pkcs11.txt with correct permissions (2.29 KB, patch)
2010-09-28 18:09 UTC, Elio Maldonado Batiz

Description Tomas Hoger 2010-09-23 10:19:03 UTC
Description of problem:
setup-nsssysinit.sh re-writes / re-creates pkcs11.txt.  When a new file is created, the current umask is taken into account.  If run with restrictive umask settings, the file may be created with permissions that do not allow non-privileged users to read the file, hence sysinit may remain disabled for users even when it's intended to be enabled.

The script should either set umask before running sed, let sed take care of preserving correct permissions (using in-place edit mode), or chmod file at the end of run.

Version-Release number of selected component (if applicable):
nss-3.12.7-6.fc13

Additional info:

# ll /etc/pki/nssdb/pkcs11.txt 
-rw-r--r--. 1 root root 451 Sep 23 11:10 /etc/pki/nssdb/pkcs11.txt

# umask
0077
# setup-nsssysinit.sh on
# ll /etc/pki/nssdb/pkcs11.txt 
-rw-------. 1 root root 451 Sep 23 12:09 /etc/pki/nssdb/pkcs11.txt

# umask 022
# setup-nsssysinit.sh on
# ll /etc/pki/nssdb/pkcs11.txt 
-rw-r--r--. 1 root root 451 Sep 23 12:09 /etc/pki/nssdb/pkcs11.txt
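
The behaviour reported above, reproduced next to a rewrite that pins the mode, as an added example (not the nss-sysinit script or the attached patch). The function names, the sample file and the sed expression are constructed for the demo; the hardened variant combines two of the options the report lists (set the umask, chmod before the file goes live).

```shell
#!/bin/sh
# Added illustration. Works on a throwaway file in a temp directory,
# never on /etc/pki/nssdb/pkcs11.txt.

# Naive rewrite: the redirection creates a new file, so its mode is
# 0666 & ~umask. Under umask 077 the replacement ends up 0600.
rewrite_naive() {
    f=$1
    sed -e 's/=off$/=on/' "$f" > "$f.tmp" && mv -f "$f.tmp" "$f"
}

# Hardened rewrite: pin the umask inside a subshell so the caller's
# umask is untouched, set the mode explicitly, then rename into place.
rewrite_fixed() {
    f=$1
    (
        umask 022
        tmp=$(mktemp "$f.XXXXXX") || exit 1   # mktemp creates it 0600
        sed -e 's/=off$/=on/' "$f" > "$tmp" &&
            chmod 0644 "$tmp" &&
            mv -f "$tmp" "$f" || { rm -f "$tmp"; exit 1; }
    )
}

# Octal mode of a file (GNU stat, as shipped on Fedora).
mode_of() { stat -c '%a' "$1"; }

# Create a world-readable sample file, run the given rewrite function
# under a restrictive umask, and print the resulting mode.
demo() {
    dir=$(mktemp -d) || return 1
    ( umask 022; printf 'sample-setting=off\n' > "$dir/sample.txt" )
    ( umask 077; "$1" "$dir/sample.txt" )
    mode_of "$dir/sample.txt"
    rm -rf "$dir"
}

echo "naive: $(demo rewrite_naive)  fixed: $(demo rewrite_fixed)"
```

Because the hardened variant sets the mode explicitly, it also repairs a file that an earlier run already left at 0600.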

Comment 1 Elio Maldonado Batiz 2010-09-28 18:09:16 UTC
Created attachment 450265
Changes to create system pkcs11.txt with correct permissions

Includes enhancement to report nss-sysinit status requested in bug 636801.

Comment 2 Fedora Update System 2010-09-30 00:25:53 UTC
nss-3.12.7-8.fc14,nss-softokn-3.12.7-7.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/nss-3.12.7-8.fc14,nss-softokn-3.12.7-7.fc14

Comment 3 Fedora Update System 2010-09-30 00:29:54 UTC
nss-3.12.7-8.fc13,nss-softokn-3.12.7-7.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/nss-3.12.7-8.fc13,nss-softokn-3.12.7-7.fc13

Comment 4 Fedora Update System 2010-09-30 05:31:39 UTC
nss-3.12.7-8.fc14, nss-softokn-3.12.7-7.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update nss nss-softokn'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/nss-3.12.7-8.fc14,nss-softokn-3.12.7-7.fc14

Comment 5 Fedora Update System 2010-10-07 18:19:20 UTC
nss-3.12.8-2.fc14,nss-softokn-3.12.8-1.fc14,nss-util-3.12.8-1.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/nss-3.12.8-2.fc14,nss-softokn-3.12.8-1.fc14,nss-util-3.12.8-1.fc14

Comment 6 Fedora Update System 2010-10-08 00:07:41 UTC
nss-util-3.12.8-1.fc12,nss-softokn-3.12.8-1.fc12,nss-3.12.8-2.fc12 has been submitted as an update for Fedora 12.
https://admin.fedoraproject.org/updates/nss-util-3.12.8-1.fc12,nss-softokn-3.12.8-1.fc12,nss-3.12.8-2.fc12

Comment 7 Fedora Update System 2010-10-27 22:30:05 UTC
nss-3.12.8-2.fc13, nss-softokn-3.12.8-1.fc13, nss-util-3.12.8-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2010-10-28 05:47:34 UTC
nss-3.12.8-2.fc14, nss-softokn-3.12.8-1.fc14, nss-util-3.12.8-1.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Andre Robatino 2010-10-30 00:22:48 UTC
In F14, when updating to nss-sysinit-3.12.8-2.fc14, pkcs11.txt is created as pkcs11.txt.rpmnew even though the file hasn't changed. At the time of package cleanup, the modification date on pkcs11.txt is updated to the current value, so the package no longer verifies.

output of "ls -l" before installing new version (note that the time is that of my original F14 install):
-rw-r--r--. 1 root root   451 Oct 28 00:21 pkcs11.txt

output after installing new version and before cleaning up old version:
-rw-r--r--. 1 root root   451 Oct 28 00:21 pkcs11.txt
-rw-r--r--. 1 root root   451 Oct  7 01:19 pkcs11.txt.rpmnew

output after cleaning up old version:
-rw-r--r--. 1 root root   451 Oct 29 20:16 pkcs11.txt (time is the instant the old package is cleaned up):
-rw-r--r--. 1 root root   451 Oct  7 01:19 pkcs11.txt.rpmnew

[root@dell-pc nssdb]# rpm -V nss-sysinit
.......T.  c /etc/pki/nssdb/pkcs11.txt
[root@dell-pc nssdb]#

Comment 10 Andre Robatino 2010-10-30 00:28:09 UTC
Never mind, I noticed that after "mv pkcs11.txt.rpmnew pkcs11.txt", the package verifies.

Comment 11 Fedora Update System 2010-11-05 04:45:15 UTC
nss-util-3.12.8-1.fc12, nss-softokn-3.12.8-1.fc12, nss-3.12.8-2.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
