Re: [exim-dev] gnutls / exim : gnome-keyring:: couldn't conn…

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Phil Pennock
Date: 2012-06-23 12:02 -000
À: exim-dev
Sujet: Re: [exim-dev] gnutls / exim : gnome-keyring:: couldn't connect to: /home/ametzler/.cache/keyring-vZ6lZn/pkcs11: Permission denied
On 2012-06-23 at 09:07 +0200, Andreas Metzler wrote:
> After the the GnuTLS revamp it loooks like PKCS#11 modules are
> suddenly (unnecessarily) autoloaded and fail due to SUID:


Note: the problem here isn't suid itself, but that environment variables
passed through are no longer valid.

If you find the two calls to gnutls_global_init() in tls-gnu.c and
before them insert:

rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
and one of:
exim_gnutls_err_check(US"gnutls_pkcs11_init");
validate_check_rc(US"gnutls_pkcs11_init");
(it should be obvious which goes where, just stay consistent)

then does that fix the problem?

Per:
http://www.gnu.org/software/gnutls/manual/gnutls.html#Smart-cards-and-HSMs
it appears that by default, GnuTLS will use autoload, but you can
override it *before* the global init call.

If this it the problem, we'll probably have to wrap this in a config
option and default it to disabled, because I can see folks using server
credentials stored in a PKCS11 module which they *do* want used, but it
should be requested by the admin. So it's not always "unnecessarily",
just in your case it is, and I think it's unnecessary unless explicitly
requested.


I don't think there's another decent solution, since the fact that
environment variables are used *at all* is a module-specific fact. Exim
deliberately preserves much of the environment.