Re: [exim-dev] gnutls / exim : gnome-keyring:: couldn't conn…

Author: Andreas Metzler
Date:  
To: exim-dev
Subject: Re: [exim-dev] gnutls / exim : gnome-keyring:: couldn't connect to: /home/ametzler/.cache/keyring-vZ6lZn/pkcs11: Permission denied
On 2012-06-23 Phil Pennock <pdp@???> wrote:
> On 2012-06-23 at 09:07 +0200, Andreas Metzler wrote:
> > After the GnuTLS revamp it looks like PKCS#11 modules are
> > suddenly (unnecessarily) autoloaded and fail due to SUID:

> Note: the problem here isn't suid itself, but that environment variables
> passed through are no longer valid.

> If you find the two calls to gnutls_global_init() in tls-gnu.c and
> before them insert:

> rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
> and one of:
> exim_gnutls_err_check(US"gnutls_pkcs11_init");
> validate_check_rc(US"gnutls_pkcs11_init");
> (it should be obvious which goes where, just stay consistent)

> then does that fix the problem?

[...]

It does, thank you for the fix and explanation.

cu andreas

--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
Description: Disable autoloading of PKCS#11 modules.
Author: Phil Pennock <pdp@???>
Origin: upstream
Bug-Debian: http://bugs.debian.org/678238
Forwarded: http://article.gmane.org/gmane.mail.exim.devel/5732
Last-Update: 2012-06-23

Index: b/src/tls-gnu.c
===================================================================
--- a/src/tls-gnu.c    2012-06-23 18:17:41.000000000 +0200
+++ b/src/tls-gnu.c    2012-06-23 18:18:31.000000000 +0200
@@ -39,6 +39,8 @@ require current GnuTLS, then we'll drop
 #include <gnutls/x509.h>
 /* man-page is incorrect, gnutls_rnd() is not in gnutls.h: */
 #include <gnutls/crypto.h>
+/* needed for gnutls_pkcs11_init */
+#include <gnutls/pkcs11.h>


/* GnuTLS 2 vs 3

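Review bot: the new `#include <gnutls/pkcs11.h>` is unconditional, while the comment just below it (`/* GnuTLS 2 vs 3`) shows this file still supports more than one GnuTLS major version; if the oldest GnuTLS the build accepts predates the PKCS#11 API, this include and the gnutls_pkcs11_init() calls in the later hunks need a version guard, or the minimum version should be raised and stated in the "require current GnuTLS" comment referenced in the hunk header.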
@@ -910,6 +912,8 @@ if (!exim_gnutls_base_init_done)
{
DEBUG(D_tls) debug_printf("GnuTLS global init required.\n");

+ rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
+ exim_gnutls_err_check(US"gnutls_pkcs11_init");
rc = gnutls_global_init();
exim_gnutls_err_check(US"gnutls_global_init");

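Review bot: a short comment above the new `rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);` saying why manual mode is required would stop a later maintainer from removing it; the thread above gives the reason (Exim runs setuid, so environment variables such as the inherited keyring socket path are no longer valid, and autoloaded PKCS#11 modules fail on them). Placing the call before gnutls_global_init() matches the instruction in the thread, and reusing exim_gnutls_err_check keeps the error path the same as the existing call.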
@@ -1942,6 +1946,8 @@ if (exim_gnutls_base_init_done)
   log_write(0, LOG_MAIN|LOG_PANIC,
       "already initialised GnuTLS, Exim developer bug");


+rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
+validate_check_rc(US"gnutls_pkcs11_init");
rc = gnutls_global_init();
validate_check_rc(US"gnutls_global_init()");
exim_gnutls_base_init_done = TRUE;
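Review bot: the label strings in this hunk are inconsistent: the new line uses `US"gnutls_pkcs11_init"` while the existing `validate_check_rc(US"gnutls_global_init()")` below it carries parentheses, and the previous hunk uses the bare name; the thread asked to "just stay consistent", so pick one form for both validate_check_rc labels. The same reason-for-manual-mode comment suggested for the previous hunk belongs here too, since this is the second, independent init path.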