On 12/02/12 14:31, Andreas Bartelt wrote:
> Hello,
> 
> I've set up yubikey OTP authentication and also want to use it for 
> xlock(1) authentication.
> 
> /var/db/yubikey has permissions 770 for root:auth.
> 
> In case no `user`.ctr file exists in /var/db/yubikey at first login
> via yubikey, it is created automatically with permissions 644.
> 
> This fails in case of xlock(1) authentication via yubikey: [from
> /var/log/authlog] yubikey: user test: fopen: 
> /var/db/yubikey/test.ctr: Permission denied
> 
> Changing `user`.ctr permissions to 660 for root:auth makes it work.
> 
> Should 660 be the default permissions for `user`.ctr?

Yeah, that makes sense. I remember having issues with xlock myself
but I didn't investigate it enough it seems.

Does the diff below fix your issues?

/Alexander


Index: login_yubikey.c
===================================================================
RCS file: /data/openbsd/cvs/src/libexec/login_yubikey/login_yubikey.c,v
retrieving revision 1.4
diff -u -p -r1.4 login_yubikey.c
--- login_yubikey.c     1 Feb 2012 16:07:28 -0000       1.4
+++ login_yubikey.c     5 Dec 2012 23:14:43 -0000
@@ -31,6 +31,7 @@
  */
 
 #include <sys/param.h>
+#include <sys/stat.h>
 #include <sys/time.h>
 #include <sys/resource.h>
 #include <ctype.h>
@@ -254,6 +255,7 @@ yubikey_login(const char *username, cons
        }
        syslog(LOG_INFO, "user %s: counter %u.%u > %u.%u",
            username, ctr / 256, ctr % 256, last_ctr / 256, last_ctr % 256);
+       umask(S_IRWXO);
        if ((f = fopen(fn, "w")) == NULL) {
                syslog(LOG_ERR, "user %s: fopen: %s: %m", username, fn);
                return (AUTH_FAILED);
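Review bot: the umask(S_IRWXO) before fopen(fn, "w") only governs files created from here on; a `user`.ctr that already exists with 644, which is the situation in the report, keeps its mode and still has to be fixed by hand, so that should be stated in the commit message. Note also that umask(2) replaces the whole process mask rather than adding to it and the previous value is not saved; because fopen(3) creates with 0666 the result is 0660 whatever mask the process inherited, which is exactly what the report asks for, but if anything else in this process creates files afterwards the old mask should be restored, or the counter file could be created with open(2) and an explicit mode of S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP followed by fdopen(3), which gives the same 0660 without touching the process-wide umask.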
