On Sun, 2 Jan 2011 21:42:18 +0900
Norikatsu Shigemura <[email protected]> wrote:
> Hi Klaus.
>
> Add support for --pkcs11user=pkcs11 and --pkcs11group=pkcs11
> to configure, so that the user/group account running
> pkcsslotd can be changed.
Norikatsu,
again, the patch won't apply (error: patch failed:
usr/lib/pkcs11/common/loadsave.c:328). Can you try rebasing it on top
of upstream master? Ah please don't forget to include the Signed-off-by
line.
This is a welcome addition. I'd feel more comfortable if there were more
checks making sure this macro is defined (to avoid silent errors when
the string is empty). You could simply #error in that case, or use a default.
Can you please re-send?
Thanks,
-Klaus
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> -
> diff -uprN opencryptoki-2.3.2.orig/configure.in
> opencryptoki-2.3.2/configure.in
> --- opencryptoki-2.3.2.orig/configure.in 2010-07-29 21:28:41.000000000
> +0900
> +++ opencryptoki-2.3.2/configure.in 2011-01-02 21:11:58.551676300 +0900
> @@ -193,6 +193,21 @@ AC_ARG_WITH([xcryptolinz],
> [],
> [with_xcryptolinz=check])
>
> +dnl --- check for pkcs11 user
> +AC_ARG_WITH([pkcs11user],
> + AC_HELP_STRING([--with-pkcs11user[[=USER]]], [set pkcs11 user
> [[pkcs11]]]),
> + [pkcs11_user=$withval],
> + [pkcs11_user=pkcs11])
> +
> +dnl --- check for pkcs11 group
> +AC_ARG_WITH(pkcs11group,
> + AC_HELP_STRING([--with-pkcs11group[[=GROUP]]], [set pkcs11 group
> [[pkcs11]]]),
> + [pkcs11_group=$withval],
> + [pkcs11_group=pkcs11])
> +
> +AC_SUBST(PKCS11USER, $pkcs11_user)
> +AC_SUBST(PKCS11GROUP, $pkcs11_group)
> +
> dnl ---
> dnl ---
> dnl --- Now that we have all the options, let's check for a valid build
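Review bot: The C hunks in this patch use `PKCS11GROUP` as a string-literal macro (`getgrnam(PKCS11GROUP)` in cca_stdll/loadsave.c, cca_stdll/new_host.c, common/loadsave.c, common/new_host.c, tpm_stdll/new_host.c and pkcsslotd/shmem.c), but this hunk only `AC_SUBST`s the value, which reaches Makefiles and `@VAR@` templates, not the preprocessor, so those files would fail with an undeclared identifier unless a `-D` flag is added somewhere the patch does not show. Add `AC_DEFINE_UNQUOTED([PKCS11GROUP], ["$pkcs11_group"], [Group owning the PKCS#11 shared memory and token stores])` next to the `AC_SUBST` so config.h carries the quoted string. `--without-pkcs11group` sets `$withval` to `no` and an explicit empty `=` leaves it empty, and both would then be used verbatim as a group name; reject them with `if test "x$pkcs11_group" = x -o "x$pkcs11_group" = xno; then AC_MSG_ERROR([--with-pkcs11group needs a group name]); fi`, and the same for `pkcs11_user`.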
> diff -uprN opencryptoki-2.3.2.orig/usr/lib/pkcs11/api/shrd_mem.c.in
> opencryptoki-2.3.2/usr/lib/pkcs11/api/shrd_mem.c.in
> --- opencryptoki-2.3.2.orig/usr/lib/pkcs11/api/shrd_mem.c.in 2010-07-29
> 21:28:41.000000000 +0900
> +++ opencryptoki-2.3.2/usr/lib/pkcs11/api/shrd_mem.c.in 2011-01-02
> 21:13:12.586673320 +0900
> @@ -353,7 +353,7 @@ attach_shared_memory() {
>
>
> // SAB check for the group id here and membership here as well
> - grp = getgrnam("pkcs11");
> + grp = getgrnam(PKCS11GROUP);
> if ( grp ) {
> int i=0;
> char member=0;
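Review bot: This file is a `.c.in` template and `PKCS11GROUP` on the added line is a bare identifier, so neither `AC_SUBST` nor the sed rules in this patch will replace it; it only works if a preprocessor definition exists, which the patch does not show. If the intent is configure-time substitution like the rest of the template, the line should read `grp = getgrnam("@PKCS11GROUP@");`. attach_shared_memory() starts and ends outside the hunk.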
> diff -uprN opencryptoki-2.3.2.orig/usr/lib/pkcs11/cca_stdll/loadsave.c
> opencryptoki-2.3.2/usr/lib/pkcs11/cca_stdll/loadsave.c
> --- opencryptoki-2.3.2.orig/usr/lib/pkcs11/cca_stdll/loadsave.c
> 2010-07-29 21:28:41.000000000 +0900
> +++ opencryptoki-2.3.2/usr/lib/pkcs11/cca_stdll/loadsave.c 2011-01-02
> 21:14:55.028672426 +0900
> @@ -51,7 +51,7 @@ set_perm(int file)
> // Set absolute permissions or rw-rw-r--
> fchmod(file,S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH);
>
> - grp = getgrnam("pkcs11"); // Obtain the group id
> + grp = getgrnam(PKCS11GROUP); // Obtain the group id
> if (grp){
> fchown(file,getuid(),grp->gr_gid); // set ownership to root, and
> pkcs11 group
> }
> diff -uprN opencryptoki-2.3.2.orig/usr/lib/pkcs11/cca_stdll/new_host.c
> opencryptoki-2.3.2/usr/lib/pkcs11/cca_stdll/new_host.c
> --- opencryptoki-2.3.2.orig/usr/lib/pkcs11/cca_stdll/new_host.c
> 2010-07-29 21:28:41.000000000 +0900
> +++ opencryptoki-2.3.2/usr/lib/pkcs11/cca_stdll/new_host.c 2011-01-02
> 21:15:19.847672187 +0900
> @@ -298,7 +298,7 @@ ST_Initialize(void **FunctionList,
> struct group *grp;
> int rc = 0;
> gid_t gid,egid;
> - grp = getgrnam("pkcs11");
> + grp = getgrnam(PKCS11GROUP);
> if (grp) {
> // Check for member of group..
> // SAB get login seems to not work with some
> diff -uprN opencryptoki-2.3.2.orig/usr/lib/pkcs11/common/loadsave.c
> opencryptoki-2.3.2/usr/lib/pkcs11/common/loadsave.c
> --- opencryptoki-2.3.2.orig/usr/lib/pkcs11/common/loadsave.c 2010-07-29
> 21:28:41.000000000 +0900
> +++ opencryptoki-2.3.2/usr/lib/pkcs11/common/loadsave.c 2011-01-02
> 21:15:41.725673684 +0900
> @@ -328,7 +328,7 @@ set_perm(int file)
> // Set absolute permissions or rw-rw-r--
> fchmod(file,S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH);
>
> - grp = getgrnam("pkcs11"); // Obtain the group id
> + grp = getgrnam(PKCS11GROUP); // Obtain the group id
> if (grp){
> fchown(file,getuid(),grp->gr_gid); // set ownership to root, and
> pkcs11 group
> }
> diff -uprN opencryptoki-2.3.2.orig/usr/lib/pkcs11/common/new_host.c
> opencryptoki-2.3.2/usr/lib/pkcs11/common/new_host.c
> --- opencryptoki-2.3.2.orig/usr/lib/pkcs11/common/new_host.c 2010-07-29
> 21:28:41.000000000 +0900
> +++ opencryptoki-2.3.2/usr/lib/pkcs11/common/new_host.c 2011-01-02
> 21:16:06.748675957 +0900
> @@ -576,7 +576,7 @@ ST_Initialize(void **FunctionList,
> struct group *grp;
> int rc = 0;
> gid_t gid,egid;
> - grp = getgrnam("pkcs11");
> + grp = getgrnam(PKCS11GROUP);
> if (grp) {
> // Check for member of group..
> // SAB get login seems to not work with some
> diff -uprN opencryptoki-2.3.2.orig/usr/lib/pkcs11/tpm_stdll/loadsave.c
> opencryptoki-2.3.2/usr/lib/pkcs11/tpm_stdll/loadsave.c
> --- opencryptoki-2.3.2.orig/usr/lib/pkcs11/tpm_stdll/loadsave.c
> 2010-07-29 21:28:41.000000000 +0900
> +++ opencryptoki-2.3.2/usr/lib/pkcs11/tpm_stdll/loadsave.c 2011-01-02
> 21:17:41.491671045 +0900
> @@ -339,7 +339,7 @@ set_perm(int file)
> fchmod(file,S_IRUSR|S_IWUSR);
>
> #if 0
> - grp = getgrnam("pkcs11"); // Obtain the group id
> + grp = getgrnam(PKCS11GROUP); // Obtain the group id
> if (grp){
> fchown(file,getuid(),grp->gr_gid); // set ownership to root, and
> pkcs11 group
> }
> diff -uprN opencryptoki-2.3.2.orig/usr/lib/pkcs11/tpm_stdll/new_host.c
> opencryptoki-2.3.2/usr/lib/pkcs11/tpm_stdll/new_host.c
> --- opencryptoki-2.3.2.orig/usr/lib/pkcs11/tpm_stdll/new_host.c
> 2010-07-29 21:28:41.000000000 +0900
> +++ opencryptoki-2.3.2/usr/lib/pkcs11/tpm_stdll/new_host.c 2011-01-02
> 21:18:02.746672482 +0900
> @@ -356,7 +356,7 @@ CK_RV ST_Initialize( void **FunctionList
> int rc = 0;
> int index = 0;
> gid_t gid,egid;
> - grp = getgrnam("pkcs11");
> + grp = getgrnam(PKCS11GROUP);
> if ( grp ) {
> // Check for member of group..
>
> diff -uprN opencryptoki-2.3.2.orig/usr/sbin/pkcs11_startup/Makefile.am
> opencryptoki-2.3.2/usr/sbin/pkcs11_startup/Makefile.am
> --- opencryptoki-2.3.2.orig/usr/sbin/pkcs11_startup/Makefile.am
> 2010-07-29 21:28:41.000000000 +0900
> +++ opencryptoki-2.3.2/usr/sbin/pkcs11_startup/Makefile.am 2011-01-02
> 21:18:48.216674756 +0900
> @@ -12,6 +12,8 @@ pkcs11_startup: pkcs11_startup.in
> -e s...@id\@!"@ID@"!g \
> -e s...@cat\@!"@CAT@"!g \
> -e s...@sed\@!"@SED@"!g \
> + -e s...@pkcs11user\@!"@PKCS11USER@"!g \
> + -e s...@pkcs11group\@!"@PKCS11GROUP@"!g \
> -e s...@groupadd\@!"@GROUPADD@"!g \
> -e s...@usermod\@!"@USERMOD@"!g < $< > $...@-t
> @CHMOD@ +x $...@-t
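Review bot: `@PKCS11USER@` is wired into the sed substitution on the first added line, but no hunk in this patch consumes `@PKCS11USER@` in pkcs11_startup.in or anywhere else, so the new --with-pkcs11user option appears to have no effect even though the description says it is meant to change the account running pkcsslotd. If changing the daemon's user is part of the intent, the startup script needs a corresponding account step that uses it; otherwise the option and this substitution should be dropped until they are used. The rule's body continues outside the hunk.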
> diff -uprN opencryptoki-2.3.2.orig/usr/sbin/pkcs11_startup/pkcs11_startup.in
> opencryptoki-2.3.2/usr/sbin/pkcs11_startup/pkcs11_startup.in
> --- opencryptoki-2.3.2.orig/usr/sbin/pkcs11_startup/pkcs11_startup.in
> 2010-07-29 21:28:41.000000000 +0900
> +++ opencryptoki-2.3.2/usr/sbin/pkcs11_startup/pkcs11_startup.in
> 2011-01-02 21:20:32.779674866 +0900
> @@ -310,16 +310,16 @@ rm -f @localstatedir@/lib/opencryptoki/p
>
>
> # Create the pkcs11 group if it does not exist...
> -cat /etc/group|grep pkcs11 >/dev/null 2>&1
> +cat /etc/group|grep @PKCS11GROUP@ >/dev/null 2>&1
> rc=$?
> if [ $rc = 1 ]
> then
> if [ -x @GROUPADD@ ]
> then
> - @GROUPADD@ pkcs11 >/dev/null 2>&1
> + @GROUPADD@ @PKCS11GROUP@ >/dev/null 2>&1
>
> else
> - echo "Couldn't execute @group...@. Please add the group 'pkcs11'
> manually."
> + echo "Couldn't execute @group...@. Please add the group
> '@PKCS11GROUP@' manually."
> fi
> fi
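Review bot: `cat /etc/group|grep @PKCS11GROUP@` on the added line matches the configured name anywhere in the line, including inside another group's name or its member list, so an unrelated group whose name contains the configured one would suppress the `groupadd`; with a configurable name this is more likely than with the fixed `pkcs11`. Anchor the match to the group field, `grep "^@PKCS11GROUP@:" /etc/group >/dev/null 2>&1`, or use `getent group "@PKCS11GROUP@"`, which also covers groups served by NSS sources other than the file. The same unquoted substitution appears on the `@GROUPADD@` line here and on the `@USERMOD@` line in the next hunk; quoting the name keeps a value with shell metacharacters from being split or expanded.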
>
> @@ -328,9 +328,9 @@ if [ -x @USERMOD@ -a -x @ID@ ]
> then
> # add the pkcs group
> # replace spaces by commas
> - @USERMOD@ -G $( @ID@ --groups --name root | @SED@ -e 'y/ /,/'),pkcs11
> root
> + @USERMOD@ -G $( @ID@ --groups --name root | @SED@ -e 'y/
> /,/'),@PKCS11GROUP@ root
> else
> - echo "Couldn't execute @user...@. Please add root to the group 'pkcs11'
> manually."
> + echo "Couldn't execute @user...@. Please add root to the group
> '@PKCS11GROUP@' manually."
> fi
>
>
> diff -uprN opencryptoki-2.3.2.orig/usr/sbin/pkcs_slot/pkcs_slot.in
> opencryptoki-2.3.2/usr/sbin/pkcs_slot/pkcs_slot.in
> --- opencryptoki-2.3.2.orig/usr/sbin/pkcs_slot/pkcs_slot.in 2010-07-29
> 21:28:41.000000000 +0900
> +++ opencryptoki-2.3.2/usr/sbin/pkcs_slot/pkcs_slot.in 2011-01-02
> 21:25:12.917674721 +0900
> @@ -360,7 +360,7 @@ DEPTH=$2
> if [ ! -d @localstatedir@/lib/opencryptoki ]
> then
> @MKDIR_P@ @localstatedir@/lib/opencryptoki
> - @CHGRP@ pkcs11 @localstatedir@/lib/opencryptoki
> + @CHGRP@ @PKCS11GROUP@ @localstatedir@/lib/opencryptoki
> @CHMOD@ -R g+rwX @localstatedir@/lib/opencryptoki
> fi
>
> @@ -372,9 +372,9 @@ then
> if [ $? -ne 0 ]
> then
> mkdir $SOFT_DIR
> - @CHGRP@ pkcs11 $SOFT_DIR
> + @CHGRP@ @PKCS11GROUP@ $SOFT_DIR
> mkdir "$SOFT_DIR"/TOK_OBJ
> - @CHGRP@ pkcs11 "$SOFT_DIR"/TOK_OBJ
> + @CHGRP@ @PKCS11GROUP@ "$SOFT_DIR"/TOK_OBJ
> fi
> SYS_SLOT="Soft"
> fi
> @@ -386,7 +386,7 @@ then
> if [ $? -ne 0 ]
> then
> mkdir $TPM_DIR
> - @CHGRP@ pkcs11 $TPM_DIR
> + @CHGRP@ @PKCS11GROUP@ $TPM_DIR
> fi
> SYS_SLOT="TPM"
> fi
> @@ -397,16 +397,16 @@ then
> if [ $? -ne 0 ]
> then
> mkdir $CCA_DIR
> - @CHGRP@ pkcs11 $CCA_DIR
> + @CHGRP@ @PKCS11GROUP@ $CCA_DIR
> mkdir "$CCA_DIR"/TOK_OBJ
> - @CHGRP@ pkcs11 "$CCA_DIR"/TOK_OBJ
> + @CHGRP@ @PKCS11GROUP@ "$CCA_DIR"/TOK_OBJ
> fi
> SYS_SLOT="CCA"
> fi
>
> # If we are using a shallow device, make sure that the directory
> # to store token objects is available, if not create it and change
> -# the ownership to the pkcs11 group
> +# the ownership to the @PKCS11GROUP@ group
>
>
> if [ $DEPTH = "ica" ]
> @@ -415,9 +415,9 @@ then
> if [ $? -ne 0 ]
> then
> mkdir $ICA_DIR
> - @CHGRP@ pkcs11 $ICA_DIR
> + @CHGRP@ @PKCS11GROUP@ $ICA_DIR
> mkdir "$ICA_DIR"/TOK_OBJ
> - @CHGRP@ pkcs11 "$ICA_DIR"/TOK_OBJ
> + @CHGRP@ @PKCS11GROUP@ "$ICA_DIR"/TOK_OBJ
> fi
> SYS_SLOT="ICA"
> fi
> @@ -428,9 +428,9 @@ then
> if [ $? -ne 0 ]
> then
> mkdir $BCOM_DIR
> - @CHGRP@ pkcs11 $BCOM_DIR
> + @CHGRP@ @PKCS11GROUP@ $BCOM_DIR
> mkdir "$BCOM_DIR"/TOK_OBJ
> - @CHGRP@ pkcs11 "$BCOM_DIR"/TOK_OBJ
> + @CHGRP@ @PKCS11GROUP@ "$BCOM_DIR"/TOK_OBJ
> fi
> SYS_SLOT="BCOM"
> fi
> @@ -441,9 +441,9 @@ then
> if [ $? -ne 0 ]
> then
> mkdir $AEP_DIR
> - @CHGRP@ pkcs11 $AEP_DIR
> + @CHGRP@ @PKCS11GROUP@ $AEP_DIR
> mkdir "$AEP_DIR"/TOK_OBJ
> - @CHGRP@ pkcs11 "$AEP_DIR"/TOK_OBJ
> + @CHGRP@ @PKCS11GROUP@ "$AEP_DIR"/TOK_OBJ
> fi
> SYS_SLOT="AEP"
> fi
> @@ -454,9 +454,9 @@ then
> if [ $? -ne 0 ]
> then
> mkdir $CR_DIR
> - @CHGRP@ pkcs11 $CR_DIR
> + @CHGRP@ @PKCS11GROUP@ $CR_DIR
> mkdir "$CR_DIR"/TOK_OBJ
> - @CHGRP@ pkcs11 "$CR_DIR"/TOK_OBJ
> + @CHGRP@ @PKCS11GROUP@ "$CR_DIR"/TOK_OBJ
> fi
> SYS_SLOT="CRNT"
> fi
> diff -uprN opencryptoki-2.3.2.orig/usr/sbin/pkcsslotd/shmem.c
> opencryptoki-2.3.2/usr/sbin/pkcsslotd/shmem.c
> --- opencryptoki-2.3.2.orig/usr/sbin/pkcsslotd/shmem.c 2010-07-29
> 21:28:41.000000000 +0900
> +++ opencryptoki-2.3.2/usr/sbin/pkcsslotd/shmem.c 2011-01-02
> 21:28:00.449673400 +0900
> @@ -338,9 +338,9 @@ int CreateSharedMemory ( void ) {
> }
> // SAB Get the group information for the PKCS#11 group... fail if
> // it does not exist
> - grp = getgrnam("pkcs11");
> + grp = getgrnam(PKCS11GROUP);
> if ( !grp ) {
> - ErrLog("Group PKCS#11 does not exist ");
> + ErrLog("Group " PKCS11GROUP " does not exist ");
> return FALSE; // Group does not exist... setup is wrong..
> }
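Review bot: The added `ErrLog("Group " PKCS11GROUP " does not exist ")` here, and the matching call in the hunk at line 409, splice the configured group name into the format string itself, so a name containing `%` would be read as a conversion by ErrLog, which takes printf-style arguments judging by the `%s` used with SBIN_PATH below; the third hunk already passes the name as an argument. Use that form in both places, e.g. `ErrLog("Group %s does not exist ", PKCS11GROUP);`, which also stops relying on PKCS11GROUP being a compile-time string literal. CreateSharedMemory() starts outside the hunk.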
>
> @@ -409,9 +409,9 @@ int CreateSharedMemory ( void ) {
> int i;
> char *buffer;
>
> - grp = getgrnam("pkcs11");
> + grp = getgrnam(PKCS11GROUP);
> if ( !grp ) {
> - ErrLog("Group \"pkcs11\" does not exist! Please run %s/pkcs11_startup.",
> + ErrLog("Group " PKCS11GROUP " does not exist! Please run
> %s/pkcs11_startup.",
> SBIN_PATH);
> return FALSE; // Group does not exist... setup is wrong..
> }
> @@ -431,7 +431,7 @@ int CreateSharedMemory ( void ) {
> return FALSE;
> }
> if (fchown(fd, 0, grp->gr_gid) == -1) {
> - ErrLog("%s: fchown(%s, root, pkcs11): %s", __FUNCTION__, MAPFILENAME,
> + ErrLog("%s: fchown(%s, root, %s): %s", __FUNCTION__, MAPFILENAME,
> PKCS11GROUP,
> strerror(errno));
> close(fd);
> return FALSE;
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> -
>
> Thank you.
>
--
Klaus Heinrich Kiwi | [email protected] | http://blog.klauskiwi.com
Open Source Security blog : http://www.ratliff.net/blog
IBM Linux Technology Center : http://www.ibm.com/linux/ltc