The last EP11 test run found a mismatch between specification and runtime for the ep11 log file. Upon creation it should have the group ppcs11 and permissions 640. This patch introduces this behaviour.
Signed-off-by: Harald Freudenberger <[email protected]> --- usr/lib/pkcs11/ep11_stdll/ep11_specific.c | 56 +++++++++++++++++------------ 1 file changed, 34 insertions(+), 22 deletions(-) diff --git a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c index c19065c..7daaed4 100644 --- a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c +++ b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c @@ -317,6 +317,7 @@ #include <syslog.h> #include <dlfcn.h> #include <lber.h> +#include <grp.h> #include "ep11.h" #define EP11SHAREDLIB "libep11.so" @@ -1238,6 +1239,33 @@ static CK_RV make_wrapblob(CK_ATTRIBUTE *tmpl_in, CK_ULONG tmpl_len) return rc; } +static CK_RV open_logfile() +{ + char logfilename[PATH_MAX]; + struct group *grp; + mode_t m; + + /* create the log file */ + sprintf(logfilename, EP11TOK_LOGFILEMASK, (unsigned) getpid()); + EP11Tok_logfile = fopen(logfilename, "w+"); + if (!EP11Tok_logfile) { + fprintf(stderr, "ERROR: ock_ep11_token: can't open log file '%s' (errno=%d) !!!\n", + logfilename, errno); + return CKR_FUNCTION_FAILED; + } + + /* change group to pkcs11, ignore failure */ + grp = getgrnam("pkcs11"); + if (grp) + chown(logfilename, -1, grp->gr_gid); + + /* change permissions to 640, ignore failure */ + m = S_IRUSR | S_IWUSR | S_IRGRP; + chmod(logfilename, m); + + return CKR_OK; +} + CK_RV token_specific_init(CK_SLOT_ID SlotNumber, char *conf_name) { CK_RV rc; @@ -1249,19 +1277,9 @@ CK_RV token_specific_init(CK_SLOT_ID SlotNumber, char *conf_name) if (env_loglevel) { int loglevel = atoi(env_loglevel); if (loglevel > 0) { - /* create the log file */ - char logfilename[PATH_MAX]; - sprintf(logfilename, EP11TOK_LOGFILEMASK, - (unsigned) getpid()); - EP11Tok_logfile = fopen(logfilename, "w+"); - if (!EP11Tok_logfile) { - fprintf(stderr, "ERROR: ock_ep11_token: can't open log file '%s' (errno=%d) !!!\n", logfilename, errno); - /* however, continue here, - * do not return CKR_DEVICE_ERROR; - */ - } else { - EP11Tok_loglevel = loglevel; - } + open_logfile(); + /* continue even on failure opening the ep11 log file */ + EP11Tok_loglevel = loglevel; } else { /* environment variable is present but value * is 0 or invalid @@ -3960,15 +3978,9 @@ static int read_adapter_config_file(const char* conf_name) rc = APQN_FILE_SYNTAX_ERROR_5; break; } - if (loglevel > 0 && EP11Tok_loglevel == 0) { - if (!EP11Tok_logfile) { - /* create the log file */ - char logfilename[PATH_MAX]; - sprintf(logfilename, - EP11TOK_LOGFILEMASK, - (unsigned) getpid()); - EP11Tok_logfile = fopen(logfilename, "w+"); - } + if (loglevel > 0 && EP11Tok_loglevel == 0 && !EP11Tok_logfile) { + open_logfile(); + /* continue even on failure */ EP11Tok_loglevel = loglevel; } i = 0; -- 1.7.9.5 ------------------------------------------------------------------------------ Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk _______________________________________________ Opencryptoki-tech mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/opencryptoki-tech
