Hi Harald,

Root has always been required to be part of the pkcs11 group. In versions prior to 3.0, the pkcs11_startup script did this automatically, so the requirement was not readily exposed to users. In version 3, pkcs11_startup was removed, exposing the requirement to users.

http://sourceforge.net/p/opencryptoki/bugs/114/ was opened a while back to track and improve root access. A more complete solution would perhaps drop root permissions on startup and only acquire those permissions when needed. Unfortunately, I just have not had time to do this.

regards,
Joy

On Wed, 2014-11-26 at 15:27 +0100, Harald Freudenberger wrote:
> Here is a patch to be discussed...
>
> Currently even root needs to be a member of the pkcs11 group to
> successfully execute e.g. pkcsconf -t. It is unclear to me
> whether this is really the expected behavior. There is some code
> and comments in usr/lib/pkcs11/common/new_host.c check_user_and_group()
> telling me that uid == 0 or euid == 0 should be allowed without any
> group checking. On the other hand, before attaching to shared memory in
> usr/lib/pkcs11/api/shrd_mem.c.in there is code that checks for
> membership of the pkcs11 group regardless of any uid check.
>
> RHEL uses its own patch to disable group checking for user root
> and has applied it to ock since 2.4.
>
> So here is a patch which disables checking of the pkcs11 group
> membership for root or euid 0. I leave it to the maintainer of
> opencryptoki to apply or reject it ... however, the intended behavior
> should be documented somewhere.
>
> regards, Harald Freudenberger

_______________________________________________
Opencryptoki-tech mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/opencryptoki-tech
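The two access rules the thread contrasts, written out as an added example. This is not opencryptoki's code and not the patch Harald posted; the function names, the TOKEN_GROUP constant and the root_exempt flag are hypothetical. The pure policy function takes the process credentials as arguments so both variants can be tested side by side: with root_exempt set, uid 0 or euid 0 bypasses the group check (the behaviour Harald's patch asks for); with it clear, everyone including root must be in the group (the 3.x behaviour Joy describes). The wrapper evaluates the same rule for the calling process using getgrnam() and getgroups().

```c
/* Added example, not opencryptoki's code: the pkcs11-group access rule
 * discussed in the thread, as a testable policy function plus a wrapper
 * for the calling process. All names here are hypothetical. */
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Group that gates token access; assumed to be "pkcs11" as in the thread. */
#define TOKEN_GROUP "pkcs11"

/* Pure policy check.
 *   root_exempt != 0: uid 0 or euid 0 is allowed without any group check
 *                     (note that euid 0 also covers setuid-root helpers).
 *   root_exempt == 0: the caller must be in token_gid via its real gid,
 *                     effective gid or supplementary groups, root included.
 * Returns 1 if access is allowed, 0 otherwise. */
int token_access_allowed(uid_t uid, uid_t euid, gid_t gid, gid_t egid,
                         const gid_t *sup, int nsup, gid_t token_gid,
                         int root_exempt)
{
    if (root_exempt && (uid == 0 || euid == 0))
        return 1;
    if (gid == token_gid || egid == token_gid)
        return 1;
    for (int i = 0; i < nsup; i++)
        if (sup[i] == token_gid)
            return 1;
    return 0;
}

/* Evaluate the policy for the calling process.
 * Returns 1 (allowed), 0 (denied), or -1 if TOKEN_GROUP does not exist
 * or the supplementary group list cannot be read. */
int calling_process_allowed(int root_exempt)
{
    struct group *gr = getgrnam(TOKEN_GROUP);
    if (gr == NULL)
        return -1;

    int n = getgroups(0, NULL);          /* size of the supplementary list */
    if (n < 0)
        return -1;
    gid_t *sup = calloc((size_t)n + 1, sizeof(gid_t));
    if (sup == NULL)
        return -1;
    n = getgroups(n, sup);
    if (n < 0) {
        free(sup);
        return -1;
    }

    int ok = token_access_allowed(getuid(), geteuid(), getgid(), getegid(),
                                  sup, n, gr->gr_gid, root_exempt);
    free(sup);
    return ok;
}

static const char *verdict(int r)
{
    if (r < 0)
        return "cannot evaluate (no '" TOKEN_GROUP "' group on this host?)";
    return r ? "allowed" : "denied";
}

int main(void)
{
    printf("group-only policy (3.x behaviour): %s\n",
           verdict(calling_process_allowed(0)));
    printf("root-exempt policy (proposed patch): %s\n",
           verdict(calling_process_allowed(1)));
    return 0;
}
```

Running the binary as root on a host where root is not in the pkcs11 group prints "denied" for the first policy and "allowed" for the second, which is exactly the difference the thread is about. Whichever rule is adopted, it has to be the same one in check_user_and_group() and on the shared-memory attach path, otherwise root passes one check and fails the other.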
