Hello,
The pam_pkcs11 module requires PKCS#11 modules to have uid = 0
and gid = 0. With this restriction, /usr/lib/libpkcs11.so on Solaris OS
could not be loaded successfully because its gid is 2.
---------------------------------------------------------------------------------------------------------------------------------------------------
DEBUG:pkcs11_lib.c:948: PKCS #11 module = [/usr/lib/libpkcs11.so]
DEBUG:pkcs11_lib.c:965: module permissions: uid = 0, gid = 2, mode = 755
ERROR:pam_pkcs11.c:307: load_pkcs11_module() failed: the pkcs #11 module
MUST be owned by root and MUST NOT be writeable by the group or others
---------------------------------------------------------------------------------------------------------------------------------------------------
To resolve this problem on Solaris OS, we removed the gid == 0
requirement from the src/common/pkcs11_lib.c file, because checking
the uid, the group write permission and the other write permission
should be sufficient.
Attached is the patch file, please let me know if you have any comments.
Thanks,
Huie-Ying
Index: pkcs11_lib.c
===================================================================
--- pkcs11_lib.c (revision 332)
+++ pkcs11_lib.c (working copy)
@@ -964,7 +964,7 @@
DBG3("module permissions: uid = %d, gid = %d, mode = %o",
module_stat.st_uid, module_stat.st_gid, module_stat.st_mode & 0777);
if (module_stat.st_mode & S_IWGRP || module_stat.st_mode & S_IWOTH
- || module_stat.st_uid != 0 || module_stat.st_gid != 0) {
+ || module_stat.st_uid != 0) {
set_error("the pkcs #11 module MUST be owned by root and MUST NOT "
"be writeable by the group or others");
free(h);
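Review bot: the relaxed condition still does not check the file type, so any root-owned, non-group/other-writable object at the module path (a directory, a FIFO, a symlink target of another kind) passes it; consider extending the condition to `|| !S_ISREG(module_stat.st_mode)`. Dropping `st_gid != 0` itself is consistent with the stated rationale, since `S_IWGRP` is still rejected, a non-root group that cannot write the file cannot replace its code, and the set_error() text ("MUST be owned by root") remains accurate because the uid 0 check is kept.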
_______________________________________________
opensc-devel mailing list
[email protected]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
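As an added example (not pam_pkcs11 or OpenSC code), the check the patch arrives at, written as a stand-alone C routine: owner must be uid 0, the file must be a regular file, and neither the group nor the other write bit may be set, while the group id is left unconstrained so a root-owned library with gid 2, as on Solaris, passes. The policy is applied to a `struct stat` so it can be exercised on constructed values without root; a second function opens the module and checks the descriptor with fstat() instead of stat()-ing the path. The function names, the default path and the constructed test values are this example's own assumptions.

```c
/* Added example, not pam_pkcs11 code: ownership/permission policy for a
 * PKCS#11 module path, with the gid == 0 requirement dropped as in the
 * patch above. Function names and defaults here are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Policy check on a struct stat. Returns 1 if the file may be loaded,
 * 0 otherwise with a reason written to err. Enforces: regular file,
 * owner uid 0, no group or other write bit. The gid is deliberately not
 * constrained (the Solaris libpkcs11.so in the report has gid 2): a
 * group that cannot write the file cannot replace its code. */
int module_stat_ok(const struct stat *st, char *err, size_t errlen)
{
    if (!S_ISREG(st->st_mode)) {
        snprintf(err, errlen, "not a regular file (type bits %o)",
                 (unsigned)(st->st_mode & S_IFMT));
        return 0;
    }
    if (st->st_uid != 0) {
        snprintf(err, errlen, "owned by uid %lu, must be owned by root (uid 0)",
                 (unsigned long)st->st_uid);
        return 0;
    }
    if (st->st_mode & (S_IWGRP | S_IWOTH)) {
        snprintf(err, errlen, "writable by group or others (mode %o)",
                 (unsigned)(st->st_mode & 07777));
        return 0;
    }
    return 1;
}

/* Open the module and fstat() the descriptor rather than stat()-ing the
 * path: the inode that was checked is the one held open, so the path
 * cannot be repointed between the check and the use. Solaris and glibc
 * dlopen() still take a path, not an fd, so to close the window fully a
 * caller would keep this fd open across dlopen() and compare st_dev and
 * st_ino of the loaded object (not shown). Returns the fd or -1. */
int open_checked_module(const char *path, char *err, size_t errlen)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) {
        snprintf(err, errlen, "open(%s): %s", path, strerror(errno));
        return -1;
    }
    if (fstat(fd, &st) != 0) {
        snprintf(err, errlen, "fstat(%s): %s", path, strerror(errno));
        close(fd);
        return -1;
    }
    if (!module_stat_ok(&st, err, errlen)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Stand-alone use: ./modcheck [/path/to/module.so] */
int main(int argc, char **argv)
{
    char err[256];
    const char *path = argc > 1 ? argv[1] : "/usr/lib/libpkcs11.so";
    int fd = open_checked_module(path, err, sizeof err);
    if (fd < 0) {
        fprintf(stderr, "refusing to load %s: %s\n", path, err);
        return 1;
    }
    printf("%s passes the ownership/permission check\n", path);
    close(fd);
    return 0;
}
```

Running it against a module owned by root with mode 755 and any gid succeeds; a group-writable copy, a non-root-owned copy, or a non-regular file is refused with the reason in the message.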