Bug#571631: libapache2-mod-shib2: shib-keygen generates world-readable key file

2010-04-01 Thread Scott Cantor
Don't you think it's kind of an openssl bug to create the key material with full permissions? Shouldn't it creat(keyfile, 0600)? Would be nice I suppose. This aside, I'd recommend working around the issue by creating the key file beforehand with restricted permissions, and not touching

Bug#571631: libapache2-mod-shib2: shib-keygen generates world-readable key file

2010-03-05 Thread Scott Cantor
Note that we can't just use umask 177 in the Debian version of this script since Debian runs shibd as a non-root user and then won't be able to read the certificate. For Debian, we should set the group ownership to the shibd user we create and make the file group-readable. If there's a

Bug#571631: libapache2-mod-shib2: shib-keygen generates world-readable key file

2010-03-05 Thread Scott Cantor
Thank you for the offer! I think it's going to be a bit tricky for you to do something upstream that will also work in Debian without modifications, since you won't be able to rely on the group that we're creating as part of the package installation, so I suspect we should probably carry a

Bug#571631: libapache2-mod-shib2: shib-keygen generates world-readable key file

2010-03-05 Thread Scott Cantor
Actually, I think I was confusing your original umask fix with this submitted patch: https://bugs.internet2.edu/jira/browse/SSPCPP-281 That has a -u option for controlling the user, and I suppose having a group option would make sense also. It would help if folks could collaborate and suggest

Bug#549936: Bug#548126: pu: package opensaml2/2.0-2+lenny1

2009-10-08 Thread Scott Cantor
Faidon Liambotis wrote on 2009-10-08: Yes, I've verified that they work in my setup. As Scott said before, there are more than a dozen scenarios (literally!) and I'm not able to test each one of them. However, they work in the couple that I've tried and the fixes are with upstream's (Scott)

Bug#549936: Bug#548126: pu: package opensaml2/2.0-2+lenny1

2009-10-07 Thread Scott Cantor
Florian Weimer wrote on 2009-10-07: OK, will do. How should we handle the fact that the newer xmltooling is breaking the old (as in, lenny) opensaml2/shibboleth-sp2? We could theoretically add a Conflicts: to a new upload of xmltooling, but this is unnecessary. We don't do this for every

Bug#549936: Bug#548126: pu: package opensaml2/2.0-2+lenny1

2009-10-07 Thread Scott Cantor
Faidon Liambotis wrote on 2009-10-07: Scott and Russ, under which conditions did you see the specific opensaml code to be inlined on shibboleth-sp2? The version of opensaml released on the Internet2 site, which is 2.2.1, includes an inline version of the MetadataCredentialCriteria matches

Bug#549936: Bug#548126: pu: package opensaml2/2.0-2+lenny1

2009-10-07 Thread Scott Cantor
Florian Weimer wrote on 2009-10-07: Scott and Russ, under which conditions did you see the specific opensaml code to be inlined on shibboleth-sp2? Does shibboleth-sp2 create invoke a constructor of that class? Do the compiled binaries contain any reference to the vtable? There are numerous

Bug#549936: breaks Shibboleth SPs: IdPs with KeyDescriptor use=signing are broken

2009-10-06 Thread Scott Cantor
Faidon Liambotis wrote on 2009-10-06: I think the problem is in the following change: * SECURITY: Correctly honor the use attribute of KeyDescriptor SAML metadata to honor restrictions to signing or encryption. This is a partial fix; the complete fix also requires a new version

Bug#549936: breaks Shibboleth SPs: IdPs with KeyDescriptor use=signing are broken

2009-10-06 Thread Scott Cantor
Russ Allbery wrote on 2009-10-06: Ack, I'm sorry. I didn't realize that, so yes, that will indeed be a problem. Sorry, I didn't understand that the fixes were being published separately, since I was reviewing them simultaneously. As it stands, I see now that the advisory I wrote should make