Fixing NSS and p11-kit in Fedora (and beyond)
Stef Walter
stefw at redhat.com
Fri Dec 12 03:02:58 PST 2014
On 12.12.2014 10:48, David Woodhouse wrote:
> On Fri, 2014-12-12 at 09:22 +0100, Stef Walter wrote:
>> On 11.12.2014 10:12, David Woodhouse wrote:
>>> I'd love to have a Fedora Feature in F22 for PKCS#11, where keys+certs
>>> from installed PKCS#11 modules are expected to Just Work⢠in all
>>> applications that can use certificates. Using consistent PKCS#11 URIs
>>> where appropriate. Even if we aren't ready for a Feature, I'd love to
>>> make some more progress in that direction. Obviously none of this is
>>> really Fedora-specific, but if we can get it right in Fedora (as we did
>>> for the trust stuff), other distributions can follow.
>>
>> I believe there's an open process for proposing Fedora Features and I
>> think it's going on right now. But I agree that doing all of this in a
>> few months is a bit much to bite off, even for someone as tireless as
>> you :D
>
> Yeah. I'm severely tempted at least to file an overall tracker bug for
> the "feature", and file individual bugs against all the packages that
> need to be "fixed" to comply with the vision. It'll make it much easier
> to track. Any objections?
There's nothing to object to. That makes sense.
>> Note that /etc/pki/nssdb is also not completely safe on multi-user
>> systems. One user can easily lock the database and prevent any other
>> user from doing NSS crypto with that database. Correct me if I'm wrong.
>
> Bob knows best, but I'm not sure I recognise that problem. The database
> in /etc/pki/nssdb is read-only, so I don't think unprivileged users can
> do *anything* to screw with others' access to it.
It is possible to flock or fcntl(FD_SETLK) a file that you don't own,
and that prevents anyone else from getting an exclusive/write lock on
it. Crazy ... put it on the pile of shitty unfixable security issues
with Linux.
Simple demo with flock():
$ sudo touch /etc/test
$ flock --shared /etc/test sleep 1000 &
$ sudo flock --exclusive /etc/test echo "worked"
sqlite uses fcntl, although it does not block indefinitely on the lock.
It exits after a short timeout. So a little program like this run by a
user, can cause other NSS access to /etc/pki/nssdb/cert9.db to fail.
#include <err.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int
main(void) {
struct flock l = { .l_type = F_RDLCK, .l_whence = SEEK_SET, .l_start =
0, .l_len = 0 };
int f = open("/etc/pki/nssdb/cert9.db", O_RDONLY, 0);
if (f < 0)
err(1, "open");
if (fcntl (f, F_SETLK, &l) < 0)
err(1, "fcntl");
printf ("locked\n");
sleep (100000);
return 0;
}
$ sudo certutil -d sql:/etc/pki/nssdb -L
certutil: function failed: SEC_ERROR_PKCS11_GENERAL_ERROR: A PKCS #11
module returned CKR_GENERAL_ERROR, indicating that an unrecoverable
error has occurred.
At a fundamental level it appears that a database which uses advisory
locking may not be shared by different security contexts (read users).
Stef
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freedesktop.org/archives/p11-glue/attachments/20141212/5b2bc52d/attachment.sig>
More information about the p11-glue
mailing list