Date:      Wed, 09 Nov 2016 11:30:02 +0000
From:      bugzilla-noreply@freebsd.org
To:        pkg@FreeBSD.org
Subject:   maintainer-feedback requested: [Bug 214358] ports-mgmt/pkg: >= 1.9.0 client certificate permission denied
Message-ID:  <bug-214358-32340-HmBLgdjsGm@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-214358-32340@https.bugs.freebsd.org/bugzilla/>
References:  <bug-214358-32340@https.bugs.freebsd.org/bugzilla/>

Eugene V. Lyapin <ev.lyapin@gmail.com> has reassigned Bugzilla Automation
<bugzilla@FreeBSD.org>'s request for maintainer-feedback to pkg@FreeBSD.org:
Bug 214358: ports-mgmt/pkg: >= 1.9.0 client certificate permission denied
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=214358



--- Description ---
Hello,

After committing the new feature to 1.9.0:

- Drop privileges in many commands

pkg forks as user 'nobody' and has no access to the SSL client certificate
when trying to read it.

data4# pkg -v
1.9.3

pkg.conf has following:

...

PKG_ENV {
    SSL_CLIENT_CERT_FILE: "/usr/local/etc/ssl/repo/repo.domain.com-client.crt",
    SSL_CLIENT_KEY_FILE: "/usr/local/etc/ssl/repo/repo.domain.com-client.key",
    SSL_CA_CERT_FILE: "/usr/local/etc/ssl/repo/KLCA.pem",

}

...

The client private key has root:wheel (640) perms for security reasons:

-rw-r-----  1 root  wheel  1925 Mar 18  2015 /usr/local/etc/ssl/repo/repo.kaspersky-labs.com-client.key

By using DEBUG=9 (pkg.conf) we get this:

data4# pkg update -r FreeBSD
DBG(1)[13206]> Setting env var: SSL_CLIENT_CERT_FILE
DBG(1)[13206]> Setting env var: SSL_CLIENT_KEY_FILE
DBG(1)[13206]> Setting env var: SSL_CA_CERT_FILE
DBG(1)[13206]> PkgConfig: loading repositories in /etc/pkg/
DBG(1)[13206]> PkgConfig: loading repositories in /usr/local/etc/pkg/repos/
DBG(1)[13206]> PKgConfig: loading /usr/local/etc/pkg/repos/FreeBSD.conf
DBG(1)[13206]> PkgConfig: parsing key 'FreeBSD'
DBG(1)[13206]> PkgConfig: parsing repository object FreeBSD
DBG(1)[13206]> PkgConfig: parsing key 'FreeBSD_stage'
DBG(1)[13206]> PkgConfig: parsing repository object FreeBSD_stage
DBG(1)[13206]> PkgConfig: parsing key 'FreeBSD_official'
DBG(1)[13206]> PkgConfig: parsing repository object FreeBSD_official
Updating FreeBSD repository catalogue...
DBG(1)[13206]> PkgRepo: verifying update for FreeBSD
DBG(4)[13206]> Pkgdb: running 'SELECT count(name) FROM sqlite_master WHERE type='table' AND name='repodata';'
DBG(4)[13206]> Pkgdb: running 'select count(key) from repodata WHERE key = "packagesite" and value = 'pkg+https://repo.kaspersky-labs.com/packages/FreeBSD:10:amd64/161106/ftp''
Repository FreeBSD has a wrong packagesite, need to re-create database
DBG(1)[13206]> PkgRepo: need forced update of FreeBSD
DBG(1)[13206]> Pkgrepo, begin update of '/var/db/pkg/repo-FreeBSD.sqlite'
DBG(1)[13207]> Fetch: fetching from: https://repo.kaspersky-labs.com/packages/FreeBSD:10:amd64/161106/ftp/meta.txz with opts "iv"
looking up repo.kaspersky-labs.com
connecting to repo.kaspersky-labs.com:443
SSL options: 83004bff
Peer verification enabled
Using CA cert file: /usr/local/etc/ssl/repo/KLCA.pem
Using client cert file:
/usr/local/etc/ssl/repo/repo.kaspersky-labs.com-client.crt
Using client key file:
/usr/local/etc/ssl/repo/repo.kaspersky-labs.com-client.key
Could not load client key
/usr/local/etc/ssl/repo/repo.kaspersky-labs.com-client.key
...

chown nobody:wheel helps, but it's not secure.

Best regards,
Eugene
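To make the failure mode in this report reproducible without running pkg, here is an added example (not part of the report or of pkg itself) that applies the POSIX read-access check a dropped-privilege worker is subject to, first to the ownership/mode combinations the report mentions and then to any real key path. The uid/gid 65534 for 'nobody' and the sample file modes are assumptions for illustration.

```python
"""Predict whether an unprivileged fetch worker can read a TLS client key.

Constructed example: models a pkg >= 1.9.0 worker that has dropped to
'nobody' and the key-file permissions quoted in the bug report.
uid/gid 65534 for 'nobody' are assumed, not taken from the report.
"""
import os
import stat
from dataclasses import dataclass
from typing import FrozenSet

NOBODY_UID = 65534                   # assumed uid of 'nobody'
NOBODY_GROUPS = frozenset({65534})   # assumed: primary group 'nobody' only


@dataclass(frozen=True)
class FileInfo:
    mode: int   # permission bits only, e.g. 0o640
    uid: int    # owning user
    gid: int    # owning group


def readable_by(f: FileInfo, uid: int, groups: FrozenSet[int]) -> bool:
    """POSIX discretionary read check: root always passes; otherwise the
    owner bits apply if we own the file, else the group bits if the file's
    group is one of ours, else the 'other' bits."""
    if uid == 0:
        return True
    if uid == f.uid:
        return bool(f.mode & stat.S_IRUSR)
    if f.gid in groups:
        return bool(f.mode & stat.S_IRGRP)
    return bool(f.mode & stat.S_IROTH)


def key_readable_by_worker(path: str, uid: int = NOBODY_UID,
                           groups: FrozenSet[int] = NOBODY_GROUPS) -> bool:
    """Stat a real key file and predict the worker's read access to it."""
    st = os.stat(path)
    return readable_by(FileInfo(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid),
                       uid, groups)


# Scenarios (uid 0 = root, gid 0 = wheel on FreeBSD):
ROOT_WHEEL_640 = FileInfo(0o640, 0, 0)             # as in the report: fetch fails
NOBODY_WHEEL_640 = FileInfo(0o640, NOBODY_UID, 0)  # reporter's chown workaround
ROOT_WHEEL_644 = FileInfo(0o644, 0, 0)             # readable, but by every local user

if __name__ == "__main__":
    for name, info in [("root:wheel 640", ROOT_WHEEL_640),
                       ("nobody:wheel 640", NOBODY_WHEEL_640),
                       ("root:wheel 644", ROOT_WHEEL_644)]:
        print(f"{name:18} readable by nobody: {readable_by(info, NOBODY_UID, NOBODY_GROUPS)}")
```

Run `key_readable_by_worker("/path/to/client.key")` on the host to check the configured SSL_CLIENT_KEY_FILE before an update.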


