Bug 214358

Summary: ports-mgmt/pkg: >= 1.9.0 client certificate permission denied
Product: Ports & Packages
Reporter: Eugene V. Lyapin <ev.lyapin>
Component: Individual Port(s)
Assignee: VK <vlad-fbsd>
Status: Closed DUPLICATE
Severity: Affects Some People
CC: ev.lyapin
Priority: ---
Flags: bugzilla: maintainer-feedback? (pkg)
Version: Latest
Hardware: Any
OS: Any

Description Eugene V. Lyapin 2016-11-09 11:30:02 UTC
Hello, 

After committing the new feature to 1.9.0:

- Drop privileges in many commands

pkg forks as user 'nobody' and has no access to the SSL client certificate when trying to read it.

data4# pkg -v
1.9.3

pkg.conf has the following:

...

PKG_ENV {
    SSL_CLIENT_CERT_FILE: "/usr/local/etc/ssl/repo/repo.domain.com-client.crt",
    SSL_CLIENT_KEY_FILE: "/usr/local/etc/ssl/repo/repo.domain.com-client.key",
    SSL_CA_CERT_FILE: "/usr/local/etc/ssl/repo/KLCA.pem",

}

...

The client private key has root:wheel (640) perms for security reasons:

-rw-r-----  1 root  wheel  1925 Mar 18  2015 /usr/local/etc/ssl/repo/repo.kaspersky-labs.com-client.key

With DEBUG=9 (pkg.conf) we get this:

data4# pkg update -r FreeBSD
DBG(1)[13206]> Setting env var: SSL_CLIENT_CERT_FILE
DBG(1)[13206]> Setting env var: SSL_CLIENT_KEY_FILE
DBG(1)[13206]> Setting env var: SSL_CA_CERT_FILE
DBG(1)[13206]> PkgConfig: loading repositories in /etc/pkg/
DBG(1)[13206]> PkgConfig: loading repositories in /usr/local/etc/pkg/repos/
DBG(1)[13206]> PKgConfig: loading /usr/local/etc/pkg/repos/FreeBSD.conf
DBG(1)[13206]> PkgConfig: parsing key 'FreeBSD'
DBG(1)[13206]> PkgConfig: parsing repository object FreeBSD
DBG(1)[13206]> PkgConfig: parsing key 'FreeBSD_stage'
DBG(1)[13206]> PkgConfig: parsing repository object FreeBSD_stage
DBG(1)[13206]> PkgConfig: parsing key 'FreeBSD_official'
DBG(1)[13206]> PkgConfig: parsing repository object FreeBSD_official
Updating FreeBSD repository catalogue...
DBG(1)[13206]> PkgRepo: verifying update for FreeBSD
DBG(4)[13206]> Pkgdb: running 'SELECT count(name) FROM sqlite_master WHERE type='table' AND name='repodata';'
DBG(4)[13206]> Pkgdb: running 'select count(key) from repodata WHERE key = "packagesite" and value = 'pkg+https://repo.kaspersky-labs.com/packages/FreeBSD:10:amd64/161106/ftp''
Repository FreeBSD has a wrong packagesite, need to re-create database
DBG(1)[13206]> PkgRepo: need forced update of FreeBSD
DBG(1)[13206]> Pkgrepo, begin update of '/var/db/pkg/repo-FreeBSD.sqlite'
DBG(1)[13207]> Fetch: fetching from: https://repo.kaspersky-labs.com/packages/FreeBSD:10:amd64/161106/ftp/meta.txz with opts "iv"
looking up repo.kaspersky-labs.com
connecting to repo.kaspersky-labs.com:443
SSL options: 83004bff
Peer verification enabled
Using CA cert file: /usr/local/etc/ssl/repo/KLCA.pem
Using client cert file: /usr/local/etc/ssl/repo/repo.kaspersky-labs.com-client.crt
Using client key file: /usr/local/etc/ssl/repo/repo.kaspersky-labs.com-client.key
Could not load client key /usr/local/etc/ssl/repo/repo.kaspersky-labs.com-client.key
...

chown nobody:wheel helps, but it's not secure.

Best regards,
Eugene
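Added example, not part of the bug report or of pkg itself: a small audit that takes the PKG_ENV block from pkg.conf, applies the ordinary POSIX owner/group/other read-bit rule for the unprivileged user pkg drops to, and lists which SSL files the forked fetcher will fail to open. The 'nobody' uid/gid of 65534 and the wheel gid of 0 are assumptions, the file ownership data is constructed to match the report rather than read from disk, and the PKG_ENV parser handles only the `KEY: "value"` form shown on the page, not general UCL.

```python
import os
import re
import stat
from dataclasses import dataclass

# Constructed copy of the reporter's corrected PKG_ENV block.
PKG_CONF = '''
PKG_ENV {
    SSL_CLIENT_CERT_FILE: "/usr/local/etc/ssl/repo/repo.kaspersky-labs.com-client.crt",
    SSL_CLIENT_KEY_FILE: "/usr/local/etc/ssl/repo/repo.kaspersky-labs.com-client.key",
    SSL_CA_CERT_FILE: "/usr/local/etc/ssl/repo/KLCA.pem",

}
'''

CERT = "/usr/local/etc/ssl/repo/repo.kaspersky-labs.com-client.crt"
KEY = "/usr/local/etc/ssl/repo/repo.kaspersky-labs.com-client.key"
CA = "/usr/local/etc/ssl/repo/KLCA.pem"

NOBODY_UID = 65534  # assumption: FreeBSD 'nobody' uid
NOBODY_GID = 65534  # assumption: FreeBSD 'nobody' primary gid
WHEEL_GID = 0       # assumption: FreeBSD 'wheel' gid


@dataclass(frozen=True)
class Ownership:
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o640


def ssl_files_from_pkg_env(conf_text):
    """Return {env_var: path} for SSL_* entries inside the PKG_ENV block."""
    block = re.search(r'PKG_ENV\s*\{(.*?)\}', conf_text, re.S)
    if not block:
        return {}
    return dict(re.findall(r'(SSL_[A-Z_]+)\s*:\s*"([^"]+)"', block.group(1)))


def can_read(owner, uid, gids):
    """POSIX read check: owner bits if uid matches, group bits if any gid
    matches, otherwise the 'other' bits. Root (uid 0) bypasses the check,
    which is exactly what the fetcher loses once pkg forks as 'nobody'."""
    if uid == 0:
        return True
    if uid == owner.uid:
        return bool(owner.mode & stat.S_IRUSR)
    if owner.gid in gids:
        return bool(owner.mode & stat.S_IRGRP)
    return bool(owner.mode & stat.S_IROTH)


def unreadable_after_privdrop(conf_text, ownership, uid=NOBODY_UID,
                              gids=frozenset({NOBODY_GID})):
    """List (env_var, path) pairs the privilege-dropped fetcher cannot open.
    A path missing from `ownership` is reported too (the file does not exist)."""
    missing = []
    for var, path in ssl_files_from_pkg_env(conf_text).items():
        owner = ownership.get(path)
        if owner is None or not can_read(owner, uid, gids):
            missing.append((var, path))
    return missing


def ownership_from_disk(paths):
    """Stat real files (for use on a live host); skips paths that do not exist."""
    result = {}
    for p in paths:
        if os.path.exists(p):
            st = os.stat(p)
            result[p] = Ownership(st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))
    return result


# Constructed ownership matching the report: the key is root:wheel 0640,
# the certificate and CA bundle are world-readable.
REPORTED = {
    CERT: Ownership(0, WHEEL_GID, 0o644),
    KEY: Ownership(0, WHEEL_GID, 0o640),
    CA: Ownership(0, WHEEL_GID, 0o644),
}

if __name__ == "__main__":
    for var, path in unreadable_after_privdrop(PKG_CONF, REPORTED):
        print(f"{var}={path}: not readable by uid {NOBODY_UID} after privilege drop")
```

On a live host the same audit runs against real metadata with `unreadable_after_privdrop(PKG_CONF, ownership_from_disk([CERT, KEY, CA]))`; the reported key comes back as the only unreadable file, which is the failure the DEBUG=9 output shows as "Could not load client key".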
Comment 1 Eugene V. Lyapin 2016-11-09 11:33:11 UTC
Sorry, the correct PKG_ENV (pkg.conf) is:

PKG_ENV {
    SSL_CLIENT_CERT_FILE: "/usr/local/etc/ssl/repo/repo.kaspersky-labs.com-client.crt",
    SSL_CLIENT_KEY_FILE: "/usr/local/etc/ssl/repo/repo.kaspersky-labs.com-client.key",
    SSL_CA_CERT_FILE: "/usr/local/etc/ssl/repo/KLCA.pem",

}
Comment 2 VK 2016-11-09 11:46:33 UTC

*** This bug has been marked as a duplicate of bug 214357 ***