Bug 214358 - ports-mgmt/pkg: >= 1.9.0 client certificate permission denied
Summary: ports-mgmt/pkg: >= 1.9.0 client certificate permission denied
Status: Closed DUPLICATE of bug 214357
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: VK
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-11-09 11:30 UTC by Eugene V. Lyapin
Modified: 2016-11-09 11:53 UTC

See Also:
bugzilla: maintainer-feedback? (pkg)


Description Eugene V. Lyapin 2016-11-09 11:30:02 UTC
Hello, 

After committing the new feature to 1.9.0:

- Drop privileges in many commands

pkg forks as user 'nobody' and has no access to the SSL client certificate when trying to read it.

data4# pkg -v
1.9.3

pkg.conf has the following:

...

PKG_ENV {
    SSL_CLIENT_CERT_FILE: "/usr/local/etc/ssl/repo/repo.domain.com-client.crt",
    SSL_CLIENT_KEY_FILE: "/usr/local/etc/ssl/repo/repo.domain.com-client.key",
    SSL_CA_CERT_FILE: "/usr/local/etc/ssl/repo/KLCA.pem",

}

...

The client private key has root:wheel (640) perms for security reasons:

-rw-r-----  1 root  wheel  1925 Mar 18  2015 /usr/local/etc/ssl/repo/repo.kaspersky-labs.com-client.key

Using DEBUG=9 (pkg.conf) we get this:

data4# pkg update -r FreeBSD
DBG(1)[13206]> Setting env var: SSL_CLIENT_CERT_FILE
DBG(1)[13206]> Setting env var: SSL_CLIENT_KEY_FILE
DBG(1)[13206]> Setting env var: SSL_CA_CERT_FILE
DBG(1)[13206]> PkgConfig: loading repositories in /etc/pkg/
DBG(1)[13206]> PkgConfig: loading repositories in /usr/local/etc/pkg/repos/
DBG(1)[13206]> PKgConfig: loading /usr/local/etc/pkg/repos/FreeBSD.conf
DBG(1)[13206]> PkgConfig: parsing key 'FreeBSD'
DBG(1)[13206]> PkgConfig: parsing repository object FreeBSD
DBG(1)[13206]> PkgConfig: parsing key 'FreeBSD_stage'
DBG(1)[13206]> PkgConfig: parsing repository object FreeBSD_stage
DBG(1)[13206]> PkgConfig: parsing key 'FreeBSD_official'
DBG(1)[13206]> PkgConfig: parsing repository object FreeBSD_official
Updating FreeBSD repository catalogue...
DBG(1)[13206]> PkgRepo: verifying update for FreeBSD
DBG(4)[13206]> Pkgdb: running 'SELECT count(name) FROM sqlite_master WHERE type='table' AND name='repodata';'
DBG(4)[13206]> Pkgdb: running 'select count(key) from repodata WHERE key = "packagesite" and value = 'pkg+https://repo.kaspersky-labs.com/packages/FreeBSD:10:amd64/161106/ftp''
Repository FreeBSD has a wrong packagesite, need to re-create database
DBG(1)[13206]> PkgRepo: need forced update of FreeBSD
DBG(1)[13206]> Pkgrepo, begin update of '/var/db/pkg/repo-FreeBSD.sqlite'
DBG(1)[13207]> Fetch: fetching from: https://repo.kaspersky-labs.com/packages/FreeBSD:10:amd64/161106/ftp/meta.txz with opts "iv"
looking up repo.kaspersky-labs.com
connecting to repo.kaspersky-labs.com:443
SSL options: 83004bff
Peer verification enabled
Using CA cert file: /usr/local/etc/ssl/repo/KLCA.pem
Using client cert file: /usr/local/etc/ssl/repo/repo.kaspersky-labs.com-client.crt
Using client key file: /usr/local/etc/ssl/repo/repo.kaspersky-labs.com-client.key
Could not load client key /usr/local/etc/ssl/repo/repo.kaspersky-labs.com-client.key
...

chown nobody:wheel helps, but it's not secure.

Best regards,
Eugene
Comment 1 Eugene V. Lyapin 2016-11-09 11:33:11 UTC
Sorry, the correct PKG_ENV (pkg.conf):

PKG_ENV {
    SSL_CLIENT_CERT_FILE: "/usr/local/etc/ssl/repo/repo.kaspersky-labs.com-client.crt",
    SSL_CLIENT_KEY_FILE: "/usr/local/etc/ssl/repo/repo.kaspersky-labs.com-client.key",
    SSL_CA_CERT_FILE: "/usr/local/etc/ssl/repo/KLCA.pem",

}
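A pre-flight check for the situation in the report and the corrected PKG_ENV of Comment 1, as an added example that is not part of the bug report or of pkg itself: it reads the SSL_*_FILE entries from a PKG_ENV block and evaluates whether an unprivileged uid/gid (the 'nobody' identity the fetch child drops to) could read each file, so a root:wheel 0640 key is flagged before `pkg update` fails. The uid/gid value 65534 and the temporary files are constructed for the demo and are assumptions, not values from the report.

```python
import os
import re
import stat
import tempfile

# Minimal reader for the PKG_ENV { KEY: "value", ... } block quoted in the
# report (UCL syntax); only simple quoted string pairs are recognised.
PKG_ENV_RE = re.compile(r'PKG_ENV\s*\{(.*?)\}', re.S)
PAIR_RE = re.compile(r'^\s*([A-Z0-9_]+)\s*:\s*"([^"]*)"\s*,?\s*$', re.M)

def parse_pkg_env(conf_text):
    m = PKG_ENV_RE.search(conf_text)
    return dict(PAIR_RE.findall(m.group(1))) if m else {}

def readable_by(path, uid, gid, groups=()):
    # Owner/group/other read-bit evaluation for an unprivileged (uid, gid):
    # what pkg's fetch child sees after switching to 'nobody'. uid 0 is
    # deliberately not special-cased, since the check targets that user.
    if not os.path.exists(path):
        return False
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid == gid or st.st_gid in groups:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

def check_ssl_files(conf_text, uid, gid, groups=()):
    # {env_key: (path, readable)} for every SSL_*_FILE in PKG_ENV, so a
    # root:wheel 0640 key shows up as unreadable before 'pkg update' fails
    # with "Could not load client key".
    return {k: (v, readable_by(v, uid, gid, groups))
            for k, v in parse_pkg_env(conf_text).items()
            if k.startswith("SSL_") and k.endswith("_FILE")}

def demo():
    # Constructed reproduction: key 0640, cert and CA 0644, owned by the
    # current user, checked against a uid/gid that is neither owner nor group.
    d = tempfile.mkdtemp()
    for name, mode in {"client.crt": 0o644, "client.key": 0o640,
                       "KLCA.pem": 0o644}.items():
        open(os.path.join(d, name), "w").close()
        os.chmod(os.path.join(d, name), mode)
    conf = (f'PKG_ENV {{\n    SSL_CLIENT_CERT_FILE: "{d}/client.crt",\n'
            f'    SSL_CLIENT_KEY_FILE: "{d}/client.key",\n'
            f'    SSL_CA_CERT_FILE: "{d}/KLCA.pem",\n}}\n')
    st = os.stat(os.path.join(d, "client.key"))
    other_uid = 65534 if st.st_uid != 65534 else 65533  # assumed 'nobody'
    other_gid = 65534 if st.st_gid != 65534 else 65533
    return check_ssl_files(conf, other_uid, other_gid)
```

Run `demo()` to see the 0640 key reported as unreadable while the 0644 cert and CA file pass; on a real host, point it at the actual pkg.conf text and the uid/gid of 'nobody'.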
Comment 2 VK 2016-11-09 11:46:33 UTC
*** This bug has been marked as a duplicate of bug 214357 ***