[Bug 214357] ports-mgmt/pkg: >= 1.9.0 client certificate permission denied
bugzilla-noreply at freebsd.org
Wed Nov 9 11:29:06 UTC 2016
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=214357
Bug ID: 214357
Summary: ports-mgmt/pkg: >= 1.9.0 client certificate permission denied
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: Individual Port(s)
Assignee: pkg at FreeBSD.org
Reporter: ev.lyapin at gmail.com
Flags: maintainer-feedback?(pkg at FreeBSD.org)
Created attachment 176814
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=176814&action=edit
pkg.conf
Hello,
After committing a new feature to 1.9.0:
- Drop privileges in many commands
pkg forks as user 'nobody' and has no access to the SSL client certificate
when trying to read it.
data4# pkg -v
1.9.3
pkg.conf has following:
...
PKG_ENV {
SSL_CLIENT_CERT_FILE: "/usr/local/etc/ssl/repo/repo.domain.com-client.crt",
SSL_CLIENT_KEY_FILE: "/usr/local/etc/ssl/repo/repo.domain.com-client.key",
SSL_CA_CERT_FILE: "/usr/local/etc/ssl/repo/KLCA.pem",
}
...
The client private key has root:wheel (640) perms for security reasons:
-rw-r----- 1 root wheel 1925 Mar 18 2015
/usr/local/etc/ssl/repo/repo.kaspersky-labs.com-client.key
By using DEBUG=9 (pkg.conf) we get this:
data4# pkg update -r FreeBSD
DBG(1)[13206]> Setting env var: SSL_CLIENT_CERT_FILE
DBG(1)[13206]> Setting env var: SSL_CLIENT_KEY_FILE
DBG(1)[13206]> Setting env var: SSL_CA_CERT_FILE
DBG(1)[13206]> PkgConfig: loading repositories in /etc/pkg/
DBG(1)[13206]> PkgConfig: loading repositories in /usr/local/etc/pkg/repos/
DBG(1)[13206]> PKgConfig: loading /usr/local/etc/pkg/repos/FreeBSD.conf
DBG(1)[13206]> PkgConfig: parsing key 'FreeBSD'
DBG(1)[13206]> PkgConfig: parsing repository object FreeBSD
DBG(1)[13206]> PkgConfig: parsing key 'FreeBSD_stage'
DBG(1)[13206]> PkgConfig: parsing repository object FreeBSD_stage
DBG(1)[13206]> PkgConfig: parsing key 'FreeBSD_official'
DBG(1)[13206]> PkgConfig: parsing repository object FreeBSD_official
Updating FreeBSD repository catalogue...
DBG(1)[13206]> PkgRepo: verifying update for FreeBSD
DBG(4)[13206]> Pkgdb: running 'SELECT count(name) FROM sqlite_master WHERE
type='table' AND name='repodata';'
DBG(4)[13206]> Pkgdb: running 'select count(key) from repodata WHERE key =
"packagesite" and value =
'pkg+https://repo.kaspersky-labs.com/packages/FreeBSD:10:amd64/161106/ftp''
Repository FreeBSD has a wrong packagesite, need to re-create database
DBG(1)[13206]> PkgRepo: need forced update of FreeBSD
DBG(1)[13206]> Pkgrepo, begin update of '/var/db/pkg/repo-FreeBSD.sqlite'
DBG(1)[13207]> Fetch: fetching from:
https://repo.kaspersky-labs.com/packages/FreeBSD:10:amd64/161106/ftp/meta.txz
with opts "iv"
looking up repo.kaspersky-labs.com
connecting to repo.kaspersky-labs.com:443
SSL options: 83004bff
Peer verification enabled
Using CA cert file: /usr/local/etc/ssl/repo/KLCA.pem
Using client cert file:
/usr/local/etc/ssl/repo/repo.kaspersky-labs.com-client.crt
Using client key file:
/usr/local/etc/ssl/repo/repo.kaspersky-labs.com-client.key
Could not load client key
/usr/local/etc/ssl/repo/repo.kaspersky-labs.com-client.key
...
chown nobody:wheel helps, but it's not secure.
Best regards,
Eugene
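The failure above comes down to one question: can the unprivileged user pkg switches to still read the files named in PKG_ENV? The following is an added example, not part of the bug report or of pkg itself; it parses a pkg.conf PKG_ENV block, then judges readability from the mode bits alone (no ACLs, no root override), and builds a throwaway key file in a temp directory so it runs without touching the real /usr/local/etc/ssl tree. Paths in the sample config are the reporter's placeholders; the "other user" in the demo is any uid/gid that is neither owner nor group.

```python
import os
import re
import stat
import tempfile

# Constructed sample mirroring the reporter's pkg.conf excerpt (placeholder paths).
SAMPLE_PKG_CONF = """
PKG_ENV {
  SSL_CLIENT_CERT_FILE: "/usr/local/etc/ssl/repo/repo.domain.com-client.crt",
  SSL_CLIENT_KEY_FILE: "/usr/local/etc/ssl/repo/repo.domain.com-client.key",
  SSL_CA_CERT_FILE: "/usr/local/etc/ssl/repo/KLCA.pem",
}
"""

def ssl_files_from_pkg_conf(text):
    """Return {VAR: path} for every SSL_*_FILE entry inside the PKG_ENV block."""
    m = re.search(r"PKG_ENV\s*\{(.*?)\}", text, re.S)
    if not m:
        return {}
    return dict(re.findall(r'(SSL_\w+_FILE)\s*:\s*"([^"]+)"', m.group(1)))

def readable_by(path, uid, gids):
    """True if a process running as uid (member of gids) may read path, by mode bits only."""
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

def check_pkg_env(text, uid, gids):
    """Map each SSL_*_FILE to True/False for the dropped-privilege user; missing files map to None."""
    result = {}
    for var, path in ssl_files_from_pkg_conf(text).items():
        result[var] = readable_by(path, uid, gids) if os.path.exists(path) else None
    return result

def demo_key_permissions(mode):
    """Create a throwaway 'key' with the given mode and test it against a non-owner, non-group uid."""
    d = tempfile.mkdtemp()
    key = os.path.join(d, "client.key")
    with open(key, "w") as f:
        f.write("-- constructed placeholder, not a real key --\n")
    os.chmod(key, mode)
    conf = 'PKG_ENV {\n SSL_CLIENT_KEY_FILE: "%s",\n SSL_CA_CERT_FILE: "/nonexistent/KLCA.pem",\n}' % key
    other_uid, other_gids = os.getuid() + 1, {os.getgid() + 1}
    return check_pkg_env(conf, other_uid, other_gids)
```

On a real host, run check_pkg_env over the actual pkg.conf text with pwd.getpwnam('nobody').pw_uid and that account's groups; a False for SSL_CLIENT_KEY_FILE reproduces the "Could not load client key" condition before pkg ever opens a connection.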