On 2017-04-21 Marga Manterola <ma...@google.com> wrote:
> On Fri, Apr 21, 2017 at 7:10 PM Andreas Metzler <ametz...@bebt.de> wrote:
[...]
>>> /etc/pkcs11 directory looks like this:
>>> $ ls -ld /etc/pkcs11 /etc/pkcs11/
>>> lrwxrwxrwx 1 root root 21 Jan 3 14:14 /etc/pkcs11 -> /var/lib/opencryptoki
>>> drwxrwx--- 8 root pkcs11 4096 Apr 21 10:33 /etc/pkcs11/
[...]
>> Isn't this where the actual breakage is located? Afaik /etc should
>> contain configuration files, not symlinks to unreadable empty
>> directories. Or are there special mitigating circumstances?

> This is how the opencryptoki package is shipped:
> http://sources.debian.net/src/opencryptoki/2.3.1%2Bdfsg-3/usr/lib/pkcs11/api/Makefile.am/?hl=47#L47

I know, I double-checked, I was wondering about your opinion. ;-)

> To be honest, I'm not sure if this is breaking policy or not.
> https://www.debian.org/doc/debian-policy/ch-files.html#s-config-files seems
> to say that symlinking is not ideal but possible. Doesn't talk about the
> permissions. It *is* possible to have files in /etc/ that are not world
> readable

Policy allows symlinks pointing *to* files in /etc as workaround, not
the other way round.

> Regardless of this, I see no reason why p11-kit should be ok with the file
> not existing but not ok with it not being readable by the current process.

I will forward upstream.

cu Andreas
--
`What a good friend you are to him, Dr. Maturin.
His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'