Default permissions for keystore #2850
Comments
The Setgid Bit is used. When the setgid (set group ID) bit is set on a directory, it affects the group ownership of newly created files and subdirectories within that directory. E.g.:
Thus the created files do not have world writable permissions.
The following applies because of
For non-standard paths where the upper-level directories of tpm2-tss don't exist, the directory creation is governed only by the umask if running by a root user. What was the reason to use
Yes that's true. Especially for the user_dir it would be better not to rely on the umask value. For the directory /var/lib/tpm2-tss/system/keystore the Setgid bit should be set.
The issue that I've encountered as per original findings. If /var/lib/tpm2_tss is not owned by tss group and The permissions in the following file are supposed to be for system/keystore: From actual experience, should be on tpm2_tss.
I'm afraid I don't understand the point. Could you maybe explain it a bit more?
I just found that by default the keystore's directories are being created with 0777 (world writable!) permissions: https://github.com/tpm2-software/tpm2-tss/blob/master/src/tss2-fapi/ifapi_helpers.c#L1082 and being used in keystore population.
For example:
Aren't such permissions too broad?
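The umask dependence discussed in this thread, as an added example that is not part of the issue or of tpm2-tss: it compares the mode a directory receives from mkdir(path, 0777) under different umasks with a create-then-chmod variant that does not depend on the umask. The function name, the /tmp scratch path and the 0770 target mode are assumptions made for the illustration.

```c
/* Added example: constructed scratch paths under /tmp, not tpm2-tss code. */
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create a scratch parent and a "keystore" child under the given umask.
 * explicit_mode == 0: mkdir(child, 0777), so the result is 0777 & ~umask.
 * explicit_mode != 0: mkdir(child, 0700), then chmod(child, explicit_mode),
 *                     so the result no longer depends on the umask.
 * Returns the child's permission bits, or -1 on error. */
int keystore_dir_mode(mode_t mask, mode_t explicit_mode)
{
    char parent[64], child[96];
    struct stat st;
    int result = -1;

    /* Hypothetical scratch location; mkdir fails if the name already exists. */
    snprintf(parent, sizeof parent, "/tmp/ksdemo-%ld", (long)getpid());
    snprintf(child, sizeof child, "%s/keystore", parent);

    mode_t old = umask(mask);
    if (mkdir(parent, 0700) != 0) {
        umask(old);
        return -1;
    }
    int rc = mkdir(child, explicit_mode ? 0700 : 0777);
    umask(old);                      /* restore the caller's umask */

    if (rc == 0) {
        /* chmod sets the requested bits exactly; the umask is not applied. */
        if ((explicit_mode == 0 || chmod(child, explicit_mode) == 0)
            && stat(child, &st) == 0)
            result = (int)(st.st_mode & 0777);
        rmdir(child);
    }
    rmdir(parent);
    return result;
}

int main(void)
{
    printf("mkdir 0777, umask 022:    %04o\n", keystore_dir_mode(022, 0));
    printf("mkdir 0777, umask 000:    %04o\n", keystore_dir_mode(000, 0));
    printf("explicit 0770, umask 000: %04o\n", keystore_dir_mode(000, 0770));
    printf("explicit 0770, umask 077: %04o\n", keystore_dir_mode(077, 0770));
    return 0;
}
```

A service started with umask 000 is the case where the 0777 argument produces a world-writable directory; the explicit chmod path yields the same mode in every case.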