Closed Bug 66939 Opened 24 years ago Closed 24 years ago

PSM 1.x can not change profiles.

Categories

(Core :: Security: PSM, defect)

1.0 Branch
All
Mac System 8.5
defect
Not set
normal

VERIFIED FIXED

People

(Reporter: javi, Assigned: javi)

Attachments

(2 files)

ccarlen has been working on implementing changing user profiles for embedding.  
He came across a case using PSM on the Mac where the lack of SECMOD_Shutdown 
causes profile switching to not work.

Mac PSM is in process and uses the loadable root certificate technology for its 
list of trusted roots.  When ccarlen went to re-initialize NSS after shutting it 
down before, NSS couldn't initialize properly because the shared library was 
already loaded and some problems arose.  (He knows more about the specifics of 
that problem.)

I worked around this problem by calling SECMOD_DeleteModule to delete the 
loadable root certs module.  It'd be nice to get a SECMOD_Shutdown so that 
different profiles using external smart cards can work without having to quit and 
re-start.

This isn't crucial for NSS 3.2 since we've found a workaround, but would be nice 
to have in future versions of NSS going forward.
Two patches here:
(1) for psmglue which registers it as a profile change observer
(2) for psm server to allow it to be exited and restarted.

After applying both patches, it's close but not quite. Here's how to see the
problem using the secure site: https://www.verisign.com/.
(1) Using PPEmbed, have at least two different profiles.
(2) Delete the "Security" folder from each profile dir so as to start fresh.
PPEmbed's profiles are located at <Hard Disk>Documents:PPEmbed:Profiles:
(3) Go to the above URL. It will work and the "Security" dir will be created
within the profile dir with these 3 files: Certificates7, Key Database3, and
Security Modules.
(4) Change to the other profile and try and visit the same site. It won't work
and the "Security" dir will be created in the other profile dir but with only
these files: Certificates7 and Key Database3.

If I visit the above URL with one profile, quit, visit it with the other
profile, it will work fine and I can then always switch between profiles without
restart. Basically, all 3 files must be in the "Security" dir to begin with or
it won't work.
ccarlen:  This is a bug for NSS, not PSM.  Create a PSM bug and attach the 
patches to that bug.
Since this has PSM patches attached, I'm making this a PSM bug.  Will open a new 
bug for NSS issues.
Assignee: relyea → javi
Summary: Need a SECMOD_Shutdown so that change profiles without having to re-start. → PSM 1.x can not change profiles.
Product->PSM
Component: Libraries → Daemon
Product: NSS → PSM
Version: 3.2 → 1.5
For NSS issues see Bug 67068
Turns out the problem is due to the fact that the SECMOD_ library in NSS can 
only be initialized once per process.  pk11util.c has a global variable that is 
checked in SECMOD_init, and if it's non-NULL, the rest of the initialization is 
short-circuited.  That's why the "Security Modules" file doesn't get created for 
the second profile.  It's actually still using the "Security Modules" database 
from the first profile.

The loadable root certificates module loads up fine, so SSL does work.  If you 
were using smart cards on the system, then maybe this would be an issue, but I 
believe this should be OK for now.
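
The once-per-process initialization described in the comment above, as an added example that is not part of the original bug report and is not NSS code: a simplified model showing how a global guard leaves the first profile's module database in use after a profile switch, and how a shutdown that clears the guard lets the second one open. All names (`toy_module_init`, `toy_module_shutdown`, `switch_profile`) and both database paths are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, NOT NSS source; every name here is hypothetical. */
#define DB_A "ProfileA:Security:Security Modules"   /* constructed paths */
#define DB_B "ProfileB:Security:Security Modules"

static char active_db[128];      /* module database currently in use */
static int  module_initialized;  /* process-wide guard */

/* Returns 1 if db_path was opened, 0 if the guard short-circuited the
 * call and the earlier database silently stays in use. */
int toy_module_init(const char *db_path)
{
    if (module_initialized)
        return 0;
    snprintf(active_db, sizeof active_db, "%s", db_path);
    module_initialized = 1;
    return 1;
}

/* Shutdown clears the guard so the next init takes effect. */
void toy_module_shutdown(void)
{
    active_db[0] = '\0';
    module_initialized = 0;
}

/* Switch from profile A to B; returns the database active afterwards. */
const char *switch_profile(int shutdown_first)
{
    toy_module_shutdown();               /* start from a clean state */
    toy_module_init(DB_A);
    if (shutdown_first)
        toy_module_shutdown();
    if (!toy_module_init(DB_B))
        fprintf(stderr, "re-init ignored, still using: %s\n", active_db);
    return active_db;
}

int main(void)
{
    printf("without shutdown: %s\n", switch_profile(0));
    printf("with shutdown:    %s\n", switch_profile(1));
    return 0;
}
```

Returning a status from the init call, rather than silently succeeding, is what lets a caller notice that the second profile is still bound to the first profile's module database.
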
ccarlen:  There is not enough time to spin a new NSS with the right fix.  In
essence, your users can only ever open one Security Modules database on the Mac.
This doesn't affect functionality and would only be an issue if you were using
smart cards on your system.

I'm inclined to check-in the patches attached and mark the NSS bug 67068 as
FUTURE since this doesn't actually break SSL and really is a feature enhancement
request from NSS.
OK - That should be fine. Should we be alright with this on Win & Linux where
the mods to psmglue cause the psm app to exit? 
On non-Mac platforms the new databases will be created.

(This assumes your test cases have succeeded on Win32 and Unix platforms.)
r=javi on these changes.
sr=mscott
Patch checked in.
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Great, thanks!
No longer blocks: 64833
Verified per javier's comments.
Status: RESOLVED → VERIFIED
Product: PSM → Core
Version: psm1.5 → 1.0 Branch