The old database explicitly protected the NSS database files with user rw and all others no access. At least the key DB, and preferably the others, need this protection as well.
Created attachment 346705: preliminary patch, comments welcome

This patch has only been tested on Linux. It needs to be tested on a few other platforms, particularly since it is not using our normal porting layer (NSPR), since some of the required NSPR functions are missing.
Created attachment 351481: Set proper mode on NSS db files.

This patch works on both Linux and Windows (the latter doesn't actually have any modes).
Comment on attachment 351481: Set proper mode on NSS db files.

Patch is ready for review.
Comment on attachment 351481: Set proper mode on NSS db files.

Bob, I have two issues with this patch:

1. Windows does have an approximate equivalent to Unix modes. NSPR knows how to set Windows' security descriptors when you pass Unix mode flags to PR_OpenFile, PR_OpenFileUTF16, or PR_MakeDir. See
http://mxr.mozilla.org/security/source/nsprpub/pr/src/md/windows/w95io.c#245
http://mxr.mozilla.org/security/source/nsprpub/pr/src/md/windows/w95io.c#1075
http://mxr.mozilla.org/security/source/nsprpub/pr/src/md/windows/w95io.c#1228
http://mxr.mozilla.org/security/source/nsprpub/pr/src/md/windows/ntio.c#2148
http://mxr.mozilla.org/security/source/nsprpub/pr/src/md/windows/ntio.c#3197
http://mxr.mozilla.org/security/source/nsprpub/pr/src/io/prfile.c#386
http://mxr.mozilla.org/security/source/nsprpub/pr/src/io/prfile.c#800
http://mxr.mozilla.org/security/source/nsprpub/pr/src/io/prdir.c#93
Now, it appears to be true that NSPR doesn't offer a chmod-like function, but perhaps it should. In any case, I think it is appropriate for NSS to use similar logic to that used by NSPR for mapping Unix file permissions to Windows security descriptors, whether it does that by calling a function in NSPR, or by doing the work itself.

2. On Windows, mode 0600 is frequently a problem. It's better to use mode 0660 as the default on Windows.
So I can go 2 ways here: I can use Windows' own POSIX mappings and call chmod and open directly with 0600, or we can say that on Windows it's better to set 660, which is the default. I traced what we are doing in the old dbm code, and we pass 0600 to dbopen(), which on Windows eventually maps to the normal libc open with 0600.

Which patch should I attach:
1) one that never messes with mode at all on Windows, neither for pkcs11.txt nor for the cert & key databases,
or
2) one that uses the Windows libc mapping and passes 0600 for both pkcs11.txt and the cert & key databases.

bob
Actually the current patch does option 2 above.
Comment on attachment 351481: Set proper mode on NSS db files.

I guess there's no good solution for Windows. :(

r=nelson
It appears that this checkin has broken the build on Windows. Problem is: chmod is undeclared. I have committed a trivial fix.

Checking in softoken/sdb.c; new revision: 1.10; previous revision: 1.9
Checking in softoken/sftkmod.c; new revision: 1.4; previous revision: 1.3
Patch is in with Nelson's correction for Windows.
Comment on attachment 351481: Set proper mode on NSS db files.

>+/* same as fopen, except it doesn't use umask, but explicit */

Nit: this comment is misleading because umask is still used. The file access modes for the new file are 0600 & ~umask. See http://www.opengroup.org/onlinepubs/000095399/functions/open.html under "O_CREAT":

  ... and the access permission bits (see <sys/stat.h>) of the file mode shall be set to the value of the third argument taken as type mode_t modified as follows: a bitwise AND is performed on the file-mode bits and the corresponding bits in the complement of the process' file mode creation mask.
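The umask point in the last comment, shown as an added example (this is not code from the NSS patch): open(O_CREAT, mode) only gives an upper bound on the resulting bits, while a follow-up fchmod() makes the mode genuinely explicit. It assumes a POSIX system with a writable /tmp; the scratch directory and the "key.db" file name are constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits of an open descriptor, or -1 on error. */
static int file_mode_bits(int fd)
{
    struct stat st;
    return fstat(fd, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* open(O_CREAT, mode) alone: the kernel records mode & ~umask. */
static int create_masked(const char *path, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, mode);
    if (fd < 0)
        return -1;
    int bits = file_mode_bits(fd);
    close(fd);
    return bits;
}

/* open() followed by fchmod(): the file ends up with exactly `mode`. */
static int create_exact(const char *path, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, mode);
    if (fd < 0)
        return -1;
    int bits = fchmod(fd, mode) == 0 ? file_mode_bits(fd) : -1;
    close(fd);
    return bits;
}

/* Under umask 0077, request 0660 either way and report what was recorded.
 * The scratch directory and file name are constructed for this demo. */
static int demo_bits(int exact)
{
    char dir[] = "/tmp/nss_mode_demo_XXXXXX";
    char path[64];
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/key.db", dir);
    mode_t old = umask(0077);
    int bits = exact ? create_exact(path, 0660) : create_masked(path, 0660);
    umask(old);
    unlink(path);
    rmdir(dir);
    return bits; /* 0600 via open() alone, 0660 after fchmod() */
}
```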