Currently the client certificate database will be created in /tmp by default. If there's a problem or a mistake when configuring the security of the database, it could be left exposed to other users.
It would be better to create the database in the home directory of the user executing pkispawn, for example ~/.pki/certs/<instance>. That way the database is automatically protected by the home directory.
Committed to 'master':
Per request, made the following code changes to 'pki/base/silent/templates/pki_silent.template':
diff --git a/base/silent/templates/pki_silent.template b/base/silent/templates/p index 27e4ae7..10b95ce 100755 --- a/base/silent/templates/pki_silent.template +++ b/base/silent/templates/pki_silent.template @@ -54,6 +54,10 @@ if [ "${MY_UID}" != "${ROOTUID}" ] && exit 255 fi +if [ -z "${HOME}" ]; then + printf "ERROR: The 'HOME' environment variable must be set!\n" + exit 255 +fi ############################################################################## @@ -78,7 +82,7 @@ fi ## PKI Silent Security Database Variables ## (e. g. - PKI Silent "browser" database) -pki_silent_security_database_repository="/tmp" +pki_silent_security_database_repository="${HOME}/.pki/certs" pki_silent_security_database_password= ## PKI Security Domain Variables
Per request, removed 'pki/base/silent/templates/subca_silent.template'.
Metadata Update from @edewata: - Issue assigned to mharmsen - Issue set to the milestone: 10.0.0-0.X.rc1
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/969
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Subscribe
Thank you for understanding, and we apologize for any inconvenience.
Log in to comment on this ticket.