802-1x: take away linux file permissions for certificate files (!998) · Merge requests · NetworkManager / NetworkManager-ci

Thomas Haller requested to merge th/8021x-cert-permissions into master Mar 22, 2022

Currently NetworkManager runs with capability CAP_DAC_OVERRIDE. This is actually required for different things.

Among others, NetworkManager will look (read) certificate files, to figure out whether a password is needed. For example, "802-1x.private-key" might require a "802-1x.private-key-password".

NetworkManager is running as root user. But the certificate files are already owned by a different user (test:test). Change the file permissions too, so that NetworkManager could not read the files, if it did not have CAP_DAC_OVERRIDE.

For now, the tests will continue to work. But if you take away CAP_DAC_OVERRIDE, then they would start failing. This is the goal of the patch.

Admin message

802-1x: take away linux file permissions for certificate files

Merge request reports