TSS data dir permission problem

Fredrik Ternerot


there is a problem with permission on the libibmtss data directory
(TPM_DATA_DIR) when the engine is used by a service (like Apache
httpd) that loads the key as root but uses the key as another user. In
this case, the data dir is created by the engine at the time when the
key is loaded, and thus root becomes the owner of the dir, and then
later when the other user is trying to use (create files in) this dir
it will fail due to access restrictions.

One possible solution would be to simply allow any user to create
files in this directory by chmod 0777 at creation time (
tpm2_set_unique_tssdir()). Since any sensitive data in this dir is
encrypted it may be an acceptable solution.

Another solution would be to allow the service that are using the
engine to decide on the group ownership for this directory, e.g. by
setting an environment variable with the group name before loading the
key. If the environment variable is set, the engine chown to the new
group and chmod 0770. This is a bit more complex but would keep the
current behaviour when running as the same user all the time (and
hence not setting the environment variable). One drawback with this
solution is that the user of the engine needs to know about it and
actually get the service to set the environment variable.

What do you think? Are there any better options on how to handle this?

Fredrik Ternerot