Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Bug#995156: easy-rsa: vars Autodetection
75 views
Skip to first unread message
Mathieu Espagnacq
Sep 27, 2021, 5:30:05 AM9/27/21
to
Package: easy-rsa
Version: 3.0.8-1
Severity: normal
Dear Maintainer,
*** Reporter, please consider answering these questions, where appropriate ***
* What led up to the situation?
Upgrading to Debian 11
* What exactly did you do (or not do) that was effective (or
ineffective)?
Creating new client cert
* What was the outcome of this action?
New cert whitout option from vars file
* What outcome did you expect instead?
New cert created with option from vars file.
Before upgrade i've created cadir usign "make-cadir" which create some
files and directory including a file named vars. Which i modified to my
needs.
After upgrade, options in this file were not used anymore (and the
message "Note: using Easy-RSA configuration from: " were not displayed
anymore).
I've made some test, using make-cadir on Debian 11, a file named vars
is still created but not used.
I've made some research on vars Autodetection using
/usr/share/doc/easy-rsa/doc/. Informations from EasyRSA-Advanced.md look
identical from Debian 10 and Debian 11 about vars Autodetection :
#### vars Autodetection
A 'vars' file is a file named simply `vars` (without an extension) that
Easy-RSA will source for configuration. This file is specifically designed
*not* to replace variables that have been set with a higher-priority method
such as CLI opts or env-vars.
The following locations are checked, in this order, for a vars file. Only the
first one found is used:
1. The file referenced by the `--vars` CLI option
2. The file referenced by the env-var named `EASYRSA_VARS_FILE`
3. The directory referenced by the `EASYRSA_PKI` env-var
4. The default PKI directory at `$PWD/pki`
4. The directory referenced by the `EASYRSA` env-var
5. The directory containing the easyrsa program
Defining the env-var `EASYRSA_NO_VARS` will override the sourcing of the vars
file in all cases, including defining it subsequently as a global option.
I'm unsure 5. is still effective (or identical to previous version).
Maybe i've missed warning about this change in
https://metadata.ftp-master.debian.org/changelogs//main/e/easy-rsa/easy-rsa_3.0.8-1_changelog
and i apologize for this.
Regards,
m.e.
*** End of the template - remove these template lines ***
-- System Information:
Debian Release: 11.0
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-8-cloud-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages easy-rsa depends on:
ii openssl 1.1.1k-1+deb11u1
Versions of packages easy-rsa recommends:
ii opensc 0.21.0-1
easy-rsa suggests no packages.
-- no debconf information
Version: 3.0.8-1
Severity: normal
Dear Maintainer,
*** Reporter, please consider answering these questions, where appropriate ***
* What led up to the situation?
Upgrading to Debian 11
* What exactly did you do (or not do) that was effective (or
ineffective)?
Creating new client cert
* What was the outcome of this action?
New cert whitout option from vars file
* What outcome did you expect instead?
New cert created with option from vars file.
Before upgrade i've created cadir usign "make-cadir" which create some
files and directory including a file named vars. Which i modified to my
needs.
After upgrade, options in this file were not used anymore (and the
message "Note: using Easy-RSA configuration from: " were not displayed
anymore).
I've made some test, using make-cadir on Debian 11, a file named vars
is still created but not used.
I've made some research on vars Autodetection using
/usr/share/doc/easy-rsa/doc/. Informations from EasyRSA-Advanced.md look
identical from Debian 10 and Debian 11 about vars Autodetection :
#### vars Autodetection
A 'vars' file is a file named simply `vars` (without an extension) that
Easy-RSA will source for configuration. This file is specifically designed
*not* to replace variables that have been set with a higher-priority method
such as CLI opts or env-vars.
The following locations are checked, in this order, for a vars file. Only the
first one found is used:
1. The file referenced by the `--vars` CLI option
2. The file referenced by the env-var named `EASYRSA_VARS_FILE`
3. The directory referenced by the `EASYRSA_PKI` env-var
4. The default PKI directory at `$PWD/pki`
4. The directory referenced by the `EASYRSA` env-var
5. The directory containing the easyrsa program
Defining the env-var `EASYRSA_NO_VARS` will override the sourcing of the vars
file in all cases, including defining it subsequently as a global option.
I'm unsure 5. is still effective (or identical to previous version).
Maybe i've missed warning about this change in
https://metadata.ftp-master.debian.org/changelogs//main/e/easy-rsa/easy-rsa_3.0.8-1_changelog
and i apologize for this.
Regards,
m.e.
*** End of the template - remove these template lines ***
-- System Information:
Debian Release: 11.0
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-8-cloud-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages easy-rsa depends on:
ii openssl 1.1.1k-1+deb11u1
Versions of packages easy-rsa recommends:
ii opensc 0.21.0-1
easy-rsa suggests no packages.
-- no debconf information
Christoph Zechner
Nov 5, 2021, 6:20:03 AM11/5/21
to
Hi,
I ran into the same issue and found the culprit: a commit [1] which
intended to fix the problem with easyrsa in $PATH, due to pattern
matching in the shell variable that tries to detect the $EASYRSA value.
Please find attached my patch to fix this regression:
--- a/easyrsa 2021-11-05 10:21:02.783260266 +0100
+++ b/easyrsa 2021-11-05 10:22:12.591259497 +0100
@@ -1664,9 +1664,8 @@
vars=
# set up program path
- prog_file="$0"
+ prog_file="$(dirname $0)/$(basename $0)"
prog_file2="$(which -- "$prog_file" 2>/dev/null)" &&
prog_file="$prog_file2"
- prog_file2="$(readlink -f "$prog_file" 2>/dev/null)" &&
prog_file="$prog_file2"
prog_dir="${prog_file%/*}"
prog_vars="${prog_dir}/vars"
# set up PKI path
Otherwise, "$prog_file" ends up being empty and subsequently, the vars
file is not being sourced.
Cheers
Christoph
[1]
https://github.com/OpenVPN/easy-rsa/commit/52befc623fbf6fc9c1fbd29bfe32af2503e65b24
>
intended to fix the problem with easyrsa in $PATH, due to pattern
matching in the shell variable that tries to detect the $EASYRSA value.
Please find attached my patch to fix this regression:
--- a/easyrsa 2021-11-05 10:21:02.783260266 +0100
+++ b/easyrsa 2021-11-05 10:22:12.591259497 +0100
@@ -1664,9 +1664,8 @@
vars=
# set up program path
- prog_file="$0"
+ prog_file="$(dirname $0)/$(basename $0)"
prog_file2="$(which -- "$prog_file" 2>/dev/null)" &&
prog_file="$prog_file2"
- prog_file2="$(readlink -f "$prog_file" 2>/dev/null)" &&
prog_file="$prog_file2"
prog_dir="${prog_file%/*}"
prog_vars="${prog_dir}/vars"
# set up PKI path
Otherwise, "$prog_file" ends up being empty and subsequently, the vars
file is not being sourced.
Cheers
Christoph
[1]
https://github.com/OpenVPN/easy-rsa/commit/52befc623fbf6fc9c1fbd29bfe32af2503e65b24
>
Adrian Bunk
Mar 1, 2023, 12:10:04 PM3/1/23
to
On Tue, Feb 14, 2023 at 10:28:16PM +0100, Lee Garrett wrote:
> I'm bumping the bug severity because currently it will ignore
> security-relevant settings like keysize and algo, and the defaults are
> pretty weak.
Has anyone discussed this with upstream?
This seems to be an area with frequent changes upstream, adding a patch
that is not a backport from upstream might be a bad idea.
cu
Adrian
> I'm bumping the bug severity because currently it will ignore
> security-relevant settings like keysize and algo, and the defaults are
> pretty weak.
Has anyone discussed this with upstream?
This seems to be an area with frequent changes upstream, adding a patch
that is not a backport from upstream might be a bad idea.
cu
Adrian
0 new messages