Removing /var/cache/tang breaks Tang #24
Comments
We can probably solve this problem with this advice:
This would only solve the "no permissions to create" part, no?
I agree the real problem is different here: Any application should work when their cache data is removed. That's why it is called a
Hi, I have not tried the patch, but if it resolves the issue, it would help other distros to benefit from it ☺
So why not include this patch? Is there any news? IMHO this cache directory is making securing the tang server harder than it should be. Is the cache directory itself security-sensitive? I.e. can I run a tang server only with the cache and it is valid and can be used for encryption?
In any case, I just see no advantage in using this temp dir as an intermediate step. As the redhat patch also shows, this may cause problems and is likely the only reason tang depends on systemd unit to trigger all this – which is not needed if tang can do it itself. So to have "one point of trust/failure" I'd also argue not to spread the key material in different directories, but keep it in one place.
Thanks @cedricbu and @rugk for the helpful pointers. In my docker image (https://github.com/padhi-homelab/docker_tang) I have applied the patch and removed this cache directory (and
I will prepare a PR for the patch.
This effectively removes the cache directory -- usually /var/cache/tang --, which had pre-computed files with signed advertisements and JWK with keys for deriving new keys. This computation was done by the tangd-update script, which has also been removed in this commit. We relied on systemd to run this script whenever the JWK dir -- usually /var/db/tang, which is where the actual keys are located -- changed, to keep the cache directory updated, but this is sometimes unreliable, causing issues like the ones reported in latchset#23 and latchset#24. As of now, tang performs these computations itself and does not depend on external scripts to make sure it has reliable information regarding its keys. Tests added as well. Resolves: latchset#23 Resolves: latchset#24
We currently rely on the tangd-update script to read the keys and generate signed advertisements as well as JWKs for key derivation. Whenever there is a change in the directory containing the actual keys, we run tangd-update through a systemd file watching mechanism, so that we can have a cache directory with updated advertisements + JWKs. As reported in latchset#23 and latchset#24, this mechanism can be unreliable in certain situations, and having up-to-date information on the keys that are available is critical to tang, so the idea here is to remove this dependency on external scripts (e.g. tangd-update) and move this computation to tang itself. In this commit we add the related functions for key manipulation so that in a next step we can start using it in tang.
Use the key manipulation functions added in src/keys.{c|h} in tangd. This effectively removes the need for a cache directory -- usually /var/cache/tang --, which contained pre-computed files with signed advertisements and JWK with keys for deriving new keys. This computation was done by the tangd-update script, which has also been removed in this commit. We relied on systemd to run this script whenever the JWK dir -- usually /var/db/tang, which is where the actual keys are located -- changed, to keep the cache directory updated, but this is sometimes unreliable, causing issues like the ones reported in latchset#23 and latchset#24. As of now, tang performs these computations itself and does not depend on external scripts to make sure it has reliable information regarding its keys.
Use the key manipulation functions added in src/keys.{c|h} in tangd. This effectively removes the need for a cache directory -- usually /var/cache/tang --, which contained pre-computed files with signed advertisements and JWK with keys for deriving new keys. This computation was done by the tangd-update script, which has also been removed in this commit. We relied on systemd to run this script whenever the JWK dir -- usually /var/db/tang, which is where the actual keys are located -- changed, to keep the cache directory updated, but this is sometimes unreliable, causing issues like the ones reported in latchset#23 and latchset#24. As of now, tang performs these computations itself and does not depend on external scripts to make sure it has reliable information regarding its keys. Additionally, tang also creates a new pair of keys if none exist.
We currently rely on the tangd-update script to read the keys and generate signed advertisements as well as JWKs for key derivation. Whenever there is a change in the directory containing the actual keys, we run tangd-update through a systemd file watching mechanism, so that we can have a cache directory with updated advertisements + JWKs. As reported in #23 and #24, this mechanism can be unreliable in certain situations, and having up-to-date information on the keys that are available is critical to tang, so the idea here is to remove this dependency on external scripts (e.g. tangd-update) and move this computation to tang itself. In this commit we add the related functions for key manipulation so that in a next step we can start using it in tang.
Use the key manipulation functions added in src/keys.{c|h} in tangd. This effectively removes the need for a cache directory -- usually /var/cache/tang --, which contained pre-computed files with signed advertisements and JWK with keys for deriving new keys. This computation was done by the tangd-update script, which has also been removed in this commit. We relied on systemd to run this script whenever the JWK dir -- usually /var/db/tang, which is where the actual keys are located -- changed, to keep the cache directory updated, but this is sometimes unreliable, causing issues like the ones reported in #23 and #24. As of now, tang performs these computations itself and does not depend on external scripts to make sure it has reliable information regarding its keys. Additionally, tang also creates a new pair of keys if none exist.
Applications should survive the removal of their data in `/var/cache/` and regenerate them as necessary.

With Tang, one needs to explicitly run `tangd-update` after `rm -rf /var/cache/tang`. And even then, `tangd-update` fails to create `/var/cache/tang` since it doesn't run as root.