opencryptoki / openssl-ibmca

OpenSSL engine and provider for libica.
Apache License 2.0

provider: Default debug directory to /tmp but make it configurable #108

Closed ifranzki closed 11 months ago

ifranzki commented 11 months ago

The IBMCA provider debug logs were written to the /var/log/ibmca/ directory, but this required that directory to be world-writable, because we don't know under which user an application runs that uses the provider. A world-writable directory under /var has security implications and should be avoided.

Change the default log directory to /tmp, which is world-writable anyway. Additionally, the log directory can now be configured via the 'debug-path' option in the IBMCA provider section of the OpenSSL config file, or via the environment variable 'IBMCA_DEBUG_PATH'.

Closes: https://github.com/opencryptoki/openssl-ibmca/issues/107

jschmidb commented 11 months ago

Otherwise looks good to me.

ifranzki commented 11 months ago

Small change to prefer env var IBMCA_DEBUG_PATH over the config setting (in case both are specified).

sharkcz commented 11 months ago

> Small change to prefer env var IBMCA_DEBUG_PATH over the config setting (in case both are specified).

It makes sense, thanks.
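
An added example, not the provider's own code: it applies the precedence described in this thread (IBMCA_DEBUG_PATH, then the config 'debug-path' value, then /tmp) and shows one way to create a log file in a world-writable directory so that a file or symlink planted by another local user is refused. The function names and the `example-debug-<pid>.log` file name are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Precedence stated in the thread: IBMCA_DEBUG_PATH, then the config
 * file's debug-path value, then the /tmp default. */
const char *resolve_debug_dir(const char *cfg_debug_path)
{
    const char *env = getenv("IBMCA_DEBUG_PATH");
    if (env != NULL && env[0] != '\0')
        return env;
    if (cfg_debug_path != NULL && cfg_debug_path[0] != '\0')
        return cfg_debug_path;
    return "/tmp";
}

/* Create a per-process log file in dir (hypothetical file name).
 * Returns an open fd, or -1 with errno set. */
int open_debug_log(const char *dir, char *path, size_t path_len)
{
    int n = snprintf(path, path_len, "%s/example-debug-%ld.log", dir, (long)getpid());
    if (n < 0 || (size_t)n >= path_len) {
        errno = ENAMETOOLONG;
        return -1;
    }
    /* O_CREAT|O_EXCL fails with EEXIST if the name already exists, including
     * as a symlink; O_NOFOLLOW is kept as defence in depth; mode 0600 keeps
     * the log unreadable for other local users of the shared directory. */
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
}

int main(void)
{
    char path[4096];
    int fd = open_debug_log(resolve_debug_dir(NULL), path, sizeof(path));
    if (fd < 0) { perror("open_debug_log"); return 1; }
    dprintf(fd, "debug log opened\n");
    printf("logging to %s\n", path);
    close(fd);
    return 0;
}
```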