[openssl-users] missing default /usr/local/ssl/openssl.cnf causes failure on AIX, warning on all others

Michael Wojcik Michael.Wojcik at microfocus.com
Thu Jan 22 21:15:42 UTC 2015

(Apologies for the top-post; Outlook does not deal properly with HTML email.)

If open, called by fopen, actually is setting EPERM, then one of the following should be true:

- /usr/local/ssl/openssl.cnf exists but the user does not have read permission on it
- Either /usr/local or /usr/local/ssl exists and is a directory, but the user does not have *execute* permission on it

Note that *read* permission on the directories is not necessary to open a file contained therein. Read permission on a directory is only required to enumerate the directory contents (for ls, find, etc). Execute permission on a directory, on the other hand, is traversal permission, and you need traversal permission along the path to open a file.

There are some other possibilities, such as ACLs (not commonly used in AIX, but available). Users who don't have traverse permission for /usr itself would have a hard time getting this far, so we can probably rule that out.

A run under truss might be enlightening.

From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of mclellan, dave
Sent: Thursday, January 22, 2015 15:00
To: openssl-users at openssl.org
Subject: Re: [openssl-users] missing default /usr/local/ssl/openssl.cnf causes failure on AIX, warning on all others

Thank you Rich.

The sentence you couldn't understand is my bad, s/b:

"In fact, on some, even non-AIX hosts, permissions would suggest that the permission error should be returned."


This message has been scanned for malware by Websense. www.websense.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150122/f997cffa/attachment.html>

More information about the openssl-users mailing list