Univention Bugzilla – Bug 34081
Wrong permissions after renewing complete certificate chain
Last modified: 2023-03-25 06:51:08 CET
The permissions for /etc/univention/ssl and subfiles should be checked before and after a certificate chain renewal.
+++ This bug was initially created as a clone of Bug #31941 +++
See also Bug #34082
Please check if a test case is possible.
Created attachment 6303: permission dicts for /etc/univention/ssl directory
A test case is possible to produce, but to check whether the permissions are correct, a rule still needs to be set for each directory/file in the directory tree of /etc/univention/ssl. A new script is added to 00_base with the name "101_permissions_after_renew_certificate_chain" with the basic steps needed to test this case. In the attached file "permission.dicts" I put two cases where the script is run and produced a dictionary containing all files and their permissions in the format declared at the top of the attachment. Please review and advise.
A new script is created with the name "101_permissions_after_renew_ssl_certificate" to check the read permissions for all files under "/etc/univention/ssl" before and after SSL certificate renewal, including:
1- DC Backup Hosts should be able to read all files.
2- Every host should be able to read its own certificate files.
3- All users should be able to read only "/etc/univention/ssl/ucsCA/CAcert.pem", serial and index files.
This script fails if any of the above is not met, see Bug #36557
New tests added to include checking the write permissions for:
1- Group "DC Backup Hosts" should not have write access to any file. (This fails due to Bug #34082, and the lines in the script are commented out until that bug is closed.)
2- Others should not have write access to any file.
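As an added illustration (not the ucs-test script attached to this bug), the following Python sketch does what the two comments above describe: snapshot owner, group and mode of every entry under /etc/univention/ssl, check the read/write rules, and diff the snapshots taken before and after a renewal. Assumptions: the CA index file is named index.txt, readability is judged from mode bits only (POSIX ACLs and parent-directory traversal are ignored), and the BEFORE/AFTER snapshots are constructed sample data, where the modelled renewal leaves the CA key world-readable and the password file group-writable.

```python
import grp, os, pwd, stat
from typing import Dict, List, Tuple

SSL_DIR = "/etc/univention/ssl"
BACKUP_GROUP = "DC Backup Hosts"
# Files the bug says every user may read; any other world-readable file is a violation.
WORLD_READABLE = {f"{SSL_DIR}/ucsCA/{n}" for n in ("CAcert.pem", "serial", "index.txt")}
Snapshot = Dict[str, Tuple[str, str, int]]  # path -> (owner, group, full st_mode)

def snapshot(root: str = SSL_DIR) -> Snapshot:
    """Record owner, group and mode of every entry below root (run as root on the DC Master)."""
    snap: Snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            snap[path] = (pwd.getpwuid(st.st_uid).pw_name, grp.getgrgid(st.st_gid).gr_name, st.st_mode)
    return snap

def check(snap: Snapshot) -> List[str]:
    """One message per violation of the read/write rules listed in the bug (mode bits only)."""
    problems = []
    for path, (_owner, group, mode) in sorted(snap.items()):
        world_r = bool(mode & stat.S_IROTH)
        if not stat.S_ISDIR(mode):  # read rules apply to files; directories keep their x bits
            if not (world_r or (group == BACKUP_GROUP and mode & stat.S_IRGRP)):
                problems.append(f"{path}: not readable by group '{BACKUP_GROUP}'")
            if world_r != (path in WORLD_READABLE):
                problems.append(f"{path}: world-readable={world_r}, expected {path in WORLD_READABLE}")
        if group == BACKUP_GROUP and mode & stat.S_IWGRP:
            problems.append(f"{path}: group '{BACKUP_GROUP}' has write access")
        if mode & stat.S_IWOTH:
            problems.append(f"{path}: others have write access")
    return problems

def changed(before: Snapshot, after: Snapshot) -> List[str]:
    """Paths whose owner, group or mode differ between the two snapshots (or appeared/vanished)."""
    return sorted(p for p in set(before) | set(after) if before.get(p) != after.get(p))

# Constructed before/after snapshots (assumed values, not data from a real system).
F, D = stat.S_IFREG, stat.S_IFDIR
BEFORE: Snapshot = {
    SSL_DIR: ("root", BACKUP_GROUP, D | 0o750),
    f"{SSL_DIR}/password": ("root", BACKUP_GROUP, F | 0o640),
    f"{SSL_DIR}/ucsCA": ("root", BACKUP_GROUP, D | 0o755),
    f"{SSL_DIR}/ucsCA/CAcert.pem": ("root", BACKUP_GROUP, F | 0o644),
    f"{SSL_DIR}/ucsCA/serial": ("root", BACKUP_GROUP, F | 0o644),
    f"{SSL_DIR}/ucsCA/index.txt": ("root", BACKUP_GROUP, F | 0o644),
    f"{SSL_DIR}/ucsCA/private/CAkey.pem": ("root", BACKUP_GROUP, F | 0o640),
}
AFTER: Snapshot = {**BEFORE, f"{SSL_DIR}/password": ("root", BACKUP_GROUP, F | 0o660),
                   f"{SSL_DIR}/ucsCA/private/CAkey.pem": ("root", BACKUP_GROUP, F | 0o644)}
```

On a real DC Master the same checks run as `check(snapshot())` before the renewal and again afterwards, with `changed()` pointing at exactly which entries the renewal touched.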
Please skip /etc/univention/ssl/unassigned-hostname.unassigned-domain/* in ucs-test for UCS 3.2-4 and UCS 4.0-0.
(In reply to Sönke Schwardt-Krummrich from comment #7)
> Please skip /etc/univention/ssl/unassigned-hostname.unassigned-domain/* in
> ucs-test for UCS 3.2-4 and UCS 4.0-0.
Done.
Please disable this test until bug 36904 is fixed.
(In reply to Sönke Schwardt-Krummrich from comment #9)
> Please disable this test until bug 36904 is fixed.
Done.
Jenkins regression: 01_base.101_permissions_after_renew_ssl_certificate @ DC Slave
> 'openssl x509 -in /etc/univention/ssl/ucsCA/CAcert.pem -out /etc/univention/ssl/ucsCA/NewCAcert.pem -days 1000 -passin file://etc/univention/ssl/password -signkey /etc/univention/ssl/ucsCA/private/CAkey.pem'
> Can't open file //etc/univention/ssl/password
Only the DC Master and DC Backup have a complete /etc/univention/ssl/; all other system roles only have their own and the CA's certificate. Accessing the "password" file there will never work.
(In reply to Philipp Hahn from comment #11)
> Jenkins regression: 01_base.101_permissions_after_renew_ssl_certificate @ DC
> Slave
>
> 'openssl x509 -in /etc/univention/ssl/ucsCA/CAcert.pem -out /etc/univention/ssl/ucsCA/NewCAcert.pem -days 1000 -passin file://etc/univention/ssl/password -signkey /etc/univention/ssl/ucsCA/private/CAkey.pem'
>
> Can't open file //etc/univention/ssl/password
>
> Only the DC Master and DC Backup have a complete /etc/univention/ssl/; all
> other system roles only have their and the CAs certificate. Accessing the
> "password" file there will never work.
The mentioned test script is restricted to run on domaincontroller_master only, and a new script "101_initial_ssl_certificate_permissions" is written for newly opened bug #37520 to cover checking the initial permissions on all roles.
No separate QA is needed for this bug.