Univention Bugzilla – Bug 50807
wrong permissions under /etc/univention/ssl/ucsCA/
Last modified: 2024-02-26 09:18:52 CET
Creating a computer account under devices -> computers results in wrong permissions under /etc/univention/ssl/ causing them not to sync to backup DC's. Ownership is changed to root:root and -rw-r----- The system diagnostics tool doesn't show any errors regarding file permissions but will eventually start showing errors about missing certificates on the backup dc's Logging in /var/log/univention/ssl-sync.log shows: rsync: send_files failed to open "/etc/univention/ssl/ucsCA/index.txt": Permission denied (13) rsync: send_files failed to open "/etc/univention/ssl/ucsCA/index.txt.attr": Permission denied (13) rsync: send_files failed to open "/etc/univention/ssl/ucsCA/index.txt.attr.old": Permission denied (13) rsync: send_files failed to open "/etc/univention/ssl/ucsCA/index.txt.old": Permission denied (13) rsync: send_files failed to open "/etc/univention/ssl/ucsCA/serial": Permission denied (13) rsync: send_files failed to open "/etc/univention/ssl/ucsCA/serial.old": Permission denied (13) rsync: send_files failed to open "/etc/univention/ssl/ucsCA/certs/06.pem": Permission denied (13) rsync: send_files failed to open "/etc/univention/ssl/ucsCA/certs/07.pem": Permission denied (13) rsync: send_files failed to open "/etc/univention/ssl/ucsCA/certs/08.pem": Permission denied (13) rsync: send_files failed to open "/etc/univention/ssl/ucsCA/certs/09.pem": Permission denied (13) rsync: send_files failed to open "/etc/univention/ssl/ucsCA/certs/0B.pem": Permission denied (13) rsync: send_files failed to open "/etc/univention/ssl/ucsCA/certs/0C.pem": Permission denied (13) rsync: send_files failed to open "/etc/univention/ssl/ucsCA/certs/0D.pem": Permission denied (13) rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1668) [generator=3.1.2] Could not chdir to home directory /dev/null: Not a directory Manually changing the permissions to the correct values will resolve this issue. However, creating a now computer account will reintroduce this issue.
I can't fully reproduce this. In my environment (UCS 4.4-3 Errata 443) I see the following: - the access rights for these files (0*.pem) are readable for the DC Backup group, so the sync to a DC Backup works - the group is not set to "DC Backup Hosts", this should be improved - the access rights aren't touched if hosts are created in LDAP I assume that there is "something additional" on the system where this Bug as occured. btw: I remove all the flags, those are meant to be set by a Univention employee.
Easy to reproduce as you have to run `univention-certificate` as user `root`: # find /etc/univention/ssl -not -group "DC Backup Hosts" -ls 1050772 4 -rw-r--r-- 1 root root 260 Mai 21 10:42 /etc/univention/ssl/ucsCA/index.txt 1050720 4 -rw-r--r-- 1 root DC Slave Hosts 2049 Mai 21 10:39 /etc/univention/ssl/ucsCA/CAcert.pem 1050773 4 -rw-r--r-- 1 root root 20 Mai 21 10:42 /etc/univention/ssl/ucsCA/index.txt.attr 1050716 0 lrwxrwxrwx 1 root root 6 Mai 21 10:42 /etc/univention/ssl/ucsCA/certs/caae961c.0 -> 02.pem 1050775 8 -rw-r--r-- 1 root root 5463 Mai 21 10:42 /etc/univention/ssl/ucsCA/certs/02.pem 1050771 4 -rw-r--r-- 1 root root 3 Mai 21 10:42 /etc/univention/ssl/ucsCA/serial # find /etc/univention/ssl -not -group "DC Backup Hosts" -exec chgrp -v -h "DC Backup Hosts" {} + # univention-certificate new -name foo.$(dnsdomainname). -days 1 # find /etc/univention/ssl -not -group "DC Backup Hosts" -ls 1050703 4 -rw-r--r-- 1 root root 389 Jun 7 13:26 /etc/univention/ssl/ucsCA/index.txt 1050704 4 -rw-r--r-- 1 root root 20 Jun 7 13:26 /etc/univention/ssl/ucsCA/index.txt.attr 1050730 0 lrwxrwxrwx 1 root root 6 Jun 7 13:26 /etc/univention/ssl/ucsCA/certs/615b3e80.0 -> 03.pem 1050745 8 -rw-r--r-- 1 root root 5441 Jun 7 13:26 /etc/univention/ssl/ucsCA/certs/03.pem 1050701 4 -rw-r--r-- 1 root root 3 Jun 7 13:26 /etc/univention/ssl/ucsCA/serial All files should belong to group `DC Backup Hosts` for `/usr/share/univention-ssl/ssl-sync` to work correctly on Backups. FYI: <https://help.univention.com/t/renewing-the-complete-ssl-certificate-chain/36> is wrong as it gives some files to "DC Slave Hosts".
(In reply to Philipp Hahn from comment #2) > Easy to reproduce as you have to run `univention-certificate` as user `root`: > > # find /etc/univention/ssl -not -group "DC Backup Hosts" -ls > 1050772 4 -rw-r--r-- 1 root root 260 Mai 21 10:42 > /etc/univention/ssl/ucsCA/index.txt > 1050720 4 -rw-r--r-- 1 root DC Slave Hosts 2049 Mai 21 > 10:39 /etc/univention/ssl/ucsCA/CAcert.pem > 1050773 4 -rw-r--r-- 1 root root 20 Mai 21 > 10:42 /etc/univention/ssl/ucsCA/index.txt.attr > 1050716 0 lrwxrwxrwx 1 root root 6 Mai 21 > 10:42 /etc/univention/ssl/ucsCA/certs/caae961c.0 -> 02.pem > 1050775 8 -rw-r--r-- 1 root root 5463 Mai 21 > 10:42 /etc/univention/ssl/ucsCA/certs/02.pem > 1050771 4 -rw-r--r-- 1 root root 3 Mai 21 > 10:42 /etc/univention/ssl/ucsCA/serial > # find /etc/univention/ssl -not -group "DC Backup Hosts" -exec chgrp -v -h > "DC Backup Hosts" {} + > # univention-certificate new -name foo.$(dnsdomainname). -days 1 > # find /etc/univention/ssl -not -group "DC Backup Hosts" -ls > 1050703 4 -rw-r--r-- 1 root root 389 Jun 7 13:26 > /etc/univention/ssl/ucsCA/index.txt > 1050704 4 -rw-r--r-- 1 root root 20 Jun 7 13:26 > /etc/univention/ssl/ucsCA/index.txt.attr > 1050730 0 lrwxrwxrwx 1 root root 6 Jun 7 13:26 > /etc/univention/ssl/ucsCA/certs/615b3e80.0 -> 03.pem > 1050745 8 -rw-r--r-- 1 root root 5441 Jun 7 13:26 > /etc/univention/ssl/ucsCA/certs/03.pem > 1050701 4 -rw-r--r-- 1 root root 3 Jun 7 13:26 > /etc/univention/ssl/ucsCA/serial > > All files should belong to group `DC Backup Hosts` for > `/usr/share/univention-ssl/ssl-sync` to work correctly on Backups. > > FYI: > <https://help.univention.com/t/renewing-the-complete-ssl-certificate-chain/ > 36> is wrong as it gives some files to "DC Slave Hosts". Came across this remark by coincidence, so I changed it in the articles to 'DC Backup Hosts'. This can be done by any staff member ;-)