First Last Prev Next    This bug is not in your last search results.
Bug 50807 - wrong permissions under /etc/univention/ssl/ucsCA/
wrong permissions under /etc/univention/ssl/ucsCA/
Status: NEW
Product: UCS
Classification: Unclassified
Component: SSL
UCS 4.4
All All
: P3 normal (vote)
: ---
Assigned To: UCS maintainers
UCS maintainers
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2020-02-10 17:29 CET by Rob Kruit
Modified: 2024-02-26 09:18 CET (History)
5 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.057
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): bitesize
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Rob Kruit 2020-02-10 17:29:09 CET 
Creating a computer account under devices -> computers results in wrong permissions under /etc/univention/ssl/ causing them not to sync to backup DC's.

Ownership is changed to root:root and -rw-r-----

The system diagnostics tool doesn't show any errors regarding file permissions but will eventually start showing errors about missing certificates on the backup dc's


Logging in /var/log/univention/ssl-sync.log shows:

rsync: send_files failed to open "/etc/univention/ssl/ucsCA/index.txt": Permission denied (13)
rsync: send_files failed to open "/etc/univention/ssl/ucsCA/index.txt.attr": Permission denied (13)
rsync: send_files failed to open "/etc/univention/ssl/ucsCA/index.txt.attr.old": Permission denied (13)
rsync: send_files failed to open "/etc/univention/ssl/ucsCA/index.txt.old": Permission denied (13)
rsync: send_files failed to open "/etc/univention/ssl/ucsCA/serial": Permission denied (13)
rsync: send_files failed to open "/etc/univention/ssl/ucsCA/serial.old": Permission denied (13)
rsync: send_files failed to open "/etc/univention/ssl/ucsCA/certs/06.pem": Permission denied (13)
rsync: send_files failed to open "/etc/univention/ssl/ucsCA/certs/07.pem": Permission denied (13)
rsync: send_files failed to open "/etc/univention/ssl/ucsCA/certs/08.pem": Permission denied (13)
rsync: send_files failed to open "/etc/univention/ssl/ucsCA/certs/09.pem": Permission denied (13)
rsync: send_files failed to open "/etc/univention/ssl/ucsCA/certs/0B.pem": Permission denied (13)
rsync: send_files failed to open "/etc/univention/ssl/ucsCA/certs/0C.pem": Permission denied (13)
rsync: send_files failed to open "/etc/univention/ssl/ucsCA/certs/0D.pem": Permission denied (13)
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1668) [generator=3.1.2]
Could not chdir to home directory /dev/null: Not a directory

Manually changing the permissions to the correct values will resolve this issue. However, creating a now computer account will reintroduce this issue.
Comment 1 Ingo Steuwer univentionstaff 2020-02-13 15:37:35 CET 
I can't fully reproduce this. In my environment (UCS 4.4-3 Errata 443) I see the following:

- the access rights for these files (0*.pem) are readable for the DC Backup group, so the sync to a DC Backup works
- the group is not set to "DC Backup Hosts", this should be improved
- the access rights aren't touched if hosts are created in LDAP


I assume that there is "something additional" on the system where this Bug as occured.

btw: I remove all the flags, those are meant to be set by a Univention employee.
Comment 2 Philipp Hahn univentionstaff 2022-06-07 13:32:36 CEST 
Easy to reproduce as you have to run `univention-certificate` as user `root`:

# find /etc/univention/ssl -not -group "DC Backup Hosts" -ls
  1050772      4 -rw-r--r--   1 root     root          260 Mai 21 10:42 /etc/univention/ssl/ucsCA/index.txt
  1050720      4 -rw-r--r--   1 root     DC Slave Hosts     2049 Mai 21 10:39 /etc/univention/ssl/ucsCA/CAcert.pem
  1050773      4 -rw-r--r--   1 root     root                 20 Mai 21 10:42 /etc/univention/ssl/ucsCA/index.txt.attr
  1050716      0 lrwxrwxrwx   1 root     root                  6 Mai 21 10:42 /etc/univention/ssl/ucsCA/certs/caae961c.0 -> 02.pem
  1050775      8 -rw-r--r--   1 root     root               5463 Mai 21 10:42 /etc/univention/ssl/ucsCA/certs/02.pem
  1050771      4 -rw-r--r--   1 root     root                  3 Mai 21 10:42 /etc/univention/ssl/ucsCA/serial
# find /etc/univention/ssl -not -group "DC Backup Hosts" -exec chgrp -v -h "DC Backup Hosts" {} +
# univention-certificate new -name foo.$(dnsdomainname). -days 1
# find /etc/univention/ssl -not -group "DC Backup Hosts" -ls
  1050703      4 -rw-r--r--   1 root     root          389 Jun  7 13:26 /etc/univention/ssl/ucsCA/index.txt
  1050704      4 -rw-r--r--   1 root     root           20 Jun  7 13:26 /etc/univention/ssl/ucsCA/index.txt.attr
  1050730      0 lrwxrwxrwx   1 root     root            6 Jun  7 13:26 /etc/univention/ssl/ucsCA/certs/615b3e80.0 -> 03.pem
  1050745      8 -rw-r--r--   1 root     root         5441 Jun  7 13:26 /etc/univention/ssl/ucsCA/certs/03.pem
  1050701      4 -rw-r--r--   1 root     root            3 Jun  7 13:26 /etc/univention/ssl/ucsCA/serial

All files should belong to group `DC Backup Hosts` for `/usr/share/univention-ssl/ssl-sync` to work correctly on Backups.

FYI: <https://help.univention.com/t/renewing-the-complete-ssl-certificate-chain/36> is wrong as it gives some files to "DC Slave Hosts".
Comment 3 Christina Scheinig univentionstaff 2024-02-26 09:18:52 CET 
(In reply to Philipp Hahn from comment #2)
> Easy to reproduce as you have to run `univention-certificate` as user `root`:
> 
> # find /etc/univention/ssl -not -group "DC Backup Hosts" -ls
>   1050772      4 -rw-r--r--   1 root     root          260 Mai 21 10:42
> /etc/univention/ssl/ucsCA/index.txt
>   1050720      4 -rw-r--r--   1 root     DC Slave Hosts     2049 Mai 21
> 10:39 /etc/univention/ssl/ucsCA/CAcert.pem
>   1050773      4 -rw-r--r--   1 root     root                 20 Mai 21
> 10:42 /etc/univention/ssl/ucsCA/index.txt.attr
>   1050716      0 lrwxrwxrwx   1 root     root                  6 Mai 21
> 10:42 /etc/univention/ssl/ucsCA/certs/caae961c.0 -> 02.pem
>   1050775      8 -rw-r--r--   1 root     root               5463 Mai 21
> 10:42 /etc/univention/ssl/ucsCA/certs/02.pem
>   1050771      4 -rw-r--r--   1 root     root                  3 Mai 21
> 10:42 /etc/univention/ssl/ucsCA/serial
> # find /etc/univention/ssl -not -group "DC Backup Hosts" -exec chgrp -v -h
> "DC Backup Hosts" {} +
> # univention-certificate new -name foo.$(dnsdomainname). -days 1
> # find /etc/univention/ssl -not -group "DC Backup Hosts" -ls
>   1050703      4 -rw-r--r--   1 root     root          389 Jun  7 13:26
> /etc/univention/ssl/ucsCA/index.txt
>   1050704      4 -rw-r--r--   1 root     root           20 Jun  7 13:26
> /etc/univention/ssl/ucsCA/index.txt.attr
>   1050730      0 lrwxrwxrwx   1 root     root            6 Jun  7 13:26
> /etc/univention/ssl/ucsCA/certs/615b3e80.0 -> 03.pem
>   1050745      8 -rw-r--r--   1 root     root         5441 Jun  7 13:26
> /etc/univention/ssl/ucsCA/certs/03.pem
>   1050701      4 -rw-r--r--   1 root     root            3 Jun  7 13:26
> /etc/univention/ssl/ucsCA/serial
> 
> All files should belong to group `DC Backup Hosts` for
> `/usr/share/univention-ssl/ssl-sync` to work correctly on Backups.
> 
> FYI:
> <https://help.univention.com/t/renewing-the-complete-ssl-certificate-chain/
> 36> is wrong as it gives some files to "DC Slave Hosts".

Came across this remark by coincidence, so I changed it in the articles to 'DC Backup Hosts'.
This can be done by any staff member ;-)
First Last Prev Next    This bug is not in your last search results.