Univention Bugzilla – Full Text Bug Listing
Summary: | Wrong permissions after renewing complete certificate chain | | |
---|---|---|---|
Product: | UCS Test | Reporter: | Janek Walkenhorst <walkenhorst> |
Component: | SSL | Assignee: | Ammar Najjar <najjar> |
Status: | CLOSED FIXED | QA Contact: | |
Severity: | normal | | |
Priority: | P5 | CC: | gohmann, grandjean, hahn, markus.daehlmann, schwardt |
Version: | unspecified | | |
Target Milestone: | --- | | |
Hardware: | Other | | |
OS: | Linux | | |
What kind of report is it?: | Development Internal | What type of bug is this?: | --- |
Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
User Pain: | | Enterprise Customer affected?: | |
School Customer affected?: | | ISV affected?: | |
Waiting Support: | | Flags outvoted (downgraded) after PO Review: | |
Ticket number: | | Bug group (optional): | |
Max CVSS v3 score: | | | |
Bug Depends on: | 31941, 34082, 36557, 36904 | | |
Bug Blocks: | 34080 | | |
Attachments: | permission dicts for /etc/univention/ssl directory | | |
Description
Janek Walkenhorst
2014-02-07 17:10:13 CET
See also Bug #34082

Please check if a test case is possible.

Created attachment 6303: permission dicts for /etc/univention/ssl directory

A test case is possible to produce, but to check whether the permissions are correct, it is still necessary to set a rule for each directory/file in the directory tree of /etc/univention/ssl. A new script is added to 00_base with the name "101_permissions_after_renew_certificate_chain" with the basic steps needed to test this case. In the attached file "permission.dicts" I put two cases where the script is run and produced a dictionary containing all files and their permissions in the format declared at the top of the attachment. Please review and advise.

A new script is created with the name "101_permissions_after_renew_ssl_certificate" to check the read permissions for all files under "/etc/univention/ssl" before and after SSL certificate renewal, including:

1. DC Backup Hosts should be able to read all files.
2. Every host should be able to read its own certificate files.
3. All users should be able to read only "/etc/univention/ssl/ucsCA/CAcert.pem", serial and index files.

This script fails if any of the above is not met, see Bug #36557.

New tests added to include checking the write permissions for:

1. Group "DC Backup Hosts" should not have write access to any file. (This fails due to Bug #34082, and the lines in the script are commented out until that bug is closed.)
2. Others should not have write access to any file.

Please skip /etc/univention/ssl/unassigned-hostname.unassigned-domain/* in ucs-test for UCS 3.2-4 and UCS 4.0-0.

(In reply to Sönke Schwardt-Krummrich from comment #7)
> Please skip /etc/univention/ssl/unassigned-hostname.unassigned-domain/* in
> ucs-test for UCS 3.2-4 and UCS 4.0-0.

Done.

Please disable this test until bug 36904 is fixed.

(In reply to Sönke Schwardt-Krummrich from comment #9)
> Please disable this test until bug 36904 is fixed.

Done.

Jenkins regression: 01_base.101_permissions_after_renew_ssl_certificate @ DC Slave

> 'openssl x509 -in /etc/univention/ssl/ucsCA/CAcert.pem -out /etc/univention/ssl/ucsCA/NewCAcert.pem -days 1000 -passin file://etc/univention/ssl/password -signkey /etc/univention/ssl/ucsCA/private/CAkey.pem'
> Can't open file //etc/univention/ssl/password

Only the DC Master and DC Backup have a complete /etc/univention/ssl/; all other system roles only have their own and the CA's certificate. Accessing the "password" file there will never work.

(In reply to Philipp Hahn from comment #11)
> Jenkins regression: 01_base.101_permissions_after_renew_ssl_certificate @ DC
> Slave
>
> 'openssl x509 -in /etc/univention/ssl/ucsCA/CAcert.pem -out /etc/univention/ssl/ucsCA/NewCAcert.pem -days 1000 -passin file://etc/univention/ssl/password -signkey /etc/univention/ssl/ucsCA/private/CAkey.pem'
>
> Can't open file //etc/univention/ssl/password
>
> Only the DC Master and DC Backup have a complete /etc/univention/ssl/; all
> other system roles only have their own and the CA's certificate. Accessing the
> "password" file there will never work.

The mentioned test script is restricted to run on domaincontroller_master only, and a new script "101_initial_ssl_certificate_permissions" is written for the newly opened bug #37520 to cover checking the initial permissions on all roles. No separate QA is needed for this bug.
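The rule set the comments above describe (the "DC Backup Hosts" group reads every file but writes none; everyone else reads only CAcert.pem, serial and index files and writes nothing) as an added Python checker over a permission dict; this is illustrative code, not the ucs-test script from the bug. The dict layout, the `collect()` helper, the group name as seen by `getent`, and treating "index files" as anything starting with `index` are assumptions; the per-host rule (each host reads its own certificate files) is left out because it needs the host's identity.

```python
import grp
import os
import pwd
import stat

BACKUP_GROUP = "DC Backup Hosts"  # assumption: file group name as the checker sees it


def world_readable_allowed(name):
    # Assumption: "serial and index files" covers serial, serial.old, index.txt, index.txt.attr, ...
    return name == "CAcert.pem" or name.startswith("serial") or name.startswith("index")


def check_permissions(perms):
    """perms maps path -> (mode, owner, group); returns a list of rule violations."""
    problems = []
    for path, (mode, owner, group) in sorted(perms.items()):
        name = path.rsplit("/", 1)[-1]
        # Rule 1: members of "DC Backup Hosts" must be able to read every file.
        backup_can_read = (group == BACKUP_GROUP and mode & stat.S_IRGRP) or mode & stat.S_IROTH
        if not backup_can_read:
            problems.append(f"{path}: not readable by {BACKUP_GROUP}")
        # Rule 2: everybody else may read only CAcert.pem, serial and index files.
        if mode & stat.S_IROTH and not world_readable_allowed(name):
            problems.append(f"{path}: world-readable")
        # Rule 3: "DC Backup Hosts" must not have write access (the Bug #34082 case).
        if group == BACKUP_GROUP and mode & stat.S_IWGRP:
            problems.append(f"{path}: writable by {BACKUP_GROUP}")
        # Rule 4: others must not have write access.
        if mode & stat.S_IWOTH:
            problems.append(f"{path}: world-writable")
    return problems


def collect(root):
    """Build the permission dict from a live tree (hypothetical helper; run as root on a DC Master)."""
    perms = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            perms[path] = (stat.S_IMODE(st.st_mode),
                           pwd.getpwuid(st.st_uid).pw_name,
                           grp.getgrgid(st.st_gid).gr_name)
    return perms


# Constructed sample, not the attachment from the bug: two compliant files,
# a world-readable password file, and a CA key writable by the backup group.
SAMPLE = {
    "/etc/univention/ssl/ucsCA/CAcert.pem": (0o644, "root", BACKUP_GROUP),
    "/etc/univention/ssl/ucsCA/serial": (0o640, "root", BACKUP_GROUP),
    "/etc/univention/ssl/ucsCA/private/CAkey.pem": (0o660, "root", BACKUP_GROUP),
    "/etc/univention/ssl/password": (0o644, "root", "root"),
}
```

Running `check_permissions(SAMPLE)` reports the CA key as writable by the backup group and the password file as world-readable; `check_permissions(collect("/etc/univention/ssl"))` applies the same rules to a real tree.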