Bug 34081

Summary: Wrong permissions after renewing complete certificate chain
Product: UCS Test
Reporter: Janek Walkenhorst <walkenhorst>
Component: SSL
Assignee: Ammar Najjar <najjar>
Status: CLOSED FIXED
Severity: normal
Priority: P5
CC: gohmann, grandjean, hahn, markus.daehlmann, schwardt
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Linux
What kind of report is it?: Development Internal
Bug Depends on: 31941, 34082, 36557, 36904
Bug Blocks: 34080
Attachments: permission dicts for /etc/univention/ssl directory

Description Janek Walkenhorst univentionstaff 2014-02-07 17:10:13 CET
The permissions for /etc/univention/ssl and subfiles should be checked before and after a certificate chain renewal.

+++ This bug was initially created as a clone of Bug #31941 +++
Comment 1 Janek Walkenhorst univentionstaff 2014-02-07 17:16:12 CET
See also Bug #34082
Comment 2 Stefan Gohmann univentionstaff 2014-10-22 11:32:14 CEST
Please check if a test case is possible.
Comment 3 Ammar Najjar univentionstaff 2014-11-05 11:30:44 CET
Created attachment 6303
permission dicts for /etc/univention/ssl directory
Comment 4 Ammar Najjar univentionstaff 2014-11-05 11:31:18 CET
A test case can be produced, but to check whether the permissions are correct, a rule still needs to be set for each directory/file in the directory tree of /etc/univention/ssl.
A new script is added to 00_base with the name "101_permissions_after_renew_certificate_chain" with the basic steps needed to test this case.
In the attached file "permission.dicts" I put two cases where the script was run and produced a dictionary containing all files and their permissions in the format declared at the top of the attachment. Please review and advise.
Comment 5 Ammar Najjar univentionstaff 2014-11-11 10:25:17 CET
A new script is created with the name "101_permissions_after_renew_ssl_certificate" to check the read permissions for all files under "/etc/univention/ssl" before and after SSL certificate renewal.
Including:
1- DC Backup Hosts should be able to read all files.
2- Every host should be able to read its own certificate files.
3- All users should be able to read only "/etc/univention/ssl/ucsCA/CAcert.pem", serial and index files.

This script fails if any of the above is not met, see Bug #36557
Comment 6 Ammar Najjar univentionstaff 2014-11-12 12:21:11 CET
New tests added to include checking the write permissions for:

1- Group "DC Backup Hosts" should not have write access to any file.
(this fails due to Bug #34082, and the lines in the script are commented out until that bug is closed)
2- Others should not have write access to any file.
Comment 7 Sönke Schwardt-Krummrich univentionstaff 2014-11-20 11:59:21 CET
Please skip /etc/univention/ssl/unassigned-hostname.unassigned-domain/* in ucs-test for UCS 3.2-4 and UCS 4.0-0.
Comment 8 Ammar Najjar univentionstaff 2014-11-20 12:39:48 CET
(In reply to Sönke Schwardt-Krummrich from comment #7)
> Please skip /etc/univention/ssl/unassigned-hostname.unassigned-domain/* in
> ucs-test for UCS 3.2-4 and UCS 4.0-0.

Done.
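As an added example (not the ucs-test script described in these comments), the read rules from comment 5, the write rules from comment 6 and the skip requested in comment 7 expressed as a checker over a path -> (owner, group, mode) map. The file name index.txt, the assumption that a host's certificate files are owned by the host's own account, and the sample tree are constructed; scan_tree() builds the same map from a live filesystem.

```python
import os
import stat

SSL_ROOT = "/etc/univention/ssl"
BACKUP_GROUP = "DC Backup Hosts"
# The only files every user may read (rule 3); "index.txt" is an assumed name for the "index" file.
WORLD_READABLE = {"ucsCA/CAcert.pem", "ucsCA/serial", "ucsCA/index.txt"}
SKIP_DIR = "unassigned-hostname.unassigned-domain"  # skipped as requested in comment 7

def check_permissions(tree):
    """tree maps absolute path -> (owner, group, mode); returns [(rel_path, problem)]."""
    problems = []
    for path, (owner, group, mode) in sorted(tree.items()):
        rel = os.path.relpath(path, SSL_ROOT)
        if rel.split("/")[0] == SKIP_DIR:
            continue
        if not ((group == BACKUP_GROUP and mode & stat.S_IRGRP) or mode & stat.S_IROTH):
            problems.append((rel, "not readable by DC Backup Hosts"))  # rule 1
        # Rule 2: files in <fqdn>/ are the host's own; assumed here that the owner is the host's account
        if "/" in rel and not rel.startswith("ucsCA/") and not mode & stat.S_IRUSR:
            problems.append((rel, "not readable by owning host %s" % owner))
        if (rel in WORLD_READABLE) != bool(mode & stat.S_IROTH):
            problems.append((rel, "world-readable bit wrong"))  # rule 3, in both directions
        # Comment 6: neither the backup group nor others may write
        if group == BACKUP_GROUP and mode & stat.S_IWGRP:
            problems.append((rel, "DC Backup Hosts has write access"))
        if mode & stat.S_IWOTH:
            problems.append((rel, "others have write access"))
    return problems

def scan_tree(root=SSL_ROOT):
    """Build the tree dict from a live filesystem (uses pwd/grp, so Unix only)."""
    import grp, pwd
    tree = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            tree[full] = (pwd.getpwuid(st.st_uid).pw_name,
                          grp.getgrgid(st.st_gid).gr_name, stat.S_IMODE(st.st_mode))
    return tree

# Constructed sample modelled on the layout discussed in this bug, with two deliberate violations
SAMPLE_TREE = {
    SSL_ROOT + "/ucsCA/CAcert.pem": ("root", BACKUP_GROUP, 0o644),
    SSL_ROOT + "/master.example.com/cert.pem": ("root", BACKUP_GROUP, 0o660),   # group write
    SSL_ROOT + "/slave.example.com/private.key": ("root", BACKUP_GROUP, 0o644),  # world read
    SSL_ROOT + "/" + SKIP_DIR + "/cert.pem": ("root", "root", 0o666),            # ignored
}
```

Running check_permissions(scan_tree()) on a DC Master reports the same kind of findings for the real directory; on other roles only the host's own and the CA certificate exist, as comment 11 below notes.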
Comment 9 Sönke Schwardt-Krummrich univentionstaff 2014-12-08 09:21:15 CET
Please disable this test until bug 36904 is fixed.
Comment 10 Ammar Najjar univentionstaff 2014-12-08 09:52:53 CET
(In reply to Sönke Schwardt-Krummrich from comment #9)
> Please disable this test until bug 36904 is fixed.

Done.
Comment 11 Philipp Hahn univentionstaff 2015-01-09 13:13:52 CET
Jenkins regression: 01_base.101_permissions_after_renew_ssl_certificate @ DC Slave
> 'openssl x509 -in /etc/univention/ssl/ucsCA/CAcert.pem -out /etc/univention/ssl/ucsCA/NewCAcert.pem -days 1000 -passin file://etc/univention/ssl/password -signkey /etc/univention/ssl/ucsCA/private/CAkey.pem'
> Can't open file //etc/univention/ssl/password

Only the DC Master and DC Backup have a complete /etc/univention/ssl/; all other system roles only have their own and the CA's certificate. Accessing the "password" file there will never work.
Comment 12 Ammar Najjar univentionstaff 2015-01-12 12:40:20 CET
(In reply to Philipp Hahn from comment #11)
> Jenkins regression: 01_base.101_permissions_after_renew_ssl_certificate @ DC
> Slave
> > 'openssl x509 -in /etc/univention/ssl/ucsCA/CAcert.pem -out /etc/univention/ssl/ucsCA/NewCAcert.pem -days 1000 -passin file://etc/univention/ssl/password -signkey /etc/univention/ssl/ucsCA/private/CAkey.pem'
> > Can't open file //etc/univention/ssl/password
> 
> Only the DC Master and DC Backup have a complete /etc/univention/ssl/; all
> other system roles only have their own and the CA's certificate. Accessing the
> "password" file there will never work.

The mentioned test script is restricted to run on domaincontroller_master only, and a new script "101_initial_ssl_certificate_permissions" has been written for the newly opened Bug #37520 to cover checking the initial permissions on all roles.
Comment 13 Stefan Gohmann univentionstaff 2016-10-12 07:48:21 CEST
No separate QA is needed for this bug.