Univention Bugzilla – Bug 32988
univention-certificate - too restrictive permissions for ssl-sync
Last modified: 2014-01-17 08:02:08 CET
univention-usercert creates files with the following permissions (600):

-rw------- 1 root DC Backup Hosts 4583 28. Okt 12:18 cert.pem
-rw------- 1 root DC Backup Hosts 3264 28. Okt 12:18 openssl.cnf
-rw------- 1 root DC Backup Hosts 887 28. Okt 12:18 private.key
-rw------- 1 root DC Backup Hosts 826 28. Okt 12:18 req.pem

This is too restrictive for the cronjob "univention-ssl" that copies /etc/univention/ssl/ from DC Master to DC Backup(s):

rsync: send_files failed to open "/etc/univention/ssl/TestCert/cert.pem": Permission denied (13)
rsync: send_files failed to open "/etc/univention/ssl/TestCert/openssl.cnf": Permission denied (13)
rsync: send_files failed to open "/etc/univention/ssl/TestCert/private.key": Permission denied (13)
rsync: send_files failed to open "/etc/univention/ssl/TestCert/req.pem": Permission denied (13)

The group "DC Backup Hosts" needs at least read permission to the files. In a customer scenario I have also seen root:root and root:Domain Admins as owner:group.
(In reply to Michael Grandjean from comment #0)
> univention-usercert creates files with the following permissions (600):

I mean univention-certificate, not -usercert. My bad.
Should be fixed with Bug #31941.

*** This bug has been marked as a duplicate of bug 31941 ***
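
The permission problem reported in comment #0, as an added check that is not part of the original bug report and is not Univention's code: it lists files under a certificate directory that lack the group-read bit or, optionally, belong to a different group than the one the sync runs as. The function name audit_ssl_sync_perms and the demo tree are made up for illustration; on a real system the arguments would be /etc/univention/ssl and "DC Backup Hosts" as named in the report.

```shell
#!/bin/sh
# audit_ssl_sync_perms DIR [GROUP]   (hypothetical helper name)
# Prints one line per finding and returns 1 if anything was found:
#   no-group-read PATH   file lacks the group-read bit (e.g. mode 600)
#   wrong-group PATH     file is not owned by GROUP (only if GROUP is given)
audit_ssl_sync_perms() {
    audit_dir=$1
    audit_group=${2:-}
    audit_findings=$(
        # Mode 600 has no 040 bit, so a member of the group gets
        # "Permission denied (13)" from rsync when opening the file.
        find "$audit_dir" -type f ! -perm -040 \
            -exec printf 'no-group-read %s\n' {} \;
        # The report also mentions root:root and root:Domain Admins;
        # group read does not help if the group itself is different.
        if [ -n "$audit_group" ]; then
            find "$audit_dir" -type f ! -group "$audit_group" \
                -exec printf 'wrong-group %s\n' {} \;
        fi
    )
    [ -z "$audit_findings" ] && return 0
    printf '%s\n' "$audit_findings"
    return 1
}

# Constructed demo tree (not real UCS data): one 600 file, one 640 file.
demo=$(mktemp -d)
mkdir "$demo/TestCert"
: > "$demo/TestCert/private.key"; chmod 600 "$demo/TestCert/private.key"
: > "$demo/TestCert/cert.pem";    chmod 640 "$demo/TestCert/cert.pem"
audit_ssl_sync_perms "$demo" || echo "files above are not readable by the group"
rm -rf "$demo"
```

Mode 640 gives the group the read access the sync needs without opening private.key to other users.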