Bug 32988 - univention-certificate - too restrictive permissions for ssl-sync
Status: RESOLVED DUPLICATE of bug 31941
Product: UCS
Classification: Unclassified
Component: SSL
Version: UCS 3.1
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 3.2-x
Assigned To: Bugzilla Mailingliste
Reported: 2013-10-28 12:43 CET by Michael Grandjean
Modified: 2014-01-17 08:02 CET

Description Michael Grandjean univentionstaff 2013-10-28 12:43:02 CET
univention-usercert creates files with the following permissions (600):

-rw------- 1 root DC Backup Hosts 4583 28. Okt 12:18 cert.pem
-rw------- 1 root DC Backup Hosts 3264 28. Okt 12:18 openssl.cnf
-rw------- 1 root DC Backup Hosts  887 28. Okt 12:18 private.key
-rw------- 1 root DC Backup Hosts  826 28. Okt 12:18 req.pem

This is too restrictive for the cronjob "univention-ssl" that copies /etc/univention/ssl/ from DC Master to DC Backup(s):

rsync: send_files failed to open "/etc/univention/ssl/TestCert/cert.pem": Permission denied (13)
rsync: send_files failed to open "/etc/univention/ssl/TestCert/openssl.cnf": Permission denied (13)
rsync: send_files failed to open "/etc/univention/ssl/TestCert/private.key": Permission denied (13)
rsync: send_files failed to open "/etc/univention/ssl/TestCert/req.pem": Permission denied (13)

The group "DC Backup Hosts" needs at least read permission to the files.

In a customer scenario I have also seen root:root and root:Domain Admins as owner:group.
Comment 1 Michael Grandjean univentionstaff 2013-10-28 14:03:25 CET
(In reply to Michael Grandjean from comment #0)
> univention-usercert creates files with the following permissions (600):

I mean univention-certificate, not -usercert. My bad.
Comment 2 Stefan Gohmann univentionstaff 2014-01-17 08:02:08 CET
Should be fixed with Bug #31941.

*** This bug has been marked as a duplicate of bug 31941 ***
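
A check for the condition reported above, as an added example that is not part of the bug report or of univention-certificate: it lists files under the certificate directory that the sync group cannot read, covering both the 0600 case and the differing owner:group case from the description. The function name, the finding labels and the world-readable key check are assumptions of this example.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of univention-certificate).
# Usage: audit_ssl_sync_perms DIR GROUP
#   e.g. audit_ssl_sync_perms /etc/univention/ssl "DC Backup Hosts"
# Prints one "REASON<TAB>PATH" line per finding and returns 1 if any exist.
# The REASON labels are constructed for this example.
audit_ssl_sync_perms() {
    audit_dir=$1
    audit_group=$2   # group name, or numeric GID

    audit_findings=$(
        # Group differs from the sync group: a non-owner member of GROUP
        # falls back to the "other" permission bits.
        find "$audit_dir" -type f ! -group "$audit_group" \
            -exec printf 'wrong-group\t%s\n' {} \;
        # Right group but no group read bit (the 0600 case from the report).
        find "$audit_dir" -type f -group "$audit_group" ! -perm -040 \
            -exec printf 'no-group-read\t%s\n' {} \;
        # Added caveat: loosening modes must not leave a key world-readable.
        find "$audit_dir" -type f -name '*.key' -perm -004 \
            -exec printf 'key-world-readable\t%s\n' {} \;
    )

    if [ -z "$audit_findings" ]; then
        return 0
    fi
    printf '%s\n' "$audit_findings"
    return 1
}
```

Mode 0640 with the sync group as group owner clears a `no-group-read` finding while keeping `private.key` unreadable to other accounts.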