Bug 34081 - Wrong permissions after renewing complete certificate chain
Status: CLOSED FIXED
Product: UCS Test
Classification: Unclassified
Component: SSL
Version: unspecified
Hardware: Other Linux
Importance: P5 normal
Target Milestone: ---
Assigned To: Ammar Najjar
Depends on: 31941 34082 36557 36904
Blocks: 34080
Reported: 2014-02-07 17:10 CET by Janek Walkenhorst
Modified: 2023-03-25 06:51 CET (History)

What kind of report is it?: Development Internal
Attachments
permission dicts for /etc/univention/ssl directory (103.68 KB, text/plain)
2014-11-05 11:30 CET, Ammar Najjar
Description Janek Walkenhorst univentionstaff 2014-02-07 17:10:13 CET
The permissions for /etc/univention/ssl and subfiles should be checked before and after a certificate chain renewal.

+++ This bug was initially created as a clone of Bug #31941 +++
Comment 1 Janek Walkenhorst univentionstaff 2014-02-07 17:16:12 CET
See also Bug #34082
Comment 2 Stefan Gohmann univentionstaff 2014-10-22 11:32:14 CEST
Please check if a test case is possible.
Comment 3 Ammar Najjar univentionstaff 2014-11-05 11:30:44 CET
Created attachment 6303 [details]
permission dicts for /etc/univention/ssl directory
Comment 4 Ammar Najjar univentionstaff 2014-11-05 11:31:18 CET
A test case can be produced, but to check whether the permissions are correct, a rule still needs to be set for each directory/file in the directory tree of /etc/univention/ssl.
A new script is added to 00_base with the name "101_permissions_after_renew_certificate_chain" with the basic steps needed to test this case.
In the attached file "permission.dicts" I put two cases where the script is run and produced a dictionary containing all files and their permissions in the format declared on the top of the attachment. Please review and advise.
Comment 5 Ammar Najjar univentionstaff 2014-11-11 10:25:17 CET
A new script is created with the name "101_permissions_after_renew_ssl_certificate" to check the read permissions for all files under "/etc/univention/ssl" before and after SSL certificate renewal.
Including:
 1- DC Backup Hosts should be able to read all files.
 2- Every host should be able to read its own certificate files.
 3- All users should be able to read only "/etc/univention/ssl/ucsCA/CAcert.pem", serial and index files.

This script fails if any of the above is not met, see Bug #36557
Comment 6 Ammar Najjar univentionstaff 2014-11-12 12:21:11 CET
New tests added to include checking the write permissions for:

1- Group "DC Backup Hosts" should not have write access to any file.
(this fails due to Bug #34082; the lines in the script are commented out until that bug is closed)
2- Others should not have write access to any file.
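An added illustration of the read and write rules listed in comments 5 and 6 (example code, not the ucs-test script itself). It assumes the group is named "DC Backup Hosts" and that the three world-readable files are ucsCA/CAcert.pem, ucsCA/serial and ucsCA/index.txt; rule 2 (each host reading its own certificate) is left out because it needs per-host identity. snapshot() reads a live tree, while the sample at the bottom is constructed so the checks run offline.

```python
import grp
import os
import stat

BACKUP_GROUP = "DC Backup Hosts"  # assumed: the group named in the bug comments
# Assumed relative paths of the three files everyone may read (comment 5, rule 3)
WORLD_READABLE = {"ucsCA/CAcert.pem", "ucsCA/serial", "ucsCA/index.txt"}
SKIP_PREFIX = "unassigned-hostname.unassigned-domain/"  # excluded as requested in comment 7


def snapshot(root="/etc/univention/ssl"):
    """Return (relative path, st_mode, group name) for every file below root."""
    entries = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            entries.append((os.path.relpath(full, root), st.st_mode, grp.getgrgid(st.st_gid).gr_name))
    return entries


def check_permissions(entries):
    """Return the list of rule violations in a snapshot; an empty list means all rules hold."""
    problems = []
    for rel, mode, group in entries:
        if rel.startswith(SKIP_PREFIX):
            continue
        # comment 5, rule 1: DC Backup Hosts must be able to read every file
        if group != BACKUP_GROUP or not mode & stat.S_IRGRP:
            problems.append(f"{rel}: not readable by group '{BACKUP_GROUP}'")
        # comment 5, rule 3: only CAcert.pem, serial and index may be world-readable
        if bool(mode & stat.S_IROTH) != (rel in WORLD_READABLE):
            problems.append(f"{rel}: world-readable bit must be {'set' if rel in WORLD_READABLE else 'clear'}")
        # comment 6: neither the group nor others may have write access
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{rel}: group/other write access")
    return problems


def changed_entries(before, after):
    """Files whose mode or group differ between two snapshots (e.g. before and after renewal)."""
    old = {rel: (mode, group) for rel, mode, group in before}
    return sorted(rel for rel, mode, group in after if rel in old and old[rel] != (mode, group))


# Constructed snapshot (not real system output) used to exercise the checks offline
SAMPLE_BEFORE = [
    ("ucsCA/CAcert.pem", stat.S_IFREG | 0o644, BACKUP_GROUP),
    ("ucsCA/serial", stat.S_IFREG | 0o644, BACKUP_GROUP),
    ("ucsCA/private/CAkey.pem", stat.S_IFREG | 0o640, BACKUP_GROUP),
    ("unassigned-hostname.unassigned-domain/cert.pem", stat.S_IFREG | 0o666, "root"),  # skipped
]
# Simulated renewal that left the CA private key world-readable
SAMPLE_AFTER = [(r, stat.S_IFREG | 0o644, g) if r.endswith("CAkey.pem") else (r, m, g) for r, m, g in SAMPLE_BEFORE]
```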
Comment 7 Sönke Schwardt-Krummrich univentionstaff 2014-11-20 11:59:21 CET
Please skip /etc/univention/ssl/unassigned-hostname.unassigned-domain/* in ucs-test for UCS 3.2-4 and UCS 4.0-0.
Comment 8 Ammar Najjar univentionstaff 2014-11-20 12:39:48 CET
(In reply to Sönke Schwardt-Krummrich from comment #7)
> Please skip /etc/univention/ssl/unassigned-hostname.unassigned-domain/* in
> ucs-test for UCS 3.2-4 and UCS 4.0-0.

Done.
Comment 9 Sönke Schwardt-Krummrich univentionstaff 2014-12-08 09:21:15 CET
Please disable this test until bug 36904 is fixed.
Comment 10 Ammar Najjar univentionstaff 2014-12-08 09:52:53 CET
(In reply to Sönke Schwardt-Krummrich from comment #9)
> Please disable this test until bug 36904 is fixed.

Done.
Comment 11 Philipp Hahn univentionstaff 2015-01-09 13:13:52 CET
Jenkins regression: 01_base.101_permissions_after_renew_ssl_certificate @ DC Slave
> 'openssl x509 -in /etc/univention/ssl/ucsCA/CAcert.pem -out /etc/univention/ssl/ucsCA/NewCAcert.pem -days 1000 -passin file://etc/univention/ssl/password -signkey /etc/univention/ssl/ucsCA/private/CAkey.pem'
> Can't open file //etc/univention/ssl/password

Only the DC Master and DC Backup have a complete /etc/univention/ssl/; all other system roles only have their own and the CA's certificate. Accessing the "password" file there will never work.
Comment 12 Ammar Najjar univentionstaff 2015-01-12 12:40:20 CET
(In reply to Philipp Hahn from comment #11)
> Jenkins regression: 01_base.101_permissions_after_renew_ssl_certificate @ DC
> Slave
> > 'openssl x509 -in /etc/univention/ssl/ucsCA/CAcert.pem -out /etc/univention/ssl/ucsCA/NewCAcert.pem -days 1000 -passin file://etc/univention/ssl/password -signkey /etc/univention/ssl/ucsCA/private/CAkey.pem'
> > Can't open file //etc/univention/ssl/password
> 
> Only the DC Master and DC Backup have a complete /etc/univention/ssl/; all
> other system roles only have their and the CAs certificate. Accessing the
> "password" file there will never work.

The mentioned test script is restricted to run on domaincontroller_master only, and a new script "101_initial_ssl_certificate_permissions" is written for the newly opened Bug #37520 to cover checking the initial permissions on all roles.
Comment 13 Stefan Gohmann univentionstaff 2016-10-12 07:48:21 CEST
No separate QA is needed for this bug.