Univention Bugzilla – Bug 49036
Wrong permissions for /etc/univention/ssl/$FQDN
Last modified: 2019-12-18 13:33:07 CET
After installation of UCS-4.4-0 via PXE *directory* "/etc/univention/ssl/$FQDN" has permissions 0o640 - should be 0o750. This is caused by some script doing "ln -s /etc/univention/ssl/$FQDN /etc/univention/ssl/$HOSTNAME" where ".../$HOSTNAME" already exists. This leads to *another* symblink being created inside ".../$FQDN/". When next the computer account is modified (in my case "/usr/lib/univention-install/96univention-samba4.inst") the listener module "/usr/lib/univention-directory-listener/system/gencertificate.py" runs. It uses "os.path.walk()" which does *NOT* distinguish between "regular file", "directory" and "symbolic link". It changes all referenced files to 0o640. 1. s/ln -s/ln -snf/ 2. s/os.path.walk()/os.walk()/ or +if os.path.islink(): continue+ (see <https://hutten.knut.univention.de/blog/unix-109-ln-s/>)
UCS technical training 2019-03-21/22
The diagnostic check should be checked/adjusted accordingly (it seems it already checks for 0o755): management/univention-management-console-module-diagnostic/umc/python/diagnostic/plugins/31_file_permissions.py 145 » » cf_type('/etc/univention/ssl/{}.{}'.format(host, domain), '{}$'.format(host) if is_primary else 'root', 'DC Backup Hosts' if is_dc else 'root', 0o750, must_exist=True),
(In reply to Florian Best from comment #2) > The diagnostic check should be checked/adjusted accordingly (it seems it > already checks for 0o755): NO, the check is right, do not hide the underlying problems!
(In reply to Philipp Hahn from comment #3) > (In reply to Florian Best from comment #2) > > The diagnostic check should be checked/adjusted accordingly (it seems it > > already checks for 0o755): > > NO, the check is right, do not hide the underlying problems! Yes, that's why I said that it already checks for 0o755. So if this bug occurs it will currently already be displayed in the diagnostic module and there is a button to fix it.
(In reply to Florian Best from comment #4) > (In reply to Philipp Hahn from comment #3) > > (In reply to Florian Best from comment #2) > > > The diagnostic check should be checked/adjusted accordingly (it seems it > > > already checks for 0o755): > > > > NO, the check is right, do not hide the underlying problems! > Yes, that's why I said that it already checks for 0o755. > > So if this bug occurs it will currently already be displayed in the > diagnostic module and there is a button to fix it. 1. The PXE installation should not be bad by default. 2. The is NO such button to fix it. UCS technical training 2019-05-08/09
Fixed in branch git:phahn/49036-ssl-listener [phahn/49036-ssl-listener] 25aa3895ab Bug #49193 USS: Fix ssl symlink creation base/univention-system-setup/debian/changelog | 6 ++++++ .../lib/univention-system-setup/scripts/10_basis/10hostname | 4 ++-- .../lib/univention-system-setup/scripts/10_basis/12domainname | 6 +++--- .../usr/lib/univention-system-setup/scripts/40_ssl/10ssl | 2 +- .../usr/lib/univention-system-setup/scripts/setup-join.sh | 4 ++-- doc/errata/staging/univention-system-setup.yaml | 10 ++++++++++ 6 files changed, 24 insertions(+), 8 deletions(-) [phahn/49036-ssl-listener] 89cfeeb14b Bug #49193 server: Fix ssl symlink creation base/univention-server/debian/changelog | 6 ++++++ base/univention-server/debian/univention-server-master.preinst | 2 +- doc/errata/staging/univention-server.yaml | 7 ++++--- 3 files changed, 11 insertions(+), 4 deletions(-) [phahn/49036-ssl-listener] 17ea0a7b6f Bug #49036 ssl: Changelog and YAML base/univention-ssl/debian/changelog | 6 ++++++ doc/errata/staging/univention-ssl.yaml | 12 ++++++++++++ 2 files changed, 18 insertions(+) [phahn/49036-ssl-listener] df7b33ab7a Bug #49036 ssl: Add mypy annotations. base/univention-ssl/gencertificate.py | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) [phahn/49036-ssl-listener] 04cf97d1c5 Bug #49036 ssl: Add Python DocStrings base/univention-ssl/gencertificate.py | 36 +++++++++++++++++++++++++++++++---- 1 file changed, 32 insertions(+), 4 deletions(-) [phahn/49036-ssl-listener] 81cc375f6e Bug #49036 ssl: Improve error reporting base/univention-ssl/gencertificate.py | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) [phahn/49036-ssl-listener] 69df7c6a8a Bug #49036 ssl: Fix cleanup tree base/univention-ssl/gencertificate.py | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) [phahn/49036-ssl-listener] a6e0ed2614 Bug #49036 ssl: Use relative path for symlink base/univention-ssl/debian/univention-ssl.postinst | 2 +- base/univention-ssl/gencertificate.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) [phahn/49036-ssl-listener] 43425c6125 Bug #49036 ssl: Fix broken symbolic links base/univention-ssl/gencertificate.py | 29 ++++++++++++++++------------- 1 file changed, 16 insertions(+), 13 deletions(-) QA: name="bug49036" dom="$(ucr get domainname)" lb="$(ucr get ldap/base)" fqdn="/etc/univention/ssl/$name.$dom" udm computers/memberserver create --name "$name" ln -snf "$fqdn" "$fqdn/" udm computers/memberserver modify --dn "cn=$name,$lb" --set description="$RANDOM" stat -c '%a' "$fqdn" # wrong:640 -> correct:750 PS: The last two commits fix USS and server to get rid of the broken "ln -s" without "-n" and "-f". and also convert all symbolic links to relative paths (Bug #34106)
Please correct me if I'm wrong: use case here is "only" if a DC Master is deployed by PXE
(In reply to Ingo Steuwer from comment #8) > Please correct me if I'm wrong: use case here is "only" if a DC Master is > deployed by PXE At least it happens there every month I do a UCS technical training. I don't care if there is some other way to trigger it, I want to get it fixed for at least my use-case. It is annoying enough for me to get it fixed: patch is ready, just needs QA the next BSD.
> just needs QA the next BSD. Yes, fine, that was the opinion in the discussion.
FYI: "ucs-test/00_checks/81_diagnostic_checks" regularly fails on "backup092": There are multiple code paths in UCS which create / copy / touch / modify files below /etc/univention/ssl/ and use slightly different users / groups / permissions. Also see Bug #50394
8729eb0564 Bug #49036: yaml update 9b9788cd02 Bug #49036: Merge branch 'fbest/49036-ssl-listener' into 4.4-3 Successful build Package: univention-ssl Version: 13.0.0-6A~4.4.0.201912101852 Branch: ucs_4.4-0 Scope: errata4.4-3 User: jbremer Merged the branch to 4.4-3
REOPEN: univention-system-setup has not been built
ec6f5a4533 Bug #49036: yaml update c2306b4df9 Bug #49036: Update changelog Successful build Package: univention-system-setup Version: 12.0.2-19A~4.4.0.201912111155 Branch: ucs_4.4-0 Scope: errata4.4-3 User: jbremer Sorry for that, I build univention-system-setup and updated the yaml file
hmm, still fails on https://jenkins.knut.univention.de:8181/job/UCS-4.4/job/UCS-4.4-3/job/AutotestJoin/SambaVersion=s4,Systemrolle=backup/lastCompletedBuild/testReport/00_checks/81_diagnostic_checks/backup093/ univention-system-setup 12.0.2-19A~4.4.0.201912111155 univention-ssl 13.0.0-6A~4.4.0.201912101852
(In reply to Felix Botner from comment #15) > hmm, still fails on > https://jenkins.knut.univention.de:8181/job/UCS-4.4/job/UCS-4.4-3/job/ > AutotestJoin/SambaVersion=s4,Systemrolle=backup/lastCompletedBuild/ > testReport/00_checks/81_diagnostic_checks/backup093/ > > univention-system-setup 12.0.2-19A~4.4.0.201912111155 > univention-ssl 13.0.0-6A~4.4.0.201912101852 Could the reason be, that the certificates are created with the old univention-system-setup version? Or is that package upgraded before the profile is activated?
(In reply to Felix Botner from comment #15) > hmm, still fails on > https://jenkins.knut.univention.de:8181/job/UCS-4.4/job/UCS-4.4-3/job/ > AutotestJoin/SambaVersion=s4,Systemrolle=backup/lastCompletedBuild/ > testReport/00_checks/81_diagnostic_checks/backup093/ > > univention-system-setup 12.0.2-19A~4.4.0.201912111155 > univention-ssl 13.0.0-6A~4.4.0.201912101852 Please read comment 11 on why it still fails: base/univention-ssl/gencertificate.py uses 640:root:DC Backup Hosts base/univention-ssl/make-certificates.sh uses 600/700:root:DC Backup Hosts And there are cases, where the group lookup for "DC Backup Hosts" does not (yet) work and thus the files are assigned to "root" instead of "DC Backup Hosts". And if I remember correctly there is a cron job, which "fixes" the permissions. Depending on when the jobs runs relative to the join process the check either fails or succeeds.
I found the case where the permissions are set to 0775: /usr/sbin/univention-join:857 univention-ssh-rsync "$DCPWD" -az "${DCACCOUNT}@${DCNAME}:/etc/univention/ssl/*" /etc/univention/ssl/ >>/var/log/univention/join.log 2>&1
(In reply to Florian Best from comment #18) > I found the case where the permissions are set to 0775: > > /usr/sbin/univention-join:857 > univention-ssh-rsync "$DCPWD" -az > "${DCACCOUNT}@${DCNAME}:/etc/univention/ssl/*" /etc/univention/ssl/ > >>/var/log/univention/join.log 2>&1 Urgs, typo: 750. But that is the expected. The case where it is set to 770 is in: /usr/lib/univention-install/20univention-join.inst
chmod change by by: `chmod g+rwx "/etc/univention/ssl/$hostname"` in: /usr/lib/univention-install/20univention-join.inst:110 test -d "/etc/univention/ssl/$hostname" && chgrp -R "DC Backup Hosts" "/etc/univention/ssl/$hostname" && chmod g+rwx "/etc/univention/ssl/$hostname" && find "/etc/univention/ssl/$hostname/" -type f | xargs chmod g+rw
Successful build Package: univention-join Version: 11.0.1-27A~4.4.0.201912121646 Branch: ucs_4.4-0 Scope: errata4.4-3 8e0106d27f Bug #49036: update yaml 94b3d9dcf9 Bug #49036: Fix wrong permissions set in 20univention-join.inst Todo: See if the tests succeed.
There are several commits with the wrong bug number (Bug #49193) in the message: univention-system-setup (12.0.2-16) 315a9de2b628 | Bug #49193 USS: Fix ssl symlink creation univention-system-setup.yaml 315a9de2b628 | Bug #49193 USS: Fix ssl symlink creation univention-server (14.0.0-10) 60ae87b6df24 | Bug #49193 server: Fix ssl symlink creation univention-server.yaml 60ae87b6df24 | Bug #49193 server: Fix ssl symlink creation
OK: univention-server OK: univention-system-setup OK: univention-join OK: univention-ssl OK: reproduced && fixed (comment #6) OK: jenkins test for diagnose module OK: YAML's (adjusted in adc20bb65317efa730096d850fac882ca49ec8e7)
Btw: Philipp already analyzed the reason for the failing Jenkins Test in Bug #45372 comment 2
<http://errata.software-univention.de/ucs/4.4/410.html> <http://errata.software-univention.de/ucs/4.4/411.html> <http://errata.software-univention.de/ucs/4.4/412.html> <http://errata.software-univention.de/ucs/4.4/413.html>