public inbox for cygwin@cygwin.com
* Resend: ca-certificates postinstall permission denied error
       [not found] <0deb131e-26bd-7180-b23f-caf03387a5ea@aussiebb.com.au>
@ 2022-08-26  3:22 ` Shaddy Baddah
  2022-08-26  4:21   ` minor correction: " Shaddy Baddah
  2022-08-26  6:28   ` Resend: " ASSI
  0 siblings, 2 replies; 4+ messages in thread
From: Shaddy Baddah @ 2022-08-26  3:22 UTC (permalink / raw)
  To: cygwin


Hi,

On 26/08/2022 1:10 pm, Shaddy Baddah wrote:
> Hi, Getting consistent permission denied errors on postinstall of <snip/>

Apologies for the rendering of the original email. Email client did
something unexpected with line breaks. I've loopback tested this
resend first.


Getting consistent permission denied errors on postinstall of
ca-certificate.

It appears to be an oversight, out of a well-intentioned attempt to
protect script-generated reference files.

The error as it appears in setup.log.full:

2022/08/26 11:39:07 running: e:\cygwin-x86_64\bin\bash.exe --norc --noprofile "/etc/postinstall/ca-certificates.sh"
/usr/bin/ln: failed to create symbolic link '/etc/pki/ca-trust/extracted/pem/directory-hash/ca-certificates.crt': Permission denied
/usr/bin/ln: failed to create symbolic link '/etc/pki/ca-trust/extracted/pem/directory-hash/ca-bundle.crt': Permission denied
2022/08/26 11:39:21 abnormal exit: exit code=1

The directory permissions are:

$ ls -ld /etc/pki/ca-trust/extracted/pem/directory-hash/
dr-xr-xr-x 1 joebloggs Domain Users 0 Aug 26 11:39 /etc/pki/ca-trust/extracted/pem/directory-hash/

I've experienced this on two installs, both where I run setup.exe with
-B (no privilege elevation). Both installs have had a manual
manipulation of the directory, or its parents up to /etc.

--
Regards,
Shaddy


* Re: minor correction: ca-certificates postinstall permission denied error
  2022-08-26  3:22 ` Resend: ca-certificates postinstall permission denied error Shaddy Baddah
@ 2022-08-26  4:21   ` Shaddy Baddah
  2022-08-26  6:28   ` Resend: " ASSI
  1 sibling, 0 replies; 4+ messages in thread
From: Shaddy Baddah @ 2022-08-26  4:21 UTC (permalink / raw)
  To: cygwin

Hi,

On 26/08/2022 1:22 pm, Shaddy Baddah wrote:
> -B (no privilege elevation). Both installs have had a manual
> manipulation of the directory, or its parents up to /etc.

Both installs have *not* had any manual manipulation...

-- 
Regards,
Shaddy


* Re: Resend: ca-certificates postinstall permission denied error
  2022-08-26  3:22 ` Resend: ca-certificates postinstall permission denied error Shaddy Baddah
  2022-08-26  4:21   ` minor correction: " Shaddy Baddah
@ 2022-08-26  6:28   ` ASSI
  2022-08-29  9:36     ` Markus Hansmair
  1 sibling, 1 reply; 4+ messages in thread
From: ASSI @ 2022-08-26  6:28 UTC (permalink / raw)
  To: cygwin

Shaddy Baddah writes:
> Getting consistent permission denied errors on postinstall of
> ca-certificate.
>
> It appears to be an oversight, out of a well-intentioned attempt to
> protect script-generated reference files.

This is caused by p11-kit removing write permissions even for the user
from the hash directory when it is finished.  This went unnoticed
for essentially forever (the commit doing this is over 10 years old),
most likely since an admin on Windows will be able to write a new
directory entry anyway by way of SeRestorePrivilege, and similarly root
on UNIX systems can still create new files in such directories (unless a
suitably restricted SELinux policy is active).

> I've experienced this on two installs, both where I run setup.exe with
> -B (no privilege elevation). Both installs have had a manual
> manipulation of the directory, or its parents up to /etc.

See above.  And since it's p11-kit doing this, just patching up the
postinstall script to change permissions won't do, as update-ca-trust
will run p11-kit by itself before it tries to create the symlink.

Can you try whether these patches fix your issue (if you haven't installed
ca-certificates-letsencrypt then obviously the second one will not
apply)?

--8<---------------cut here---------------start------------->8---
--- /usr/bin/update-ca-trust.orig
+++ /usr/bin/update-ca-trust
@@ -23,9 +23,12 @@
 # Hashed directory of BEGIN TRUSTED-style certs (usable as OpenSSL CApath and
 # by GnuTLS)
 /usr/bin/p11-kit extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose server-auth $DEST/pem/directory-hash
+# p11-kit removes write permission to the directory
+chmod u+w $DEST/pem/directory-hash
 # Debian compatibility: their /etc/ssl/certs has this bundle
 /usr/bin/ln -s ../tls-ca-bundle.pem $DEST/pem/directory-hash/ca-certificates.crt
 # Backwards compatibility: RHEL/Fedora provided a /etc/ssl/certs/ca-bundle.crt
 # since https://bugzilla.redhat.com/show_bug.cgi?id=572725
 /usr/bin/ln -s ../tls-ca-bundle.pem $DEST/pem/directory-hash/ca-bundle.crt
+chmod a-w $DEST/pem/directory-hash
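Review bot: the added `chmod u+w` sits after the `p11-kit extract` call, but on a re-run p11-kit itself has to write into `$DEST/pem/directory-hash`, which the trailing `+chmod a-w $DEST/pem/directory-hash` leaves read-only for an unprivileged user; consider restoring the write bit before the extract as well when the directory already exists, instead of relying on every caller to do it (as the second patch does). If either `ln -s` fails and the script stops between the two chmods, the directory stays writable; running the final `chmod a-w` regardless of the link outcome avoids that. The header `@@ -23,9 +23,12 @@` counts one line more than is shown on each side, so a blank context line was probably dropped in transit and `patch` may need fuzz.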
--8<---------------cut here---------------end--------------->8---

--8<---------------cut here---------------start------------->8---
--- /etc/postinstall/ca-certificates-letsencrypt.sh.orig
+++ /mnt/cygwin32/etc/postinstall/ca-certificates-letsencrypt.sh
@@ -1,3 +1,4 @@
+chmod u+w /etc/pki/ca-trust/extracted/pem/directory-hash
 /usr/bin/ln -s /usr/share/pki/letsencrypt/isrg-intermediate-r3.pem /usr/share/pki/ca-trust-source/anchors/
 /usr/bin/ln -s /usr/share/pki/letsencrypt/trustid-root-x3.pem /usr/share/pki/ca-trust-source/blacklist
 /usr/bin/update-ca-trust
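Review bot: the `+++` header names `/mnt/cygwin32/etc/postinstall/ca-certificates-letsencrypt.sh` while `---` names `/etc/postinstall/ca-certificates-letsencrypt.sh.orig`, so the paths should be made to match before anyone applies this with `patch -p0`. The added `+chmod u+w /etc/pki/ca-trust/extracted/pem/directory-hash` also fails when that directory does not exist yet (a fresh install where `update-ca-trust` has never run); guarding it with `[ -d /etc/pki/ca-trust/extracted/pem/directory-hash ] &&` keeps the postinstall script from aborting before the `ln -s` and `update-ca-trust` lines.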
--8<---------------cut here---------------end--------------->8---



Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Factory and User Sound Singles for Waldorf Q+, Q and microQ:
http://Synth.Stromeko.net/Downloads.html#WaldorfSounds

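ASSI's explanation above (p11-kit leaving the hash directory without a write bit even for its owner, the symlink step then failing for an unprivileged user, and the `chmod u+w` / `chmod a-w` bracket in the update-ca-trust patch) can be reproduced in a scratch directory. The script below is an added example, not code from this thread, from p11-kit or from the ca-certificates package; it assumes GNU coreutils (`stat -c`, `readlink`, `mktemp -d`), as shipped with Cygwin, and uses a constructed empty `tls-ca-bundle.pem` in place of the real bundle.

```shell
#!/bin/sh
# Added example (not from the thread, p11-kit or ca-certificates): reproduce
# the read-only hash directory p11-kit leaves behind and show the patched
# link-creation pattern, in a scratch directory instead of /etc/pki.
# Assumes GNU coreutils (stat -c, readlink, mktemp -d).

# Stand-in for "p11-kit extract ... $DEST/pem/directory-hash": create the
# layout, then leave the directory without a write bit, as p11-kit does.
simulate_p11kit_extract() {
    dest=$1
    mkdir -p "$dest/pem/directory-hash"
    : > "$dest/pem/tls-ca-bundle.pem"              # constructed empty bundle
    chmod u=rwx,go=rx "$dest/pem/directory-hash"   # normalise regardless of umask
    chmod a-w "$dest/pem/directory-hash"           # what p11-kit leaves behind
}

# Unpatched behaviour: link straight into the read-only directory.
# Fails with EACCES for an ordinary user; root, or a Windows admin holding
# SeRestorePrivilege, gets through, which is why the bug stayed hidden.
unpatched_links() {
    hashdir=$1/pem/directory-hash
    ln -s ../tls-ca-bundle.pem "$hashdir/ca-certificates.crt" &&
    ln -s ../tls-ca-bundle.pem "$hashdir/ca-bundle.crt"
}

# Patched behaviour: restore u+w, create the links, take the write bit away
# again. The final chmod runs even if a link failed, so an error half-way
# does not leave the directory writable.
patched_links() {
    hashdir=$1/pem/directory-hash
    chmod u+w "$hashdir" || return 1
    status=0
    ln -s ../tls-ca-bundle.pem "$hashdir/ca-certificates.crt" || status=1
    ln -s ../tls-ca-bundle.pem "$hashdir/ca-bundle.crt" || status=1
    chmod a-w "$hashdir"
    return $status
}

# Octal mode of the hash directory: 555 after p11-kit, 755 while linking.
hash_dir_mode() {
    stat -c '%a' "$1/pem/directory-hash"
}

# Target of one compatibility link, e.g. "../tls-ca-bundle.pem".
link_target() {
    readlink "$1/pem/directory-hash/$2"
}

# Stand-alone demo: unpatched and patched sequence, each in its own scratch dir.
demo() {
    a=$(mktemp -d); b=$(mktemp -d)
    simulate_p11kit_extract "$a"; simulate_p11kit_extract "$b"
    echo "hash dir after p11-kit: mode $(hash_dir_mode "$a")"
    if unpatched_links "$a"; then
        echo "unpatched: ln -s succeeded (elevated rights bypass the missing write bit)"
    else
        echo "unpatched: ln -s failed with Permission denied, as in setup.log.full"
    fi
    if patched_links "$b"; then
        echo "patched: links created, mode restored to $(hash_dir_mode "$b")"
        echo "patched: ca-bundle.crt -> $(link_target "$b" ca-bundle.crt)"
    fi
    chmod -R u+w "$a" "$b"; rm -rf "$a" "$b"   # write bit needed to clean up
}
demo
```

Run it as an ordinary user (the `setup.exe -B` / `--no-admin` case) and the unpatched `ln -s` fails with the same `Permission denied` as in setup.log.full; run it with elevated rights and that step succeeds, which is ASSI's point about why admins never noticed. Note that `chmod u+w` on a directory you own works even though the directory itself is not writable, which is what makes the patch possible without elevation.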

* Re: ca-certificates postinstall permission denied error
  2022-08-26  6:28   ` Resend: " ASSI
@ 2022-08-29  9:36     ` Markus Hansmair
  0 siblings, 0 replies; 4+ messages in thread
From: Markus Hansmair @ 2022-08-29  9:36 UTC (permalink / raw)
  To: cygwin

Hello,

may I chime in...

I had the very same issue. In an enterprise environment I'm forced to do

setup --no-admin --no-desktop

On 26.08.22 at 08:28, ASSI wrote:
> Can you try whether these patches fix your issue (if you haven't installed
> ca-certificates-letsencrypt then obviously the second one will not
> apply)?
> 
> [...]

I applied this patch and can confirm that the error message has gone. I 
ran the script as follows:

1. Started cmd.exe

2. set PATH=C:\<path-to-cygwin-installation>\bin;%PATH%

3. C:\<path-to-cygwin-installation>\bin\bash.exe --norc --noprofile "/etc/postinstall/ca-certificates.sh"

Step 3 is one line and was logged by the setup program before it 
reported "abnormal exit: exit code=1"

Sorry, I cannot tell anything about ca-certificates-letsencrypt.sh as 
the corresponding package has not been installed.

Kind regards

Markus Hansmair
