From: ASSI <>
Subject: Re: Resend: ca-certificates postinstall permission denied error
Date: Fri, 26 Aug 2022 08:28:59 +0200
Message-ID: <877d2vcyc4.fsf@Otto.invalid>
In-Reply-To: <> (Shaddy Baddah's message of "Fri, 26 Aug 2022 13:22:22 +1000")

Shaddy Baddah writes:
> Getting consistent permission denied errors on postinstall of
> ca-certificate.
> It appears to be oversight, out of a well-intentioned attempt to
> protect script generated reference files.

This is caused by p11-kit removing write permissions even for the user
from the hash directory when it is finished.  This went unnoticed
for essentially forever (the commit doing this is over 10 years old),
most likely since an admin on Windows will be able to write a new
directory entry anyway by way of SeRestorePrivilege and similarly root
on UNIX systems can still create new files in such directories (unless a
suitably restricted SELinux policy is active).

> I've experienced this on two installs, both where I run setup exe with
> -B (no privilege elevation). Both installs have had a manual
> manipulation of the directory, or its parents up to /etc.

See above.  And since it's p11-kit doing this, just patching up the
postinstall script to change permissions won't do, as update-ca-trust
will run p11-kit by itself before it tries to create the symlink.

Can you try if these patches fix your issue (if you haven't installed
ca-certificates-letsencrypt then obviously the second one will not

--8<---------------cut here---------------start------------->8---
--- /usr/bin/update-ca-trust.orig
+++ /usr/bin/update-ca-trust
@@ -23,9 +23,12 @@
 # Hashed directory of BEGIN TRUSTED-style certs (usable as OpenSSL CApath and
 # by GnuTLS)
 /usr/bin/p11-kit extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose server-auth $DEST/pem/directory-hash
+# p11-kit removes write permission to the directory
+chmod u+w $DEST/pem/directory-hash
 # Debian compatibility: their /etc/ssl/certs has this bundle
 /usr/bin/ln -s ../tls-ca-bundle.pem $DEST/pem/directory-hash/ca-certificates.crt
 # Backwards compatibility: RHEL/Fedora provided a /etc/ssl/certs/ca-bundle.crt
 # since
 /usr/bin/ln -s ../tls-ca-bundle.pem $DEST/pem/directory-hash/ca-bundle.crt
+chmod a-w $DEST/pem/directory-hash
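Review bot: the two `ln -s` calls now bracketed by `chmod u+w` and `chmod a-w` have no `-f`, so on a re-run where the old `ca-certificates.crt` and `ca-bundle.crt` links survive the `p11-kit extract ... --overwrite` step, `ln` fails with "File exists", nothing here checks an exit status, and the script silently proceeds to `chmod a-w`; `ln -sf` (or an explicit `rm -f` of the two links first) makes the step idempotent. On the security side the bracket is sound: `u+w` only adds the owner bit, so the directory is never group- or world-writable during the two `ln` calls, and the closing `chmod a-w` puts the mode back to what p11-kit left. For consistency with shell hygiene, `"$DEST"` could be quoted in the two new lines, though the surrounding lines already expand it unquoted.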
--8<---------------cut here---------------end--------------->8---

--8<---------------cut here---------------start------------->8---
--- /etc/postinstall/
+++ /mnt/cygwin32/etc/postinstall/
@@ -1,3 +1,4 @@
+chmod u+w /etc/pki/ca-trust/extracted/pem/directory-hash
 /usr/bin/ln -s /usr/share/pki/letsencrypt/isrg-intermediate-r3.pem /usr/share/pki/ca-trust-source/anchors/
 /usr/bin/ln -s /usr/share/pki/letsencrypt/trustid-root-x3.pem /usr/share/pki/ca-trust-source/blacklist
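Review bot: the added `chmod u+w /etc/pki/ca-trust/extracted/pem/directory-hash` loosens a directory that neither visible `ln -s` writes to (both create links under /usr/share/pki/ca-trust-source/anchors/ and .../blacklist), and the `@@ -1,3 +1,4 @@` header promises three original lines of which only two are shown, so whatever line this chmod is meant to unblock is not on the page; the hunk also never restores the mode, leaving directory-hash owner-writable after postinstall. Suggest posting the full hunk and either dropping this chmod in favour of the one already placed inside update-ca-trust in the first patch, or pairing it with a trailing `chmod a-w`. Separately, the file headers `--- /etc/postinstall/` and `+++ /mnt/cygwin32/etc/postinstall/` point at two different trees and elide the script name, so the patch will not apply as pasted.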
--8<---------------cut here---------------end--------------->8---

+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Factory and User Sound Singles for Waldorf Q+, Q and microQ:
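The failure mode and the fix described in the message above, as an added example that is not from the mail, from Cygwin or from p11-kit. Instead of running p11-kit it builds a stand-in for $DEST/pem in a temporary directory and strips the write bit the way p11-kit does, then shows that the unpatched symlink creation is denied for an unprivileged owner but still succeeds for root (the bypass the message mentions), and that the u+w/a-w bracket from the first patch leaves the directory read-only again with both links in place. The function names are this example's own, and it uses ln -sf where the patch uses ln -s so it can be re-run.

```shell
#!/bin/sh
# Added example, not from the original mail, Cygwin or p11-kit.
# Simulates the hash directory p11-kit leaves behind (write bit removed)
# and compares the unpatched and patched symlink steps of update-ca-trust.
set -u

# Build a fake $DEST/pem: a bundle file plus a directory-hash whose write
# permission has been stripped, as p11-kit extract does when it finishes.
# Prints the path of the fake $DEST/pem.
make_fake_pem_dir() {
    pem=$(mktemp -d)
    : > "$pem/tls-ca-bundle.pem"
    mkdir "$pem/directory-hash"
    chmod 755 "$pem/directory-hash"   # fix a known starting mode (umask-independent)
    chmod a-w "$pem/directory-hash"   # what p11-kit leaves: dr-xr-xr-x
    printf '%s\n' "$pem"
}

# Unpatched update-ca-trust: create the Debian-compat link without touching
# the directory mode. Prints "created" or "denied".
link_unpatched() {
    pem=$1
    if ln -s ../tls-ca-bundle.pem "$pem/directory-hash/ca-certificates.crt" 2>/dev/null; then
        echo created
    else
        echo denied
    fi
}

# What the unpatched step should yield here. test -w uses access(2), which
# is exactly the check ln runs into: an unprivileged owner of a mode-555
# directory is denied, while root (CAP_DAC_OVERRIDE) may still add entries.
expected_unpatched() {
    if [ -w "$1/directory-hash" ]; then echo created; else echo denied; fi
}

# Patched update-ca-trust: open the directory for the owner only, create the
# two compatibility links, then put the mode back. Prints the resulting
# permission string (first ten chars of ls -ld), e.g. dr-xr-xr-x.
link_patched() {
    pem=$1
    chmod u+w "$pem/directory-hash" &&
    ln -sf ../tls-ca-bundle.pem "$pem/directory-hash/ca-certificates.crt" &&
    ln -sf ../tls-ca-bundle.pem "$pem/directory-hash/ca-bundle.crt" &&
    chmod a-w "$pem/directory-hash" || return 1
    ls -ld "$pem/directory-hash" | cut -c1-10
}

# Remove the fake tree; the directory is read-only, so re-open it first.
cleanup_fake_pem_dir() {
    chmod u+w "$1/directory-hash" 2>/dev/null
    rm -rf "$1"
}

demo() {
    pem=$(make_fake_pem_dir)
    echo "unpatched: $(link_unpatched "$pem") (expected $(expected_unpatched "$pem"))"
    echo "patched:   $(link_patched "$pem")"
    ls -l "$pem/directory-hash"
    cleanup_fake_pem_dir "$pem"
}
```

Run as the unprivileged user that owns the tree to see "denied" for the unpatched step; run as root and the same step reports "created", which is why the stripped write bit went unnoticed for so long in setups where postinstall scripts run elevated.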

Thread overview: 4+ messages
     [not found] <>
2022-08-26  3:22 ` Shaddy Baddah
2022-08-26  4:21   ` minor correction: " Shaddy Baddah
2022-08-26  6:28   ` ASSI [this message]
2022-08-29  9:36     ` Markus Hansmair
