Re: Resend: ca-certificates postinstall permission denied error

[ASSI <Stromeko@nexgo.de>]

Shaddy Baddah writes:
> Getting consistent permission denied errors on postinstall of
> ca-certificate.
>
> It appears to be oversight, out of a well-intentioned attempt to
> protect script generated reference files.

This is caused by p11-kit removing write permissions even for the user
from the hash directory when it is finished.  This went unnoticed
for essentially forever (the commit doing this is over 10 years old),
most likely since an admin on Windows will be able to write a new
directory entry anyway by way of SeRestorePrivilege and similarly root
on UNIX system can still create new files in such directories (unless a
suitably restricted SELinux policy is active).

> I've experienced this on two installs, both where I run setup exe with
> -B, no privelege elevation). Both installs have had an manual
> manipulation of the directory, or its parents up to /etc.

See above.  And since it's p11-kit doing this, just patching up the
postinstall script to change permissions won't do, as update-ca-trust
will run p11-kit by itself before it tries to create the symlink.

Can you try if these patches fiy your issue (if you havent installed
ca-certificates-letsencrypt then obviously the second one will not
apply)?

--8<---------------cut here---------------start------------->8---
--- /usr/bin/update-ca-trust.orig
+++ /usr/bin/update-ca-trust
@@ -23,9 +23,12 @@
 # Hashed directory of BEGIN TRUSTED-style certs (usable as OpenSSL CApath and
 # by GnuTLS)
 /usr/bin/p11-kit extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose server-auth $DEST/pem/directory-hash
+# p11-kit removes write permission to the directory
+chmod u+w $DEST/pem/directory-hash
 # Debian compatibility: their /etc/ssl/certs has this bundle
 /usr/bin/ln -s ../tls-ca-bundle.pem $DEST/pem/directory-hash/ca-certificates.crt
 # Backwards compatibility: RHEL/Fedora provided a /etc/ssl/certs/ca-bundle.crt
 # since https://bugzilla.redhat.com/show_bug.cgi?id=572725
 /usr/bin/ln -s ../tls-ca-bundle.pem $DEST/pem/directory-hash/ca-bundle.crt
+chmod a-w $DEST/pem/directory-hash
--8<---------------cut here---------------end--------------->8---

--8<---------------cut here---------------start------------->8---
--- /etc/postinstall/ca-certificates-letsencrypt.sh.orig
+++ /mnt/cygwin32/etc/postinstall/ca-certificates-letsencrypt.sh
@@ -1,3 +1,4 @@
+chmod u+w /etc/pki/ca-trust/extracted/pem/directory-hash
 /usr/bin/ln -s /usr/share/pki/letsencrypt/isrg-intermediate-r3.pem /usr/share/pki/ca-trust-source/anchors/
 /usr/bin/ln -s /usr/share/pki/letsencrypt/trustid-root-x3.pem /usr/share/pki/ca-trust-source/blacklist
 /usr/bin/update-ca-trust
--8<---------------cut here---------------end--------------->8---



Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Factory and User Sound Singles for Waldorf Q+, Q and microQ:
http://Synth.Stromeko.net/Downloads.html#WaldorfSounds