From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mr6.vodafonemail.de (mr6.vodafonemail.de [145.253.228.166]) by sourceware.org (Postfix) with ESMTPS id D24C63858D39 for ; Fri, 26 Aug 2022 06:29:11 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org D24C63858D39 Authentication-Results: sourceware.org; dmarc=none (p=none dis=none) header.from=nexgo.de Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=nexgo.de Received: from smtp.vodafone.de (unknown [10.0.0.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by mr6.vodafonemail.de (Postfix) with ESMTPS id 4MDVKd5K16z1y4c for ; Fri, 26 Aug 2022 06:29:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nexgo.de; s=vfde-smtpout-mb-15sep; t=1661495349; bh=1ZUT9c7lEHLwIJoPLkP9Nm5JW8pXr+kpXwFJo33BRE8=; h=From:To:Subject:References:Date:In-Reply-To:Message-ID:User-Agent: Content-Type:From; b=WPaKo+NxKUCrYytfL9DvDFpUYsdpJjbe+tJgnrARyOS1d9nEsapGPognLHorhI7uD aYgt3e9H4M/6ZLjIbCta2imM9EirRnDvU+L78u5B3O2H09zcyvR/k0pFesCtvWpqR6 d0YOM1Wwiq8O2dzcVNmBvYNSBgzuIDG1E58Vy/0k= Received: from Otto (p57b9d3f5.dip0.t-ipconnect.de [87.185.211.245]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (prime256v1) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp.vodafone.de (Postfix) with ESMTPSA id 4MDVKd1NHfz9wwZ for ; Fri, 26 Aug 2022 06:29:06 +0000 (UTC) From: ASSI To: cygwin@cygwin.com Subject: Re: Resend: ca-certificates postinstall permission denied error References: <0deb131e-26bd-7180-b23f-caf03387a5ea@aussiebb.com.au> <310e03a1-943c-4e37-6130-197742917a57@aussiebb.com.au> Date: Fri, 26 Aug 2022 08:28:59 +0200 In-Reply-To: <310e03a1-943c-4e37-6130-197742917a57@aussiebb.com.au> (Shaddy Baddah's message of "Fri, 26 Aug 2022 13:22:22 +1000") Message-ID: <877d2vcyc4.fsf@Otto.invalid> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-purgate-type: clean X-purgate: clean X-purgate-size: 2994 X-purgate-ID: 155817::1661495349-F30A5215-3222A225/0/0 X-Spam-Status: No, score=-3031.2 required=5.0 tests=BAYES_00,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS,TXREP,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org List-Id: Shaddy Baddah writes: > Getting consistent permission denied errors on postinstall of > ca-certificate. > > It appears to be oversight, out of a well-intentioned attempt to > protect script generated reference files. This is caused by p11-kit removing write permissions even for the user from the hash directory when it is finished. This went unnoticed for essentially forever (the commit doing this is over 10 years old), most likely since an admin on Windows will be able to write a new directory entry anyway by way of SeRestorePrivilege and similarly root on UNIX system can still create new files in such directories (unless a suitably restricted SELinux policy is active). > I've experienced this on two installs, both where I run setup exe with > -B, no privelege elevation). Both installs have had an manual > manipulation of the directory, or its parents up to /etc. See above. And since it's p11-kit doing this, just patching up the postinstall script to change permissions won't do, as update-ca-trust will run p11-kit by itself before it tries to create the symlink. Can you try if these patches fiy your issue (if you havent installed ca-certificates-letsencrypt then obviously the second one will not apply)? --8<---------------cut here---------------start------------->8--- --- /usr/bin/update-ca-trust.orig +++ /usr/bin/update-ca-trust @@ -23,9 +23,12 @@ # Hashed directory of BEGIN TRUSTED-style certs (usable as OpenSSL CApath and # by GnuTLS) /usr/bin/p11-kit extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose server-auth $DEST/pem/directory-hash +# p11-kit removes write permission to the directory +chmod u+w $DEST/pem/directory-hash # Debian compatibility: their /etc/ssl/certs has this bundle /usr/bin/ln -s ../tls-ca-bundle.pem $DEST/pem/directory-hash/ca-certificates.crt # Backwards compatibility: RHEL/Fedora provided a /etc/ssl/certs/ca-bundle.crt # since https://bugzilla.redhat.com/show_bug.cgi?id=572725 /usr/bin/ln -s ../tls-ca-bundle.pem $DEST/pem/directory-hash/ca-bundle.crt +chmod a-w $DEST/pem/directory-hash --8<---------------cut here---------------end--------------->8--- --8<---------------cut here---------------start------------->8--- --- /etc/postinstall/ca-certificates-letsencrypt.sh.orig +++ /mnt/cygwin32/etc/postinstall/ca-certificates-letsencrypt.sh @@ -1,3 +1,4 @@ +chmod u+w /etc/pki/ca-trust/extracted/pem/directory-hash /usr/bin/ln -s /usr/share/pki/letsencrypt/isrg-intermediate-r3.pem /usr/share/pki/ca-trust-source/anchors/ /usr/bin/ln -s /usr/share/pki/letsencrypt/trustid-root-x3.pem /usr/share/pki/ca-trust-source/blacklist /usr/bin/update-ca-trust --8<---------------cut here---------------end--------------->8--- Regards, Achim. -- +<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+ Factory and User Sound Singles for Waldorf Q+, Q and microQ: http://Synth.Stromeko.net/Downloads.html#WaldorfSounds