From: ASSI <Stromeko AT nexgo DOT de>
To: cygwin AT cygwin DOT com
Subject: Re: Resend: ca-certificates postinstall permission denied error
References: <0deb131e-26bd-7180-b23f-caf03387a5ea AT aussiebb DOT com DOT au>
 <310e03a1-943c-4e37-6130-197742917a57 AT aussiebb DOT com DOT au>
Date: Fri, 26 Aug 2022 08:28:59 +0200
In-Reply-To: <310e03a1-943c-4e37-6130-197742917a57@aussiebb.com.au> (Shaddy Baddah's message of "Fri, 26 Aug 2022 13:22:22 +1000")
Message-ID: <877d2vcyc4.fsf@Otto.invalid>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.1 (gnu/linux)
List-Id: General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Archive: <https://cygwin.com/pipermail/cygwin/>
Shaddy Baddah writes:

> Getting consistent permission denied errors on postinstall of
> ca-certificate.
>
> It appears to be oversight, out of a well-intentioned attempt to
> protect script generated reference files.

This is caused by p11-kit removing write permissions even for the user from the hash directory when it is finished. This went unnoticed for essentially forever (the commit doing this is over 10 years old), most likely since an admin on Windows will be able to write a new directory entry anyway by way of SeRestorePrivilege and similarly root on UNIX systems can still create new files in such directories (unless a suitably restricted SELinux policy is active).

> I've experienced this on two installs, both where I run setup exe with
> -B (no privilege elevation). Both installs have had a manual
> manipulation of the directory, or its parents up to /etc.

See above. And since it's p11-kit doing this, just patching up the postinstall script to change permissions won't do, as update-ca-trust will run p11-kit by itself before it tries to create the symlink.

Can you try if these patches fix your issue (if you haven't installed ca-certificates-letsencrypt then obviously the second one will not apply)?

--8<---------------cut here---------------start------------->8---
--- /usr/bin/update-ca-trust.orig
+++ /usr/bin/update-ca-trust
@@ -23,9 +23,12 @@
 # Hashed directory of BEGIN TRUSTED-style certs (usable as OpenSSL CApath and
 # by GnuTLS)
 /usr/bin/p11-kit extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose server-auth $DEST/pem/directory-hash
+# p11-kit removes write permission to the directory
+chmod u+w $DEST/pem/directory-hash
 # Debian compatibility: their /etc/ssl/certs has this bundle
 /usr/bin/ln -s ../tls-ca-bundle.pem $DEST/pem/directory-hash/ca-certificates.crt
 # Backwards compatibility: RHEL/Fedora provided a /etc/ssl/certs/ca-bundle.crt
 # since https://bugzilla.redhat.com/show_bug.cgi?id=572725
 /usr/bin/ln -s ../tls-ca-bundle.pem $DEST/pem/directory-hash/ca-bundle.crt
+chmod a-w $DEST/pem/directory-hash
--8<---------------cut here---------------end--------------->8---

--8<---------------cut here---------------start------------->8---
--- /etc/postinstall/ca-certificates-letsencrypt.sh.orig
+++ /mnt/cygwin32/etc/postinstall/ca-certificates-letsencrypt.sh
@@ -1,3 +1,4 @@
+chmod u+w /etc/pki/ca-trust/extracted/pem/directory-hash
 /usr/bin/ln -s /usr/share/pki/letsencrypt/isrg-intermediate-r3.pem /usr/share/pki/ca-trust-source/anchors/
 /usr/bin/ln -s /usr/share/pki/letsencrypt/trustid-root-x3.pem /usr/share/pki/ca-trust-source/blacklist
 /usr/bin/update-ca-trust
--8<---------------cut here---------------end--------------->8---

Regards,
Achim.
--
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Factory and User Sound Singles for Waldorf Q+, Q and microQ:
http://Synth.Stromeko.net/Downloads.html#WaldorfSounds

--
Problem reports: https://cygwin.com/problems.html
FAQ: https://cygwin.com/faq/
Documentation: https://cygwin.com/docs.html
Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
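Review bot: in the update-ca-trust hunk, the trailing `+chmod a-w $DEST/pem/directory-hash` carries no comment, while the `+chmod u+w` line above it does; a later reader sees write permission granted and then revoked with only half the reasoning and may drop the second line as a leftover. Add something like `# restore the read-only state p11-kit leaves the hash directory in`. Note also that re-removing owner write at the end is exactly what forces every other script that adds entries to the hash directory (the letsencrypt postinstall in the second patch, for one) to repeat the u+w/a-w dance around its own work; if the read-only directory is not a hard requirement, leaving it owner-writable after the links are created is the simpler fix, since it is the files inside that are worth protecting.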
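Review bot: in the ca-certificates-letsencrypt.sh hunk, `+chmod u+w /etc/pki/ca-trust/extracted/pem/directory-hash` runs ahead of the two `ln -s` calls, but neither of them writes to the directory-hash directory; they write to `/usr/share/pki/ca-trust-source/anchors/` and `.../blacklist`. The only step that touches the hash directory is `/usr/bin/update-ca-trust`, which, as the reply above says, runs p11-kit first and (with the first patch applied) does its own `chmod u+w` before the links. So either this chmod is needed because `p11-kit extract --overwrite` must be able to replace the previous files, in which case it belongs in update-ca-trust in front of the p11-kit call where every caller benefits, or it is redundant here. As written it also hard-codes the path that the other script derives from `$DEST`, and it errors if the directory does not exist yet (a fresh install before the first update-ca-trust run); at minimum guard it with `[ -d /etc/pki/ca-trust/extracted/pem/directory-hash ] && chmod u+w /etc/pki/ca-trust/extracted/pem/directory-hash`. Finally, the `---` header names `/etc/postinstall/...` while `+++` names `/mnt/cygwin32/etc/postinstall/...`; normalise both to the same root so the patch applies with a single `-p` level.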
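The failure mode and fix discussed above can be reproduced without touching a real trust store. The script below is an added example, not code from Achim's message or from the Cygwin ca-certificates scripts: it emulates the hash directory with a temp directory whose write bit is stripped the way p11-kit leaves it, shows that a plain `ln -s` into it is refused for an unprivileged owner but silently succeeds for root (the reason the bug stayed hidden on UNIX, and the analogue of SeRestorePrivilege on Windows), and then runs the `chmod u+w` / `ln -s` / `chmod a-w` sequence from the proposed update-ca-trust patch. The bundle file, directory layout under `mktemp -d`, and all function names are constructed for this demonstration.

```sh
#!/bin/sh
# Added example (not from the original message or the Cygwin scripts):
# reproduce "Permission denied" on a non-writable hash directory and apply
# the u+w / ln -s / a-w sequence of the proposed patch in a throwaway tree.
# Assumption: mkdir + chmod a-w stands in for what p11-kit does to
# $DEST/pem/directory-hash; the bundle file is a constructed placeholder.

# Create DEST/pem/tls-ca-bundle.pem and DEST/pem/directory-hash, strip write
# permission from the hash directory as p11-kit does, and print DEST.
setup_hash_dir() {
    dest=$(mktemp -d) || return 1
    mkdir -p "$dest/pem/directory-hash" || return 1
    printf 'constructed placeholder, not a CA bundle\n' > "$dest/pem/tls-ca-bundle.pem"
    chmod a-w "$dest/pem/directory-hash"
    printf '%s\n' "$dest"
}

# Owner permission triple of a path, e.g. "rwx" or "r-x"; ls is used so the
# check works the same on GNU, BSD and Cygwin userlands.
owner_mode() {
    ls -ld "$1" | cut -c2-4
}

# What the unpatched script does: ln -s straight into the hash directory.
# Returns 0 if the link was created, 1 if the kernel refused (EACCES).
unpatched_link() {
    ln -s ../tls-ca-bundle.pem "$1/pem/directory-hash/ca-certificates.crt" 2>/dev/null
}

# The patched sequence: reopen the directory for the owner, add both links,
# then restore the read-only state p11-kit left behind.
patched_link() {
    hash="$1/pem/directory-hash"
    chmod u+w "$hash" || return 1
    ln -s ../tls-ca-bundle.pem "$hash/ca-certificates.crt" || return 1
    ln -s ../tls-ca-bundle.pem "$hash/ca-bundle.crt" || return 1
    chmod a-w "$hash"
}

# Both links exist and resolve to the bundle file.
links_resolve() {
    [ -f "$1/pem/directory-hash/ca-certificates.crt" ] &&
    [ -f "$1/pem/directory-hash/ca-bundle.crt" ]
}

# Root (CAP_DAC_OVERRIDE) ignores the missing write bit, which is the UNIX
# side of why the bug went unnoticed; an elevated Cygwin admin gets the same
# effect through SeRestorePrivilege.
is_privileged() {
    [ "$(id -u)" -eq 0 ]
}

# Deleting a tree that contains a non-writable directory needs the write bit
# back first, otherwise rm -rf fails for the same reason ln did.
cleanup_dir() {
    chmod -R u+w "$1" && rm -rf "$1"
}

d=$(setup_hash_dir) || exit 1
if unpatched_link "$d"; then
    echo "unpatched ln -s succeeded: caller is privileged, the bug is masked"
    rm -f "$d/pem/directory-hash/ca-certificates.crt"
else
    echo "unpatched ln -s refused: Permission denied, as in the report"
fi
patched_link "$d" && links_resolve "$d" && echo "patched sequence created both links"
echo "hash directory owner mode afterwards: $(owner_mode "$d/pem/directory-hash")"
cleanup_dir "$d"
```

Run it once as an ordinary user and once under `sudo` (or from an elevated Cygwin shell) to see the two outcomes the reply describes: the same `ln -s` fails in the first case and quietly succeeds in the second, which is why a maintainer testing only with elevation would never have hit the report's error.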