Bug #15806: Agent should not try to set permission of certificate if it is a symbolic link - Rudder - Issue Tracker

Actions

Bug #15806

closed

Bug #15801: Rudder agent cannot copy the certificate if the user defined one that is a link to a file in a different mount point

Agent should not try to set permission of certificate if it is a symbolic link

Added by Nicolas CHARLES about 5 years ago. Updated about 4 years ago.

Status:

Released

Priority:

N/A

Assignee:

Alexis Mousset

Category:

System techniques

Target version:

5.0.14

Pull Request:

https://github.com/Normation/rudder-t...

Severity:

UX impact:

User visibility:

Effort required:

Priority:

Name check:

Reviewed

Fix check:

Error - Next version

Regression:

Description

rudder.crt may be a symbolic link, in this case, the resulting ca.cert will also be a symbolic link, and agnt should not try to envorce permissions on the link - it may cause mayhem

Subtasks 1 (0 open — 1 closed)

Actions

Copy link

Updated by Nicolas CHARLES about 5 years ago

Status changed from New to In progress
Assignee set to Nicolas CHARLES

Actions

Copy link

Updated by Nicolas CHARLES about 5 years ago

Status changed from In progress to Pending technical review
Assignee changed from Nicolas CHARLES to Alexis Mousset
Pull Request set to https://github.com/Normation/rudder-techniques/pull/1517

PR https://github.com/Normation/rudder-techniques/pull/1517

Actions

Copy link

Updated by Nicolas CHARLES about 5 years ago

Status changed from Pending technical review to Pending release

Applied in changeset rudder-techniques|86809e1c2efe7bc0ab87eb12d7b15a8191825f51.

Actions

Copy link

Updated by Alexis Mousset about 5 years ago

Name check changed from To do to Reviewed

Actions

Copy link

Updated by François ARMAND about 5 years ago

Name check changed from Reviewed to To do
Fix check changed from To do to Error - Blocking

So, it is still broken.

Orig:

root@server:~# ls -la /opt/rudder/etc/ssl/
drwxr-xr-x 2 root root     4096 Oct  9 13:50 .
drwxr-xr-x 9 root root     4096 Oct  9 13:18 ..
-rw------- 1 root root     1375 Oct  9 13:50 ca.cert
-rw-r--r-- 1 root root      781 Nov 22  2017 openssl.cnf
-rw-r--r-- 1 root root     1375 Oct  9 07:35 rudder.crt
-rw-r----- 1 root www-data 1708 Oct  9 07:35 rudder.key

Changed to:

root@server:~# ls -la /opt/rudder/etc/ssl/
total 28
drwxr-xr-x 2 root root     4096 Oct  9 13:52 .
drwxr-xr-x 9 root root     4096 Oct  9 13:18 ..
-rw------- 1 root root     1375 Oct  9 13:50 ca.cert
-rw-r--r-- 1 root root      781 Nov 22  2017 openssl.cnf
lrwxrwxrwx 1 root root       35 Oct  9 13:52 rudder.crt -> /opt/rudder/etc/ssl/rudder.crt_orig
-rw-r--r-- 1 root root     1375 Oct  9 07:35 rudder.crt_orig
lrwxrwxrwx 1 root root       35 Oct  9 13:52 rudder.key -> /opt/rudder/etc/ssl/rudder.key_orig
-rw-r----- 1 root www-data 1708 Oct  9 07:35 rudder.key_orig

I get with rudder agent run -i:

   error: Object '/opt/rudder/etc/ssl/ca.cert' exists and is obstructing our promise
   error: Unable to create link '/opt/rudder/etc/ssl/ca.cert' -> '/opt/rudder/etc/ssl/rudder.crt_orig', failed to move obstruction

Actions

Copy link