[Freeipa-devel] [PATCH] 1059 single CRL generator
Ade Lee
alee at redhat.com
Fri Oct 5 19:36:05 UTC 2012
On Fri, 2012-10-05 at 12:26 -0400, Simo Sorce wrote:
> On Fri, 2012-10-05 at 12:19 -0400, Ade Lee wrote:
> > On Fri, 2012-10-05 at 16:45 +0200, Martin Kosek wrote:
> > > On 10/05/2012 10:59 AM, Martin Kosek wrote:
> > > > On 10/04/2012 06:17 PM, Rob Crittenden wrote:
> > > >> This changes the way IPA generates CRLs for new installs only.
> > > >>
> > > >> The first master installed is configured as the CRL generator. An entry is
> > > >> added to cn=masters that designates it.
> > > >>
> > > >> When a replica is installed it queries this entry so it knows where to forward
> > > >> CRL requests. CRL files are not available on cloned CAs (so /ipa/crl will
> > > >> return not found). It is possible to get a CRL directly from the clone CA via
> > > >> http://<hostname>:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL
> > > >>
> > > >> rob
> > >
> > > ...
> > >
> > > > 3) Majorish issue I hit with the actual CRL publishing on our server (F17). I
> > > > always get 403 Forbidden error when trying to download CRL from the CRL master:
> > > >
> > > > # wget --ca-certificate /etc/ipa/ca.crt https://`hostname`/ipa/crl/MasterCRL.bin
> > > > --2012-10-05 03:32:58--
> > > > https://vm-120.idm.lab.bos.redhat.com/ipa/crl/MasterCRL.bin
> > > > Resolving vm-120.idm.lab.bos.redhat.com... 10.16.78.120
> > > > Connecting to vm-120.idm.lab.bos.redhat.com|10.16.78.120|:443... connected.
> > > > HTTP request sent, awaiting response... 403 Forbidden
> > > > 2012-10-05 03:32:58 ERROR 403: Forbidden.
> > > >
> > > > I tracked the problem down to too strict permission on /var/lib/pki-ca
> > > > directory which is being published by httpd which does not have access to it:
> > > >
> > > > # ll /var/lib/pki-ca
> > > >
> > > > drwxrwx---. 11 pkiuser pkiuser 4096 Oct 5 03:00 pki-ca
> > > >
> > > > When I fixed the permission:
> > > > # chmod o+x /var/lib/pki-ca/
> > > >
> > > > I was able to get pass the Forbidden error and actually retrieved the CRL.
> > > > Adding Ade on CC list to follow on this permission issue.
> > >
> > > FYI - I filed a ticket for this issue:
> > > https://fedorahosted.org/freeipa/ticket/3144
> > >
> > > I plan to simply fix permission on /var/lib/pki-ca/ in a similar way we do for
> > > /var/lib/pki-ca/publish/
> > >
> >
> > Sorry, but why do you need permissions on /var/lib/pki-ca? Aren't
> > permissions on /var/lib/pki-ca/publish sufficient?
>
> Ade,
> on unix filesystems you cannot traverse a directory path if you do not
> have permission all the way through.
> If 'others' can't access /var/lib/pki-ca they will never even reach the
> point where they can see that they have access to a subdirectory.
> The very minimum permission you need to be able to traverse directories
> is to have the 'traverse' (x) bit set. (note that you do not need the
> read (r) bit set just to traverse).
>
I suspected as much, but wanted to confirm.
The decision to publish the CRL to /var/lib/pki-ca/publish is an IPA
deployment decision. This is a directory that is created by the IPA
install scripts. Other folks who deploy Dogtag may choose to publish
elsewhere - like under /var/www/... for instance. A location outside of
the pki-ca tree seems like a safer option to me, rather than allowing
"other" to step through /var/lib/pki-ca ...
In any case, if you do decide to leave the publishing directory in that
location, you will need to also set the +x permissions for other
on /var/lib/pki-ca in the IPA install scripts.
Ade
> Simo.
>
More information about the Freeipa-devel
mailing list