Bug #2965

Permission denied when creating VPN users

Added by Davide Marini over 6 years ago. Updated over 6 years ago.

Status: CLOSED
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 100%
Category: nethserver-lib
Target version: v6.5
Security class:
Resolution:
Affected version: v6.5
NEEDINFO: No

Description

Installed the VPN package. Loading the VPN configuration page gives this error below the content on all VPN tab pages:

[2] file(/var/lib/nethserver/certs/certindex): failed to open stream: Permission denied See the system log for details.

/var/log/messages offers this:

Nov 25 20:29:50 neth httpd-admin: [ERROR] Can't access certificate index file: /var/lib/nethserver/certs/certindex
Nov 25 20:29:50 neth httpd-admin: [2] file(/var/lib/nethserver/certs/certindex): failed to open stream: Permission denied - File /usr/share/nethesis/NethServer/Module/VPN/Accounts.php, line 105

It appears the ipsec service is started, but when I try to add a user, I again get the unable to open stream error:

[2] file(/var/lib/nethserver/certs/certindex): failed to open stream: Permission denied

See the system log for details.

bug2965_nethserver-lib.patch (352 Bytes) Davide Principi, 11/27/2014 08:12 AM

bug2965_nethserver-vpn.patch (559 Bytes) Davide Principi, 11/27/2014 08:12 AM

Associated revisions

Revision d59b9067
Added by Davide Principi over 6 years ago

Fix certindex file permissions. Refs #2965

Revision 04ab7be3
Added by Davide Principi over 6 years ago

Keep umask value unaltered. Refs #2965

Revision beb5f12e
Added by Davide Principi over 6 years ago

Refactored, using a symbolic dir name. Refs #2965

Added license header.

Revision c5479e4b
Added by Davide Principi over 6 years ago

Accounts UI module: wrap PHP file() call. Refs #2965

Failures will be reported to the log file only.

Revision bc784340
Added by Davide Principi over 6 years ago

Merge branch 'b2965'. Refs #2965

History

#1 Updated by Filippo Carletti over 6 years ago

Temporary workaround:

chmod o+r /var/lib/nethserver/certs/certindex

#2 Updated by Davide Principi over 6 years ago

  • Subject changed from Impossible to create vpn users, permission problems to Permission denied when creating VPN users
  • Category set to nethserver-lib
  • Status changed from NEW to TRIAGED
  • Target version set to v6.5
  • % Done changed from 0 to 20
  • Affected version set to v6.5

I cannot reproduce the bug if nethserver-vpn is installed from the command line, proving that wrong permissions on /var/lib/nethserver/certs/certindex originate elsewhere.

In nethserver-lib-2.1.2-1.ns6.noarch, for instance the new umask settings of ptrack are probably not compatible.

I propose to fix the umask in nethserver-lib and apply the proposed workaround automatically.

#3 Updated by Davide Principi over 6 years ago

Proposed patches for nethserver-lib and nethserver-vpn

#4 Updated by Davide Principi over 6 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Davide Principi
  • % Done changed from 20 to 30

#5 Updated by Davide Principi over 6 years ago

  • Description updated (diff)
  • Status changed from ON_DEV to MODIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 30 to 60

MODIFIED

The bug affects nethserver-lib package. The ptrack command must not alter the calling process umask value.

The modification of nethserver-vpn fixes existing permission problems for the affected installation, while nethserver-lib has the real bugfix.
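
Added example, not part of the original ticket and not the nethserver-lib code: a sketch of how a wrapper that changes its umask passes it on to the commands it runs, so a file they create later ends up 0640 as in the listing on this page, and how scoping the change avoids that. The wrapper names and the 0027 mask are assumptions chosen to match the 0640 mode shown in this ticket.

```python
import os
import stat
import subprocess
import sys
import tempfile
from contextlib import contextmanager

RESTRICTIVE = 0o027  # assumed mask; 0666 & ~0027 gives the 0640 seen in the listing

# Child command that creates an empty file, standing in for whatever creates certindex.
CREATE = "import sys; open(sys.argv[1], 'w').close()"

def leaky_wrapper(cmd):
    """Hypothetical wrapper: tightens umask for itself and never restores it."""
    os.umask(RESTRICTIVE)
    subprocess.check_call(cmd)  # the child inherits 0027

@contextmanager
def scoped_umask(mask):
    """Apply mask only inside the with-block, then restore the caller's value."""
    old = os.umask(mask)
    try:
        yield
    finally:
        os.umask(old)

def careful_wrapper(cmd):
    """Same wrapper, but the restrictive mask covers only its own files."""
    with scoped_umask(RESTRICTIVE):
        pass  # the wrapper's private files would be created here
    subprocess.check_call(cmd)  # the child sees the caller's umask again

def index_mode_after(wrapper):
    """Create 'certindex' in a temp dir from a child started by wrapper; return its mode."""
    saved = os.umask(0o022)  # constructed starting point: a common default umask
    try:
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "certindex")
            wrapper([sys.executable, "-c", CREATE, path])
            return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(saved)

def other_readable(mode):
    """True if users outside the owner and group can read the file."""
    return bool(mode & stat.S_IROTH)

if __name__ == "__main__":
    for w in (leaky_wrapper, careful_wrapper):
        m = index_mode_after(w)
        print(f"{w.__name__}: {oct(m)} other-readable={other_readable(m)}")
```
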

#6 Updated by Davide Principi over 6 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70

In nethserver-testing
nethserver-lib-2.1.2-1.0git04ab7be3.ns6.noarch.rpm
nethserver-vpn-1.1.2-3.0gitd9066df4.ns6.noarch.rpm
nethserver-vpn-1.1.2-4.0gitbc784340.ns6.noarch.rpm

#7 Updated by Filippo Carletti over 6 years ago

  • Status changed from ON_QA to VERIFIED
  • % Done changed from 70 to 90

Affected system:

# ls -l /var/lib/nethserver/certs/certindex
-rw-r-----. 1 root root 0 Nov 27 17:41 /var/lib/nethserver/certs/certindex
# yum --enablerepo=nethserver-testing update nethserver-vpn
# ls -l /var/lib/nethserver/certs/certindex
-rw-r--r--. 1 root root 0 Nov 27 17:41 /var/lib/nethserver/certs/certindex

New system:

# yum --enablerepo=nethserver-testing update nethserver-lib

Install vpn from package manager:
# ls -l /var/lib/nethserver/certs/certindex
-rw-r--r--. 1 root root 0 Nov 27 17:41 /var/lib/nethserver/certs/certindex

#8 Updated by Davide Principi over 6 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

In nethserver-updates:
nethserver-lib-2.1.3-1.ns6.noarch.rpm
nethserver-vpn-1.1.3-1.ns6.noarch.rpm

Acknowledgements
  • Davide Marini
  • Jeff Folk
  • Filippo Carletti
