Fix certificate permissions

Got a feature request? Great! Post your ideas here!

Moderator: Lillian.W@AST

Post Reply
thestevbev
Posts: 2
youtube meble na wymiar Warszawa
Joined: Sun Aug 22, 2021 9:49 am

Fix certificate permissions

Post by thestevbev »

By default the permissions on certificates found in /usr/builtin/etc/certificate are set to permission mode 050 (----r-x---). This prevents the certificates from being used by apps not running as root user. Please update the certificate permissions to permission mode 644 (-rw-r--r--) to allow other apps that drop root privileges to use the default system certificates.

For reference, the ASUSTOR Portainer package mounts the default system certificates into the docker container. Since portainer is running as root, it is able to access the certificates and secure the connection. This pattern of mounting the default system certificate fails on docker containers that drop root privileges, since the non-root user does not have permission to read the 050 permission certificates.
User avatar
Nazar78
Posts: 2002
Joined: Wed Jul 17, 2019 10:21 pm
Location: Singapore
Contact:

Re: Fix certificate permissions

Post by Nazar78 »

What is your specs and ADM version? If you look at the /usr/builtin/etc.default/certificate the dir by default is is 755 and and contents are 644. Could there be any apps modifying your /usr/builtin/etc/certificate/* ? Suggest you contact Asustor Support.
AS5304T - 16GB DDR4 - ADM-OS modded on 2GB RAM
Internal:
- 4x10TB Toshiba RAID10 Ext4-Journal=Off
External 5 Bay USB3:
- 4x2TB Seagate modded RAID0 Btrfs-Compression
- 480GB Intel SSD for modded dm-cache (initramfs auto update patch) and Apps

When posting, consider checking the box "Notify me when a reply is posted" to get faster response
thestevbev
Posts: 2
Joined: Sun Aug 22, 2021 9:49 am

Re: Fix certificate permissions

Post by thestevbev »

Thanks for the reply! I think you are reviewing permissions in the wrong directory, the correct path of the system certificates is /usr/builtin/etc/certificate/, not /usr/builtin/etc.default/certificate/ that you checked.

There are no apps changing permissions on the system certificates. I can see after certificate generation by ADM that the certificate files are created with permissions (050), on AS5002 and AS6604. This does not affect ADM because the system processes are running as root and can read the files regardless of permissions. The permissions issue also does not affect the Portainer app because it is also running as root. It is only trying to access the system certificates as a non-root user that the problem is encountered.

Since this is a change request for ADM handling of certificates, I thought putting it into the Feature Request section of the forum would be the proper place. You make a good point that this could also be considered a support issue, I will try there also.

Cheers!
User avatar
Nazar78
Posts: 2002
Joined: Wed Jul 17, 2019 10:21 pm
Location: Singapore
Contact:

Re: Fix certificate permissions

Post by Nazar78 »

I did purposely pointed to /usr/builtin/etc.default/certificate/ because by default this is the initial cert copied to the config when you first initialize the ADM NAS. However I'm not using this cert manager utility, I'm managing my own certs in chroot, so I wasn't aware the newly generated has the 050 permissions. So please do contact Asustor Support directly, hope they will be able to fix this the next release.
AS5304T - 16GB DDR4 - ADM-OS modded on 2GB RAM
Internal:
- 4x10TB Toshiba RAID10 Ext4-Journal=Off
External 5 Bay USB3:
- 4x2TB Seagate modded RAID0 Btrfs-Compression
- 480GB Intel SSD for modded dm-cache (initramfs auto update patch) and Apps

When posting, consider checking the box "Notify me when a reply is posted" to get faster response
ndl101
Posts: 57
Joined: Sun Jul 11, 2021 4:32 pm

Re: Fix certificate permissions

Post by ndl101 »

Default and unchanged permissions for me:

Code: Select all

admin@asnas:/volume1/home/admin $ ls -la /usr/builtin/etc/certificate/ | grep ssl
drwxr-xr-x    3 root     root          4096 Jul 26 15:36 ssl/
-rw-r--r--    1 root     root          1346 Jul 26 15:36 ssl.crt
-rw-r--r--    1 root     root          1679 Jul 26 15:36 ssl.key
-rw-r--r--    1 root     root          3025 Jul 26 15:36 ssl.pem

admin@asnas:/volume1/home/admin $ ls -la /usr/builtin/etc.default/certificate/ | grep ssl
-rw-r--r--    1 root     root          1346 Dec 11  2012 ssl.crt
-rw-r--r--    1 root     root          1679 Dec 11  2012 ssl.key
-rw-r--r--    1 root     root          3025 Dec 11  2012 ssl.pem

admin@asnas:/volume1/home/admin $ ls -la /usr/builtin/etc.default | grep certificate 
drwxr-xr-x    2 root     root          4096 Jul 26 18:05 certificate/

admin@asnas:/volume1/home/admin $ ls -la /usr/builtin/etc | grep certificate 
drwxr-xr-x    4 root     root          4096 Aug 24 00:00 certificate/
Nazar78 wrote:What is your specs and ADM version?
this...
Nazar78 wrote:If you look at the /usr/builtin/etc.default/certificate the dir by default is is 755 and and contents are 644. Could there be any apps modifying your /usr/builtin/etc/certificate/* ?
this...
Nazar78 wrote:Suggest you contact Asustor Support.
and this...

I made it long as I lacked the time to make it short.

---
Help to self-help:
How to ask (good) questions in a forum
---
General information
Location: Denmark
OS: Ubuntu 20.04
NAS: Lockerstor 4 (AS6604T)
User avatar
Nazar78
Posts: 2002
Joined: Wed Jul 17, 2019 10:21 pm
Location: Singapore
Contact:

Re: Fix certificate permissions

Post by Nazar78 »

Ah ok, obviously I wasn't using Asustor's certificate manager to know what it's doing as I'm managing my own certs in chroot. Today I was just playing around to add ECC certs in ADM which I have been using whether it's already natively supported apparently not (you can however replace them physically and still works). Then I noticed the newly added cert (perhaps auto updated ones too) has these weird perms 0350:

Code: Select all

root@Nimbustor4:/usr/builtin/etc/certificate # ll ssl/b803f8c9-6da3-4d72-b8e1-15da5195c35d/
total 28K
drwx------    2 root     root        4.0K Sep  2 04:25 ./
drwxr-xr-x    4 root     root        4.0K Sep  2 04:25 ../
--wxr-x---    1 root     root        5.6K Sep  2 04:25 ssl.crt*
--wxr-x---    1 root     root        1.6K Sep  2 04:25 ssl.key*
--wxr-x---    1 root     root        7.3K Sep  2 04:25 ssl.pem*
But to think of it again, it's still correct that these are not readable by others except root, especially the key/pem you really don't want to expose them world readable. Anyway your non-privileged apps would still need the key/pem to use the cert but the keys are supposed to be private. Hence I'm not sure Asustor would let these keys readable to non-root.

You can however apply some tricks how your apps handle the certs. For me I use passwordless scp/ssh as root to copy certs then restart the ADM services upon cert updates. For your case perhaps modify the app's init to do the same before starting the daemon? I'm not sure though how you would trigger cert upgraded event with these apps using ADM cert manager. Perhaps trigger app restart after that specific timing when the cert supposed to upgrade?
AS5304T - 16GB DDR4 - ADM-OS modded on 2GB RAM
Internal:
- 4x10TB Toshiba RAID10 Ext4-Journal=Off
External 5 Bay USB3:
- 4x2TB Seagate modded RAID0 Btrfs-Compression
- 480GB Intel SSD for modded dm-cache (initramfs auto update patch) and Apps

When posting, consider checking the box "Notify me when a reply is posted" to get faster response
Post Reply

Return to “Feature Requests”