By default the permissions on certificates found in /usr/builtin/etc/certificate are set to permission mode 050 (----r-x---). This prevents the certificates from being used by apps not running as root user. Please update the certificate permissions to permission mode 644 (-rw-r--r--) to allow other apps that drop root privileges to use the default system certificates.
For reference, the ASUSTOR Portainer package mounts the default system certificates into the docker container. Since portainer is running as root, it is able to access the certificates and secure the connection. This pattern of mounting the default system certificate fails on docker containers that drop root privileges, since the non-root user does not have permission to read the 050 permission certificates.
Fix certificate permissions
- Posts: 2
- Joined: Sun Aug 22, 2021 9:49 am
- Nazar78
- Posts: 2080
- Joined: Wed Jul 17, 2019 10:21 pm
- Location: Singapore
- Contact:
Re: Fix certificate permissions
What are your specs and ADM version? If you look at /usr/builtin/etc.default/certificate, the dir by default is 755 and the contents are 644. Could there be any apps modifying your /usr/builtin/etc/certificate/* ? Suggest you contact Asustor Support.
AS5304T - 16GB DDR4 - ADM-OS modded on 2GB RAM
Internal:
- 4x10TB Toshiba RAID10 Ext4-Journal=Off
External 5 Bay USB3:
- 4x2TB Seagate modded RAID0 Btrfs-Compression
- 480GB Intel SSD for modded dm-cache (initramfs auto update patch) and Apps
When posting, consider checking the box "Notify me when a reply is posted" to get faster response
- Posts: 2
- Joined: Sun Aug 22, 2021 9:49 am
Re: Fix certificate permissions
Thanks for the reply! I think you are reviewing permissions in the wrong directory, the correct path of the system certificates is /usr/builtin/etc/certificate/, not /usr/builtin/etc.default/certificate/ that you checked.
There are no apps changing permissions on the system certificates. I can see after certificate generation by ADM that the certificate files are created with permissions (050), on AS5002 and AS6604. This does not affect ADM because the system processes are running as root and can read the files regardless of permissions. The permissions issue also does not affect the Portainer app because it is also running as root. It is only when trying to access the system certificates as a non-root user that the problem is encountered.
Since this is a change request for ADM handling of certificates, I thought putting it into the Feature Request section of the forum would be the proper place. You make a good point that this could also be considered a support issue, I will try there also.
Cheers!
- Nazar78
- Posts: 2080
- Joined: Wed Jul 17, 2019 10:21 pm
- Location: Singapore
- Contact:
Re: Fix certificate permissions
I purposely pointed to /usr/builtin/etc.default/certificate/ because by default this is the initial cert copied to the config when you first initialize the ADM NAS. However I'm not using this cert manager utility, I'm managing my own certs in chroot, so I wasn't aware the newly generated one has the 050 permissions. So please do contact Asustor Support directly; hope they will be able to fix this in the next release.
AS5304T - 16GB DDR4 - ADM-OS modded on 2GB RAM
Internal:
- 4x10TB Toshiba RAID10 Ext4-Journal=Off
External 5 Bay USB3:
- 4x2TB Seagate modded RAID0 Btrfs-Compression
- 480GB Intel SSD for modded dm-cache (initramfs auto update patch) and Apps
When posting, consider checking the box "Notify me when a reply is posted" to get faster response
- Posts: 59
- Joined: Sun Jul 11, 2021 4:32 pm
Re: Fix certificate permissions
Default and unchanged permissions for me:
admin@asnas:/volume1/home/admin $ ls -la /usr/builtin/etc/certificate/ | grep ssl
drwxr-xr-x 3 root root 4096 Jul 26 15:36 ssl/
-rw-r--r-- 1 root root 1346 Jul 26 15:36 ssl.crt
-rw-r--r-- 1 root root 1679 Jul 26 15:36 ssl.key
-rw-r--r-- 1 root root 3025 Jul 26 15:36 ssl.pem
admin@asnas:/volume1/home/admin $ ls -la /usr/builtin/etc.default/certificate/ | grep ssl
-rw-r--r-- 1 root root 1346 Dec 11 2012 ssl.crt
-rw-r--r-- 1 root root 1679 Dec 11 2012 ssl.key
-rw-r--r-- 1 root root 3025 Dec 11 2012 ssl.pem
admin@asnas:/volume1/home/admin $ ls -la /usr/builtin/etc.default | grep certificate
drwxr-xr-x 2 root root 4096 Jul 26 18:05 certificate/
admin@asnas:/volume1/home/admin $ ls -la /usr/builtin/etc | grep certificate
drwxr-xr-x 4 root root 4096 Aug 24 00:00 certificate/
this...
Nazar78 wrote: What are your specs and ADM version?
this...
Nazar78 wrote: If you look at /usr/builtin/etc.default/certificate, the dir by default is 755 and the contents are 644. Could there be any apps modifying your /usr/builtin/etc/certificate/* ?
and this...
Nazar78 wrote: Suggest you contact Asustor Support.
I made it long as I lacked the time to make it short.
---
Help to self-help:
How to ask (good) questions in a forum
---
General information
Location: Denmark
OS: Ubuntu 20.04
NAS: Lockerstor 4 (AS6604T)
- Nazar78
- Posts: 2080
- Joined: Wed Jul 17, 2019 10:21 pm
- Location: Singapore
- Contact:
Re: Fix certificate permissions
Ah ok, obviously I wasn't using Asustor's certificate manager, so I didn't know what it's doing, as I'm managing my own certs in chroot. Today I was just playing around with adding ECC certs (which I have been using) in ADM to see whether they're already natively supported; apparently not (you can however replace them physically and it still works). Then I noticed the newly added cert (perhaps auto-updated ones too) has these weird perms 0350:
root@Nimbustor4:/usr/builtin/etc/certificate # ll ssl/b803f8c9-6da3-4d72-b8e1-15da5195c35d/
total 28K
drwx------ 2 root root 4.0K Sep 2 04:25 ./
drwxr-xr-x 4 root root 4.0K Sep 2 04:25 ../
--wxr-x--- 1 root root 5.6K Sep 2 04:25 ssl.crt*
--wxr-x--- 1 root root 1.6K Sep 2 04:25 ssl.key*
--wxr-x--- 1 root root 7.3K Sep 2 04:25 ssl.pem*
But thinking of it again, it's still correct that these are not readable by others except root; especially the key/pem, you really don't want to expose them world-readable. Anyway your non-privileged apps would still need the key/pem to use the cert, but the keys are supposed to be private. Hence I'm not sure Asustor would let these keys be readable to non-root.
You can however apply some tricks to how your apps handle the certs. For me I use passwordless scp/ssh as root to copy certs then restart the ADM services upon cert updates. For your case perhaps modify the app's init to do the same before starting the daemon? I'm not sure though how you would trigger a cert-upgraded event with these apps using the ADM cert manager. Perhaps trigger an app restart after that specific timing when the cert is supposed to upgrade?
AS5304T - 16GB DDR4 - ADM-OS modded on 2GB RAM
Internal:
- 4x10TB Toshiba RAID10 Ext4-Journal=Off
External 5 Bay USB3:
- 4x2TB Seagate modded RAID0 Btrfs-Compression
- 480GB Intel SSD for modded dm-cache (initramfs auto update patch) and Apps
When posting, consider checking the box "Notify me when a reply is posted" to get faster response
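The two situations discussed in this thread (the first post's container that drops root and can no longer read the 050 files, and Nazar78's suggestion to have the app's init copy the certs before starting the daemon) can be handled with one entrypoint-style script. The script below is an added example and is not code from this thread or from ASUSTOR. /usr/builtin/etc/certificate is the path discussed above; the destination directory, the APP_UID/APP_GID/APP_CERT_DIR variables, the STAGE_CERTS_ENTRYPOINT switch and the use of su-exec to drop privileges are assumptions for illustration. It also includes a small audit function that reports which files in a directory a non-root, non-group user could not read, which is the check the thread's participants did by hand with ls.

```shell
#!/bin/sh
# Added example, not from the thread or ASUSTOR: stage the ADM system
# certificate files for an unprivileged app while still root, then drop
# privileges. Destination dir, APP_UID/APP_GID, APP_CERT_DIR and su-exec
# are illustrative assumptions.
set -eu

# perm_bits FILE: print the octal permission bits (e.g. 644) with GNU stat,
# falling back to BSD stat syntax.
perm_bits() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# list_unreadable DIR: print every regular file in DIR whose "other" read bit
# is clear, i.e. a process that is neither root nor in the file's group
# cannot read it. Files at the 050 mode reported in the thread show up here.
list_unreadable() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        bits=$(perm_bits "$f")
        other=${bits#"${bits%?}"}          # last octal digit = "other" bits
        if [ $(( other & 4 )) -eq 0 ]; then
            printf '%s\n' "$f"
        fi
    done
}

# stage_certs SRC_DIR DEST_DIR UID GID: copy ssl.crt/ssl.key/ssl.pem from the
# root-only system location into a private directory owned by the app user.
# The certificate becomes 644; the key and the pem bundle (assumed here to
# contain the private key) become 600 so only the app user can read them.
# In production this runs as root, which is what lets it read 050 files
# and chown the copies to another user.
stage_certs() {
    src=$1; dst=$2; uid=$3; gid=$4
    mkdir -p "$dst"
    for f in ssl.crt ssl.key ssl.pem; do
        if [ ! -f "$src/$f" ]; then
            printf 'missing %s\n' "$src/$f" >&2
            return 1
        fi
        cp "$src/$f" "$dst/$f"
    done
    chown "$uid:$gid" "$dst" "$dst/ssl.crt" "$dst/ssl.key" "$dst/ssl.pem"
    chmod 0750 "$dst"
    chmod 0644 "$dst/ssl.crt"
    chmod 0600 "$dst/ssl.key" "$dst/ssl.pem"
}

# Entrypoint mode, opt-in via an environment variable so the functions above
# can be sourced or tested without side effects: stage the certs as root,
# then exec the daemon as the unprivileged app user.
if [ "${STAGE_CERTS_ENTRYPOINT:-0}" = 1 ]; then
    app_uid=${APP_UID:-1000}; app_gid=${APP_GID:-1000}
    dest=${APP_CERT_DIR:-/run/app-certs}
    stage_certs /usr/builtin/etc/certificate "$dest" "$app_uid" "$app_gid"
    exec su-exec "$app_uid:$app_gid" "$@"    # su-exec: privilege-drop helper (assumed present)
fi
```

The point of copying rather than bind-mounting the system directory is that the system files keep whatever mode ADM gives them (so the private key is never made world-readable), while the app gets its own copy with exactly the ownership and modes it needs. Because the copy is taken at container start, a restart after ADM renews the certificate, as Nazar78 suggests, is enough to pick up the new files.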