Jailshell access to /etc/pki/ files for certificate verification

Discussion in 'General Discussion' started by neilb2, Nov 6, 2015.

  1. neilb2

    neilb2 Registered

    Hi all,

    Are jailshell users supposed to have access to these files?
    • /etc/pki/tls/certs/ca-bundle.crt which is a symlink to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
    • /etc/pki/tls/certs/ca-bundle.trust.crt which is a symlink to /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
    Jailshell users currently get certificate verification errors when accessing SSL websites, such as

    curl: (77) Problem with the SSL CA cert (path? access rights?)


    which seems to be because they don't have access to these files (the actual files, not the symlinks). Indeed the actual files have 444 permissions and are owned by root.

    There was a cPanel internal case 80653 which was for allowing jailshell users access to these certificate verification files, but the case only refers to the filenames in /etc/pki/tls/certs/ which are now symlinks, not the newer filenames. I'm wondering whether this position was reversed, perhaps because it subsequently became a security risk for these files to be accessible by jailshell users...?

    This lack of access is present on all servers I run (CentOS 6 and 7) so I'm thinking that there was a change at some point, but I can't find it.

    So, is it safe for jailshell users to have access to these files, and if so what's the official (or otherwise best) way to achieve this, so that users can for example use curl without issues (and without using -k to suppress the errors)?

    Thanks
    neilb2
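
One way to check the diagnosis in the post above, as an added example that is not part of the original post or cPanel's own tooling: run as the jailed user, it follows each CA bundle symlink one hop at a time and reports where the chain stops being usable. The function name `check_ca_path` and its exit codes are assumptions made for this sketch.

```bash
#!/usr/bin/env bash
# Added example: walk the symlink chain behind a CA bundle path and report
# the first hop the current user cannot use.

# check_ca_path PATH (hypothetical helper)
#   Prints one line per hop. Returns:
#     0  final target is a readable regular file
#     1  final target is missing or unreachable from this user's view
#     2  final target exists but is not a readable regular file
#     3  symlink loop
check_ca_path() {
    local path=$1 hops=0 target
    while [ -L "$path" ]; do
        target=$(readlink "$path") || return 1
        # Relative link targets are resolved against the link's directory.
        case $target in
            /*) ;;
            *) target="$(dirname "$path")/$target" ;;
        esac
        printf 'symlink  %s -> %s\n' "$path" "$target"
        path=$target
        hops=$((hops + 1))
        if [ "$hops" -gt 16 ]; then
            printf 'loop     %s\n' "$path"
            return 3
        fi
    done
    if [ ! -e "$path" ]; then
        printf 'missing  %s\n' "$path"
        return 1
    fi
    if [ ! -f "$path" ] || [ ! -r "$path" ]; then
        printf 'denied   %s\n' "$path"
        return 2
    fi
    printf 'readable %s\n' "$path"
    return 0
}

# The two paths named in the post above.
for p in /etc/pki/tls/certs/ca-bundle.crt /etc/pki/tls/certs/ca-bundle.trust.crt; do
    check_ca_path "$p" || echo "=> $p unusable for certificate verification (exit $?)"
done
```

Comparing the output from a full-shell session with the output from a jailshell session or a cron job shows whether the link or its target is the part that differs between the two views.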
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  3. neilb2

    neilb2 Registered

    Hi cPanelMichael,

    Thanks for your response.

    No, I'm not using Cloud Linux but that thread did remind me to mention that this is with noshell also (cron jobs etc). Full shell is fine though, but most of the accounts in my situation are jail or noshell, for example running cron jobs or manually run commands that run CMS maintenance scripts on SSL-only sites (and I would rather fix the issue than have curl ignore the certificate errors).

    It seems as though CentOS 7 has a different file structure for these files, with the original files now being symlinks, and the cPanel permission settings aren't taking account of it for jailshell and noshell users.

    It looks from your reply that this is supposed to work (as you didn't just say "no, the lack of access is intended behaviour") so I'm hoping that a full-on fix can be found.

    So any further help is welcome, thank you :)
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     