Permission denied while opening a certificate

2005-10-15 Thread Israel Fernández Cabrera
Hi all...

This is my last resort and I should say that I'm desperate... I have
to make a release and I don't know how to solve the following.
I'm working on a project using Linux Fedora Core 4 + MySQL + sendmail
+ our own services and daemons. This release includes many security
enhancements. Using secure SSL connections with the service is one of
the most important.
I know this is not a MySQL discussion list, but the guys on the MySQL
list and Fedora list did not help me.
Ok, the facts...
I've created my own certificates, I've configured MySQL according to
the documentation, but... I'm watching a very strange behaviour. If I
start MySQL from the /etc/rc.d/init.d/ folder I get a permission
denied reading the .pem files. But then if I copy the same script to a
different folder and run it from there, this error disappears, just
like that.
The .pem files are chmoded to 777 and owned as root.mysql.
I've even used strace trying to find a hidden previous error
condition but nothing new, the open system call fails returning
EACCES.
I write to this list because the error is reported by the openssl
library, used by MySQL, but maybe you have heard of it before.
I'll appreciate any help, thanks in advance for your time

cheers

--

Israel Fdez. Cabrera
[EMAIL PROTECTED]
__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]


Re: Permission denied while opening a certificate

2005-10-15 Thread Joseph Oreste Bruni
The permissions you need on these files are "444" not "777", but that's not your problem.

I believe that mysql runs as a user other than root. On most systems a separate "mysql" user account is created and the daemon switches to that account at startup.

The EACCES error would mean that some directory along the full path does not have the x bit set in a way that is useful for the mysql user. Make sure that every directory from "/" on down to the file has the x bit set in the "other" position.

"ls" with the -ld options will be your friend in this case as you examine each and every directory along the path to the file.

On Oct 15, 2005, at 9:16 AM, Israel Fernández Cabrera wrote:

The .pem files are chmoded to 777 and owned as root.mysql. I've even used strace trying to find a hidden previous error condition but nothing new, the open system call fails returning EACCES.



Re: Permission denied while opening a certificate

2005-10-15 Thread Israel Fernández Cabrera
Thanks Joseph for your quick response, it is the first one since I've been
struggling with this issue.
I wish the solution were that simple, that is why I said before
this is an annoying issue.
All the folders in the path to the certificate files have the x bit set;
just to be sure I've checked it again. I changed the owners of the
.pem files from root.mysql to mysql.mysql and, fixing my permission
paranoia, I chmodded the certificates from 777 to 444 too.
Result: same problem

Any hint? I had a look at the openssl source code reported in the
mysqld.log file but I found nothing interesting...

thanks in advance

--

Israel Fdez. Cabrera
[EMAIL PROTECTED]


Re: Permission denied while opening a certificate

2005-10-15 Thread Joseph Oreste Bruni

The man page for open(2) gives the following reasons for EACCES:

 [EACCES]   Search permission is denied for a component of the path prefix.

 [EACCES]   The required permissions (for reading and/or writing) are denied
            for the given flags.

 [EACCES]   O_CREAT is specified, the file does not exist, and the directory
            in which it is to be created does not permit writing.

Are you sure it's the certificate or key files that are causing open(2)
to fail?



On Oct 15, 2005, at 11:35 AM, Israel Fernández Cabrera wrote:


Thanks Joseph for your quick response, it is the first one since I've been
struggling with this issue.
I wish the solution were that simple, that is why I said before
this is an annoying issue.
All the folders in the path to the certificate files have the x bit set;
just to be sure I've checked it again. I changed the owners of the
.pem files from root.mysql to mysql.mysql and, fixing my permission
paranoia, I chmodded the certificates from 777 to 444 too.
Result: same problem

Any hint? I had a look at the openssl source code reported in the
mysqld.log file but I found nothing interesting...

thanks in advance



Re: Permission denied while opening a certificate

2005-10-15 Thread Israel Fernández Cabrera
That is a good question, but I guess it is... Please see the attached
files for more information.
They are...

lsoutput.txt: I ran ls on every directory in the path to the certificate files
mysqld.log: mysqld log file, interesting because it contains the
specific error, openssl .c files, line numbers (that by the way do
not match the actual file, because of comments I guess), and
more..
strace.txt: a fragment of the mysqld strace output with the failing open call...

I must thank you for the help and interest

best regards

Israel

--

Israel Fdez. Cabrera
[EMAIL PROTECTED]
#ls / | grep etc
drwxr-xr-x   83 root root   12288 Oct 15 16:50 etc

#ls /etc | grep pki
drwxr-xr-x   7 root root    4096 Oct 14 17:51 pki

#ls /etc/pki
total 104
drwxr-xr-x  3 root root   4096 Oct 14 21:46 CA
drwxr-xr-x  3 root root   4096 Oct  8 16:54 dovecot
-rwxr-xr-x  1 root root   1088 Oct  8 16:54 gencert.sh
-rwxr-xr-x  1 root root   1056 Oct  8 16:54 gencert.sh~
-rw-r--r--  1 root root    236 Oct  8 16:54 index.txt
-rw-r--r--  1 root root     21 Oct  8 16:54 index.txt.attr
-rw-r--r--  1 root root     21 Oct  8 16:54 index.txt.attr.old
-rw-r--r--  1 root root    118 Oct  8 16:54 index.txt.old
drwxr-xr-x  2 root root   4096 Oct  8 16:54 newcerts
drwxr-xr-x  2 root root   4096 Oct  8 16:54 rpm-gpg
-rw-r--r--  1 root root      3 Oct  8 16:54 serial
-rw-r--r--  1 root root      3 Oct  8 16:54 serial.old
drwxr-xr-x  5 root root   4096 Oct 14 17:51 tls

#ls /etc/pki/tls
total 40
lrwxrwxrwx  1 root root     19 Oct  8 16:54 cert.pem -> certs/ca-bundle.crt
drwxr-xr-x  2 root root   4096 Oct 15 14:18 certs
drwxr-xr-x  2 root root   4096 Oct  8 16:54 misc
-r--r--r--  1 root root   7998 Oct 14 17:59 openssl.cnf
drwxr-xr-x  2 root root   4096 Oct  8 16:54 private

#ls /etc/pki/tls/certs
total 492
-rw-r--r--  1 root root  427833 Oct  8 16:54 ca-bundle.crt
-rw-r--r--  1 root root    3617 Oct 14 21:46 client-cert.pem
-rw-r--r--  1 root mysql    887 Oct  8 16:54 client-key.pem
-rw-r--r--  1 root mysql    769 Oct  8 16:54 client-req.pem
-rw-r--r--  1 root root     610 Oct  8 16:54 make-dummy-cert
-rw-r--r--  1 root root    2240 Oct  8 16:54 Makefile
-rw-r--r--  1 root root    3617 Oct 14 21:46 server-cert.pem
-rw-r--r--  1 root root     887 Oct 14 21:46 server-key.pem
-rw-r--r--  1 root mysql    769 Oct  8 16:54 server-req.pem






open("/etc/pki/tls/certs/server-cert.pem", O_RDONLY) = -1 EACCES (Permission denied)
write(2, "Error when connection to server "..., 42) = 42
write(2, "1872:error:0200100D:system libra"..., 122) = 122
write(2, "1872:error:20074002:BIO routines"..., 70) = 70
write(2, "1872:error:140AD002:SSL routines"..., 88) = 88
write(2, "Unable to get certificate from \'"..., 68) = 68
open("/etc/pki/CA/cacert.pem", O_RDONLY) = -1 EACCES (Permission denied)
open("/etc/pki/tls/cert.pem", O_RDONLY) = -1 EACCES (Permission denied)
time([1129246383])  = 1129246383
open("/dev/urandom", O_RDONLY|O_NONBLOCK|O_NOCTTY) = -1 EACCES (Permission denied)
open("/dev/random", O_RDONLY|O_NONBLOCK|O_NOCTTY) = -1 EACCES (Permission denied)
open("/dev/srandom", O_RDONLY|O_NONBLOCK|O_NOCTTY) = -1 ENOENT (No such file or directory)
socket(PF_FILE, SOCK_STREAM, 0) = 3
connect(3, {sa_family=AF_FILE, path="/var/run/egd-pool"}, 19) = -1 ENOENT (No such file or directory)
close(3)= 0
socket(PF_FILE, SOCK_STREAM, 0) = 3
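Added example, not code posted by anyone in this thread: Joseph's advice (walk every directory from "/" down to the file and check the x bit for the user mysqld actually runs as, then the r bit on the file) and the strace fragment above, turned into a small Python script. It emulates the DAC part of open(2) for a given uid/gid against a stat table, pulls the EACCES opens out of an strace fragment, and says for each one whether the mode bits explain the denial. The stat table is constructed from the ls listings posted above (with an extra, deliberately unreadable private/ directory added so the failing case is visible too), the strace text is modelled on the one above, and the mysql uid/gid of 27 is an assumption.

```python
"""Emulate the DAC checks open(2) performs and apply them to the EACCES lines of
an strace fragment. Constructed example; ids and the stat table are assumptions."""
import os
import re
import stat
import sys
from collections import namedtuple

R, X = 4, 1                                 # bits tested: read on the file, search on directories
ROOT_UID, MYSQL_UID, MYSQL_GID = 0, 27, 27  # mysql ids are assumed
Entry = namedtuple("Entry", "mode uid gid")  # the few struct stat fields DAC needs

# Constructed stat table: /etc/pki/... mirrors the posted listings (755 dirs, 644
# files, root:root); /etc/pki/tls/private is a deliberately broken 700 directory.
SAMPLE_FS = {
    "/": Entry(stat.S_IFDIR | 0o755, 0, 0),
    "/etc": Entry(stat.S_IFDIR | 0o755, 0, 0),
    "/etc/pki": Entry(stat.S_IFDIR | 0o755, 0, 0),
    "/etc/pki/tls": Entry(stat.S_IFDIR | 0o755, 0, 0),
    "/etc/pki/tls/certs": Entry(stat.S_IFDIR | 0o755, 0, 0),
    "/etc/pki/tls/certs/server-cert.pem": Entry(stat.S_IFREG | 0o644, 0, 0),
    "/etc/pki/tls/private": Entry(stat.S_IFDIR | 0o700, 0, 0),
    "/etc/pki/tls/private/server-key.pem": Entry(stat.S_IFREG | 0o644, 0, 0),
    "/dev": Entry(stat.S_IFDIR | 0o755, 0, 0),
    "/dev/urandom": Entry(stat.S_IFCHR | 0o666, 0, 0),
}
# Constructed strace fragment modelled on the one posted in the thread.
SAMPLE_STRACE = """\
open("/etc/pki/tls/certs/server-cert.pem", O_RDONLY) = -1 EACCES (Permission denied)
open("/etc/pki/tls/private/server-key.pem", O_RDONLY) = -1 EACCES (Permission denied)
open("/dev/urandom", O_RDONLY|O_NONBLOCK|O_NOCTTY) = -1 EACCES (Permission denied)
open("/dev/srandom", O_RDONLY|O_NONBLOCK|O_NOCTTY) = -1 ENOENT (No such file or directory)
"""
STRACE_OPEN = re.compile(r'^open\("([^"]+)",\s*[A-Z_|]+\)\s*=\s*-1\s+(E[A-Z]+)')


def mode_permits(entry, uid, gids, want):
    """Classic Unix DAC: pick the owner, group or other triplet by identity and
    test the wanted bits. uid 0 always passes (root holds CAP_DAC_READ_SEARCH)."""
    if uid == ROOT_UID:
        return True
    perm = stat.S_IMODE(entry.mode)
    if uid == entry.uid:
        bits = (perm >> 6) & 7
    elif entry.gid in set(gids):
        bits = (perm >> 3) & 7
    else:
        bits = perm & 7
    return (bits & want) == want

def prefix_dirs(path):
    """'/a/b/c.pem' -> ['/', '/a', '/a/b']: every directory open(2) must search."""
    dirs, acc = ["/"], ""
    for comp in path.strip("/").split("/")[:-1]:
        acc += "/" + comp
        dirs.append(acc)
    return dirs

def dac_check(path, uid, gids, fs):
    """Emulate the DAC part of open(path, O_RDONLY) as uid/gids; returns (ok, why).
    These are the first two EACCES causes from the open(2) man page quoted above."""
    for d in prefix_dirs(path):
        if d not in fs:
            return False, d + ": not in stat table (would be ENOENT)"
        if not mode_permits(fs[d], uid, gids, X):
            return False, d + ": search (x) bit not set for uid %d" % uid
    if path not in fs:
        return False, path + ": not in stat table (would be ENOENT)"
    if not mode_permits(fs[path], uid, gids, R):
        return False, path + ": read (r) bit not set for uid %d" % uid
    return True, "mode bits permit O_RDONLY; this EACCES is not a DAC problem"

def eacces_opens(strace_text):
    """Paths whose open(2) failed with EACCES in an strace fragment."""
    matches = [STRACE_OPEN.match(line.strip()) for line in strace_text.splitlines()]
    return [m.group(1) for m in matches if m and m.group(2) == "EACCES"]

def triage(strace_text, uid, gids, fs):
    """For every EACCES open in the trace, say whether the mode bits explain it."""
    return {p: dac_check(p, uid, gids, fs) for p in eacces_opens(strace_text)}

def stat_table_from_disk(path):
    """Same table from the live system via os.stat (follows symlinks, as open(2) does)."""
    table = {}
    for p in prefix_dirs(path) + [path]:
        try:
            st = os.stat(p)
        except OSError:
            break
        table[p] = Entry(st.st_mode, st.st_uid, st.st_gid)
    return table


if __name__ == "__main__":
    if len(sys.argv) > 1:  # live check of one real path, as the mysql user
        print(dac_check(sys.argv[1], MYSQL_UID, {MYSQL_GID}, stat_table_from_disk(sys.argv[1])))
    for p, (ok, why) in triage(SAMPLE_STRACE, MYSQL_UID, {MYSQL_GID}, SAMPLE_FS).items():
        print(("DAC ok   " if ok else "DAC deny ") + p + ": " + why)
```

Run without arguments it triages the constructed trace; given a path it stats the real filesystem and walks that path as uid 27, which is the mechanical version of the "ls -ld on every component" check suggested earlier in the thread. The useful result is the negative one: when every component passes (as the posted listings do, and as the trace shows even for /dev/urandom, which is world-readable on any Linux system), the EACCES is not coming from the permission bits at all, and the next place to look is the kernel's mandatory access control layer (SELinux on Fedora Core 4), whose denials appear as AVC messages in the kernel log rather than in ls output.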