Bug 248314 - security/ca_root_nss wrong link for cert.pem
Summary: security/ca_root_nss wrong link for cert.pem
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Ports Security Team
URL:
Keywords: needs-patch, regression
Depends on:
Blocks: 222262
Reported: 2020-07-28 09:11 UTC by Jonas Palm
Modified: 2020-10-12 06:52 UTC (History)
6 users

See Also:
bugzilla: maintainer-feedback? (ports-secteam)
jbeich: maintainer-feedback+


Attachments
v1 (628 bytes, patch)
2020-10-04 13:21 UTC, Mikael Urankar
no flags

Description Jonas Palm 2020-07-28 09:11:36 UTC
With ca_root_nss version 3.54 the do-install-ETCSYMLINK-on target changed from:

${LN} -sf ${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}/etc/ssl/cert.pem

to

${LN} -sf ../..${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}/etc/ssl/cert.pem

which creates the following symlink in /usr/local/etc/ssl now:
cert.pem@ -> ../../usr/local/share/certs/ca-root-nss.crt
which obviously doesn't exist.

The ../.. in front should be removed.
Comment 1 Jonas Palm 2020-07-28 09:15:38 UTC
(In reply to Jonas Palm from comment #0)

sorry, not the update to 3.54 but the update after (revision 542936) caused this
Comment 2 Jan Beich freebsd_committer 2020-07-28 13:02:45 UTC
(In reply to Jonas Palm from comment #0)
> creates ... symlink ... which obviously doesn't exist.

I can't reproduce in 12.1 amd64 jail: all symlinks are valid as of 3.55.

$ pkg install ca_root_nss

$ head -2 /usr/local/etc/ssl/cert.pem.sample
##
##  ca-root-nss.crt -- Bundle of CA Root Certificates

$ head -2 /usr/local/openssl/cert.pem.sample
##
##  ca-root-nss.crt -- Bundle of CA Root Certificates

$ head -2 /etc/ssl/cert.pem
##
##  ca-root-nss.crt -- Bundle of CA Root Certificates
Comment 3 Jonas Palm 2020-07-28 14:18:53 UTC
Yes, sorry. My assertion about the update was wrong. I somehow saw another ${PREFIX} in the link's target.


My problem still exists though. If I install the most recent version of ca_root_nss the link's target of /usr/local/etc/ssl/cert.pem changes to ../../usr/local/share/certs/ca-root-nss.crt

I can reproduce the following on multiple servers:

$ ln -s /usr/local/share/certs/ca-root-nss.crt cert.pem

$ head -2 /usr/local/etc/ssl/cert.pem
##
##  ca-root-nss.crt -- Bundle of CA Root Certificates

$ pkg install -f ca_root_nss
Updating jail repository catalogue...
jail repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):

Installed packages to be REINSTALLED:
	ca_root_nss-3.55

Number of packages to be reinstalled: 1

Proceed with this action? [Y/n]: 
[myserver] [1/1] Reinstalling ca_root_nss-3.55...
[myserver] [1/1] Extracting ca_root_nss-3.55: 100%
cp: /usr/local/etc/ssl/cert.pem: No such file or directory

$ ls -l /usr/local/etc/ssl/cert.pem
lrwxr-xr-x  1 root  wheel  43 28 Juli 15:11 /usr/local/etc/ssl/cert.pem -> ../../usr/local/share/certs/ca-root-nss.crt

$ head -2 /usr/local/etc/ssl/cert.pem
head: /usr/local/etc/ssl/cert.pem: No such file or directory
Comment 4 Jan Beich freebsd_committer 2020-07-28 14:38:19 UTC
(In reply to Jonas Palm from comment #3)
> If I install the most recent version of ca_root_nss the links target of
> /usr/local/etc/ssl/cert.pem changes to ../../usr/local/share/certs/ca-root-nss.crt

Likely caused by ports r542936 which landed after 3.54 but before the 3.55 update. A fix may be to convert ${LN} -sf ../../ to ${RLN}.
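The path arithmetic behind the two link targets discussed above, as an added example that is not part of the bug report or the port. It works purely on strings, so it runs on any POSIX sh without the files existing; the relpath function is my own stand-in for what a relative-link helper such as ${RLN} would compute, not the ports framework's macro.

```shell
#!/bin/sh
# Added example (not from the bug or the port): lexical path arithmetic
# showing why "../..${PREFIX}/..." only resolves when the link lives in
# /etc/ssl, and what the correct relative target from /usr/local/etc/ssl is.

# Collapse "." and ".." components of an absolute path as a plain string.
normalize() {
    result=""
    oldifs=$IFS; IFS=/; set -f
    set -- $1
    IFS=$oldifs; set +f
    for comp in "$@"; do
        case "$comp" in
            ""|.) ;;                        # empty and "." components vanish
            ..)  result=${result%/*} ;;     # one directory up (root stays root)
            *)   result="$result/$comp" ;;
        esac
    done
    printf '%s\n' "${result:-/}"
}

# Where a symlink stored in directory $1 with target string $2 really points.
resolve_link() {
    case "$2" in
        /*) normalize "$2" ;;               # absolute target: taken as-is
        *)  normalize "$1/$2" ;;            # relative target: joined to link dir
    esac
}

# Relative target for a link in directory $1 pointing at absolute path $2
# (own implementation, mimicking a relative-ln helper; not the ports macro).
relpath() {
    from=$1; to=$2; up=""
    until [ "$from" = / ] || [ "${to#"$from"/}" != "$to" ]; do
        up="../$up"                         # climb until $from is a prefix of $to
        from=${from%/*}; from=${from:-/}
    done
    if [ "$from" = / ]; then rest=${to#/}; else rest=${to#"$from"/}; fi
    printf '%s\n' "$up$rest"
}

# Demo with the paths from the report.
stored=../../usr/local/share/certs/ca-root-nss.crt
echo "/etc/ssl/cert.pem           -> $(resolve_link /etc/ssl "$stored")"
echo "/usr/local/etc/ssl/cert.pem -> $(resolve_link /usr/local/etc/ssl "$stored")"
echo "correct relative target from /usr/local/etc/ssl: $(relpath /usr/local/etc/ssl /usr/local/share/certs/ca-root-nss.crt)"
```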
Comment 5 peter.larsen 2020-08-11 07:14:29 UTC
# ls -la /etc/local/ssl/cert.pem
ls: /etc/local/ssl/cert.pem: No such file or directory
# ls -la /usr/local/openssl/cert.pem
-rw-r--r--  1 root  wheel  785744 Aug 10 12:22 /usr/local/openssl/cert.pem


on a fresh build, so yes, file is missing on 3.55

I did not deep dive into why
Comment 6 Mikael Urankar freebsd_committer 2020-10-04 12:35:37 UTC
same problem here:

rm /usr/local/etc/ssl/*
make -C /usr/ports/security/ca_root_nss clean deinstall install
cat /usr/local/etc/ssl/cert.pem
##
##  ca-root-nss.crt -- Bundle 

With strange perm: 
-rwxr-xr-x /usr/local/etc/ssl/cert.pem

fetch https://github.com
Certificate verification failed for /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
34374492160:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
fetch: https://github.com: Authentication error


Is it a problem with pkg and sample file (running pkg 1.15.8)?


Strangely the official binary package doesn't have the problem:
rm /usr/local/etc/ssl/*
pkg install -fy security/ca_root_nss
cat /usr/local/etc/ssl/cert.pem
snip, lots of stuff

with correct perm: -rw-r--r--

fetch https://github.com
fetch: https://github.com: size of remote file is not known
Comment 7 Mikael Urankar freebsd_committer 2020-10-04 13:21:44 UTC
Created attachment 218514
v1

Seems to be ok if the sample is not a symlink.
Comment 8 Mikael Urankar freebsd_committer 2020-10-04 13:31:41 UTC
(In reply to Mikael Urankar from comment #7)
The patch is not needed, it's caused by r550860 (Keywords/sample.ucl)

r550860 | manu | 2020-10-01 20:32:29 +0200 (Thu, 01 Oct 2020) | 8 lines

Lua version of the @sample

The bonus of this version being: sandboxed
Natively rootdir compliant.

Reviewed by:    portmgr (bapt@, mat@)
Differential Revision:  https://reviews.freebsd.org/D23617

cc'ing manu
Comment 9 commit-hook freebsd_committer 2020-10-04 14:16:09 UTC
A commit references this bug:

Author: manu
Date: Sun Oct  4 14:14:51 UTC 2020
New revision: 551416
URL: https://svnweb.freebsd.org/changeset/ports/551416

Log:
  ports-mgmt/pkg: Update to 1.15.9

  Changes from 1.15.8 to 1.15.9:
  - lua_pkg_copy when copying a symlink

  PR:		248314
  Approved by:	bapt (implicit)

Changes:
  head/ports-mgmt/pkg/Makefile
  head/ports-mgmt/pkg/distinfo
Comment 10 commit-hook freebsd_committer 2020-10-12 06:52:21 UTC
A commit references this bug:

Author: bapt
Date: Mon Oct 12 06:51:55 UTC 2020
New revision: 552099
URL: https://svnweb.freebsd.org/changeset/ports/552099

Log:
  MFH: r551167 r551211 r551416 r552059

  ports-mgmt/pkg: Update to 1.15.7

  Changes from 1.15.6 to 1.15.7:
   - Fix %# expand in script

  Approved by:	bapt (implicit)

  Update to 1.15.8

  Fixes a typo which results in pkg ignoring some lua script in some particular
  circumstances: shell script also available in certain types

  ports-mgmt/pkg: Update to 1.15.9

  Changes from 1.15.8 to 1.15.9:
  - lua_pkg_copy when copying a symlink

  PR:		248314
  Approved by:	bapt (implicit)

  ports-mgmt/pkg: Update to 1.15.10

  Add a workaround for https://bugs.freebsd.org/250271

  PR:		250059
  Approved by:	bapt (implicit)

Changes:
_U  branches/2020Q4/
  branches/2020Q4/ports-mgmt/pkg/Makefile
  branches/2020Q4/ports-mgmt/pkg/distinfo