Hi,
> Well /var/www/download is owned by openxpki group www-data, and has chmod of
> 755; the files produced by OpenXPKI publish are owned by openxpki group
> openxpki with chmod 660.
> I could run a cronjob or probably use the sticky bit but I'd rather have a
> chmod of 664 or group www-data; I think that should be set by openxpki while
> publishing the files
>
> On Thu, 31 Oct 2024 at 09:09, Andreas Piesk via OpenXPKI-users
> <[email protected]> wrote:
> On 31.10.24 at 08:29, Stefan Thomanek wrote:
> >
> > is there any way to have openxpki set file permissions while publishing the
> > CRL?
> > Right now, the crt, cer and crl are created with openxpki:openxpki in
> > /var/www/download and as such, I'm getting a 403 from apache.
> >
OpenXPKI runs as the user defined in system.server.user and
system.server.group; by default both are set to "openxpki" in the CE
configuration.
The OpenXPKI server process implicitly uses the umask that is set by the
operating system environment (e.g. RedHat RHEL is known to set the umask very
restrictively).
Unless explicitly overridden, files created by OpenXPKI are created with this
umask applied. In your case this explains the observed behavior.
One way is to change the umask accordingly when starting the OpenXPKI process,
e.g. in the systemd unit file.
A better way is to specify the desired file mode. The CE default configuration
defines the CDP publishing endpoint as follows:
crl:
  crl@: connector:publishing.connectors.cdp
cdp:
  class: Connector::Builtin::File::Path
  LOCATION: /var/www/download/
  file: "[% ARGS.0.replace('[^\\w-]','_') %].crl"
  content: "[% der %]"
If you look up the documentation of the Connector::Builtin::File::Path
connector you will find that it is possible to explicitly define the mode in
which the file should be written.
See https://metacpan.org/pod/Connector::Builtin::File::Path
Hence
cdp:
  class: Connector::Builtin::File::Path
  LOCATION: /var/www/download/
  file: "[% ARGS.0.replace('[^\\w-]','_') %].crl"
  mode: "0644"
  content: "[% der %]"
should achieve the desired result. Note that sometimes, the very first time, the
file is created with incorrect permissions. The second time publication is
performed via the cdp connector, the permissions should match the configuration.
Cheers
Martin
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
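As an added illustration of the umask-versus-explicit-mode point made in this thread (not code from the thread or from OpenXPKI), the script below emulates the two publishing behaviours in a temporary directory: a file created under a restrictive umask such as 0007 comes out as 660, exactly what was observed, while setting the mode explicitly, as "mode: 0644" does for the connector, yields a file the web server user can read. The helper names and the temporary directory are assumptions for the demonstration; no OpenXPKI process is involved.

```shell
#!/bin/sh
# Added example: why a process umask alone can leave published CRL files
# unreadable for the web server, and what an explicit file mode changes.
# Works on a temp directory instead of /var/www/download.

# Print the octal permission bits of a file ("660", "644", ...).
# GNU stat uses -c, BSD/macOS stat uses -f; try both.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Emulate a publisher that relies only on the process umask.
# $1 = umask to apply, $2 = destination file.
publish_with_umask() {
    ( umask "$1"; : > "$2" )
}

# Emulate a publisher that sets the file mode explicitly,
# like "mode: 0644" in the Connector::Builtin::File::Path config.
# $1 = mode, $2 = destination file.
publish_with_mode() {
    : > "$2" && chmod "$1" "$2"
}

# Return 0 if the file is readable by "others", which is what a web server
# running as a different user outside the owning group needs; 1 otherwise.
web_readable() {
    case "$(file_mode "$1")" in
        *[4567]) return 0 ;;   # last octal digit has the read bit set
        *)       return 1 ;;
    esac
}
```

Run publish_with_umask 0007 and publish_with_mode 0644 against two paths and compare file_mode on each to see the 660 versus 644 difference; web_readable is the check a cronjob or monitoring hook could use to catch a badly published file before Apache returns a 403.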