Jailshell access to /etc/pki/ files for certificate verification

neilb2

Hi all,

Are jailshell users supposed to have access to these files?
  • /etc/pki/tls/certs/ca-bundle.crt which is a symlink to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
  • /etc/pki/tls/certs/ca-bundle.trust.crt which is a symlink to /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
Jailshell users currently get certificate verification errors when accessing SSL websites, such as

curl: (77) Problem with the SSL CA cert (path? access rights?)

which seems to be because they don't have access to these files (the actual files, not the symlinks). Indeed the actual files have 444 permissions and are owned by root.

There was a cPanel internal case 80653 which was for allowing jailshell users access to these certificate verification files, but the case only refers to the filenames in /etc/pki/tls/certs/ which are now symlinks, not the newer filenames. I'm wondering whether this position was reversed, perhaps because it subsequently became a security risk for these files to be accessible by jailshell users...?

This lack of access is present on all servers I run (CentOS 6 and 7) so I'm thinking that there was a change at some point, but I can't find it.

So, is it safe for jailshell users to have access to these files, and if so what's the official (or otherwise best) way to achieve this, so that users can for example use curl without issues (and without using -k to suppress the errors)?

Thanks
neilb2
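The symlink chain from the first post can be traced from inside the jail with this added script (not cPanel's code). It reports the first hop that is missing or unreadable; the sandbox it builds under a temporary root is constructed to mirror the CentOS 7 layout described above, and the /etc/pki paths are only the ones quoted in the post.

```shell
#!/bin/sh
# Added diagnostic (not cPanel's code): follow a CA bundle's symlink chain as the
# jailed user sees it and report the first hop that is missing or unreadable. In a
# jail/chroot an absolute link target resolves against the jail root.
# trace_ca_bundle PATH: returns 0 if the final file is readable, 1 if a hop is
# unreadable (or the chain loops), 2 if a hop does not exist in this view.
trace_ca_bundle() {
    path=$1
    hops=0
    while [ "$hops" -lt 16 ]; do
        if [ ! -e "$path" ] && [ ! -L "$path" ]; then
            printf 'MISSING   %s\n' "$path"
            return 2
        fi
        if [ -L "$path" ]; then
            target=$(readlink "$path")
            case $target in
                /*) ;;                                   # absolute target
                *)  target=$(dirname "$path")/$target ;; # relative to link's dir
            esac
            printf 'SYMLINK   %s -> %s\n' "$path" "$target"
            path=$target
            hops=$((hops + 1))
            continue
        fi
        mode=$(ls -ld "$path" | awk '{print $1, $3}')
        if [ -r "$path" ]; then
            printf 'READABLE  %s (%s)\n' "$path" "$mode"
            return 0
        fi
        printf 'DENIED    %s (%s)\n' "$path" "$mode"
        return 1
    done
    printf 'LOOP      too many symlink hops from %s\n' "$1"
    return 1
}
# Constructed sandbox mirroring the CentOS 7 layout from the thread under a
# temporary root instead of /etc/pki; prints that root.
build_sandbox() {
    root=$(mktemp -d)
    mkdir -p "$root/tls/certs" "$root/ca-trust/extracted/pem"
    printf 'constructed bundle\n' > "$root/ca-trust/extracted/pem/tls-ca-bundle.pem"
    chmod 444 "$root/ca-trust/extracted/pem/tls-ca-bundle.pem"
    ln -s "$root/ca-trust/extracted/pem/tls-ca-bundle.pem" "$root/tls/certs/ca-bundle.crt"
    echo "$root"
}
# Trace the path given on the command line, e.g. sh trace_ca.sh /etc/pki/tls/certs/ca-bundle.crt
if [ -n "${1:-}" ]; then trace_ca_bundle "$1"; fi
```

Run it as the jailed user (jailshell or a cron job) against /etc/pki/tls/certs/ca-bundle.crt: a MISSING hop at the /etc/pki/ca-trust/extracted target means the real bundle is not exposed inside the jail, while DENIED points at file or directory permissions.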

neilb2

cPanelMichael said:
    Hello :)

    Are you using Cloud Linux with CageFS enabled?

    Thank you.

Hi cPanelMichael,

Thanks for your response.

No, I'm not using Cloud Linux but that thread did remind me to mention that this is with noshell also (cron jobs etc). Full shell is fine though, but most of the accounts in my situation are jail or noshell, for example running cron jobs or manually run commands that run CMS maintenance scripts on SSL-only sites (and I would rather fix the issue than have curl ignore the certificate errors).

It seems as though CentOS 7 has a different file structure for these files, with the original files now being symlinks, and the cPanel permission settings aren't taking account of it for jailshell and noshell users.

It looks from your reply that this is supposed to work (as you didn't just say "no, the lack of access is intended behaviour") so I'm hoping that a full-on fix can be found.

So any further help is welcome, thank you :)

cPanelMichael

Administrator
Staff member
Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome.

Thank you.