Permission denied while opening a certificate


Permission denied while opening a certificate

iferca (Bugzilla)
Hi all...

This is my last resort and I should say that I'm desperate... I have
to make a release and I don't know how to solve the following.
I'm working on a project using Linux Fedora Core 4 + MySQL + sendmail
+ our own services and daemons. This release includes many security
enhancements. Using secure SSL connections with the service is one of
the most important.
I know this is not a MySQL discussion list, but the guys on the MySQL
list and the Fedora list did not help me.
Ok, the facts...
I've created my own certificates, I've configured MySQL according to
the documentation, but... I'm seeing a very strange behaviour. If I
start MySQL from the /etc/rc.d/init.d/ folder I get a permission
denied reading the .pem files. But then if I copy the same script to a
different folder and run it from there, this error disappears, just
like that.
The .pem files are chmoded to 777 and owned as root.mysql.
I've even used strace trying to find a hidden previous error
condition but nothing new, the open system call fails returning
EACCES.
I write to this list because the error is reported by the openssl
library, used by MySQL, but maybe you have heard of it before.
I'll appreciate any help, thanks in advance for your time

cheers

--
____________________
Israel Fdez. Cabrera
[hidden email]
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Permission denied while opening a certificate

Joseph Oreste Bruni-2
The permissions you need on these files are "444" not "777", but that's not your problem.

I believe that mysql runs as a user other than root. On most systems a separate "mysql" user account is created and the daemon switches to that account at startup.

The EACCES error would mean that some directory along the full path does not have the x bit set in a way that is useful for the mysql user. Make sure that every directory from "/" on down to the file has the x bit set in the "other" position.

"ls" with the -ld options will be your friend in this case as you examine each and every directory along the path to the file.

On Oct 15, 2005, at 9:16 AM, Israel Fernández Cabrera wrote:

> The .pem files are chmoded to 777 and owned as root.mysql.
> I've even used strace trying to find a hidden previous error
> condition but nothing new, the open system call fails returning
> EACCES.
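
Added example, not part of the original thread: the directory-by-directory check suggested in the reply above, as a POSIX shell function that prints the first directory whose "other" x bit is missing. It assumes GNU `stat` and `realpath`; the function name and the optional second argument (a start directory other than `/`) are conveniences of this example.

```shell
#!/bin/sh
# Added example: automate "ls -ld on every directory along the path".
# Usage: first_unsearchable_dir /path/to/server-cert.pem [start-dir]
# Prints the first directory between start-dir (default /) and the file
# that lacks o+x, and returns 1; returns 0 when all are searchable and
# 2 on lookup errors. Only the "other" bit is tested, as in the reply:
# group membership and ACLs are not considered.
first_unsearchable_dir() {
    target=$(realpath -- "$1") || return 2        # resolve symlinks and ".."
    dir=$(realpath -- "${2:-/}") || return 2      # where the walk starts
    rest=${target%/*}                             # directory part of the file
    rest=${rest#"${dir%/}"}                       # components below $dir
    while :; do
        mode=$(stat -c '%A' -- "$dir") || return 2   # e.g. drwxr-x---
        ls -ld -- "$dir" >&2                         # show what was examined
        case "$mode" in
            *x|*t) ;;                                # o+x set (t = sticky + x)
            *)     printf '%s\n' "$dir"; return 1 ;;
        esac
        [ -z "$rest" ] && return 0                   # reached the last directory
        rest=${rest#/}
        comp=${rest%%/*}                             # next path component
        case "$rest" in
            */*) rest=/${rest#*/} ;;
            *)   rest= ;;
        esac
        dir=${dir%/}/$comp
    done
}
```

A non-empty result names the directory to fix; an empty result with exit status 0 means the path prefix is not the cause for a process that falls under "other".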





Re: Permission denied while opening a certificate

iferca (Bugzilla)
Thanks Joseph for your quick response, it is the first one since I've been
struggling with this issue.
I'd like the solution to be that simple, that is why I said before
this is an annoying issue.
All the folders in the path to the certificate files have the x bit set,
just to be sure I've checked it again. I changed the owners of the
.pem files from root.mysql to mysql.mysql and, fixing my permission
paranoia, I chmoded the certificates from 777 to 444 too.
Result: same problem

Any hint? I had a look at the openssl source code reported in the
mysqld.log file but I found nothing interesting...

thanks in advance

--
____________________
Israel Fdez. Cabrera
[hidden email]

Re: Permission denied while opening a certificate

Joseph Oreste Bruni-2
The man page for open(2) gives the following reasons for EACCES:

      [EACCES]           Search permission is denied for a component of the
                         path prefix.

      [EACCES]           The required permissions (for reading and/or writing)
                         are denied for the given flags.

      [EACCES]           O_CREAT is specified, the file does not exist, and the
                         directory in which it is to be created does not permit
                         writing.

Are you sure it's the certificate or key files that are causing open(2)
to fail?


On Oct 15, 2005, at 11:35 AM, Israel Fernández Cabrera wrote:

> Thanks Joseph for your quick response, it is the first one since I've been
> struggling with this issue.
> I'd like the solution to be that simple, that is why I said before
> this is an annoying issue.
> All the folders in the path to the certificate files have the x bit set,
> just to be sure I've checked it again. I changed the owners of the
> .pem files from root.mysql to mysql.mysql and, fixing my permission
> paranoia, I chmoded the certificates from 777 to 444 too.
> Result: same problem
>
> Any hint? I had a look at the openssl source code reported in the
> mysqld.log file but I found nothing interesting...
>
> thanks in advance
>
> --
> ____________________
> Israel Fdez. Cabrera
> [hidden email]



Re: Permission denied while opening a certificate

iferca (Bugzilla)
That is a good question but I "guess" it is.. please see the attached
files for more information.
They are...

lsoutput.txt: I ran ls on the whole path to the certificate files
mysqld.log: Mysqld log file, interesting because it contains the
specific error, openssl .c files, line numbers (that by the way do
not match the actual file, because of comments I guess), and
more..
strace.txt: a fragment of the mysqld strace output with the failing open call...

I must thank you for the help and interest

best regards

Israel

--
____________________
Israel Fdez. Cabrera
[hidden email]


Re: Permission denied while opening a certificate

Joseph Oreste Bruni-2
This is very strange. You are getting the same error when trying to  
open /dev/urandom and /dev/random, as well as all other files  
mentioned in the log.

I'm now wondering if your mysql is performing a chroot() during  
startup? Other than that I have no explanation for what is happening.



On Oct 15, 2005, at 3:18 PM, Israel Fernández Cabrera wrote:

> That is a good question but I "guess" it is.. please see the attached
> files for more information.
> They are...
>
> lsoutput.txt: I ran ls on the whole path to the certificate files
> mysqld.log: Mysqld log file, interesting because it contains the
> specific error, openssl .c files, line numbers (that by the way do
> not match the actual file, because of comments I guess), and
> more..
> strace.txt: a fragment of the mysqld strace output with the failing
> open call...
>
> I must thank you for the help and interest
>
> best regards
>
> Israel
>
> --
> ____________________
> Israel Fdez. Cabrera
> [hidden email]
>
> <lsoutput.txt>
> <mysqld.log>
> <strace.txt>
>
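
Added example, not part of the original thread: a way to make the observation in the last reply repeatable, by listing every path whose open call returns EACCES in an strace capture and reporting whether the failures stay inside the certificate directory. The strace lines and the `/etc/mysql-certs` directory are constructed sample data, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: summarise EACCES failures in strace output.

# Constructed sample input; the real strace.txt is not on the page.
sample_strace() {
    cat <<'EOF'
open("/dev/urandom", O_RDONLY|O_NONBLOCK|O_NOCTTY) = -1 EACCES (Permission denied)
open("/dev/random", O_RDONLY|O_NONBLOCK) = -1 EACCES (Permission denied)
open("/etc/mysql-certs/server-cert.pem", O_RDONLY) = -1 EACCES (Permission denied)
open("/etc/mysql-certs/server-cert.pem", O_RDONLY) = -1 EACCES (Permission denied)
open("/usr/share/mysql/charsets/Index.xml", O_RDONLY) = 4
EOF
}

# Read strace output on stdin; print each distinct path whose open() or
# openat() call failed with EACCES, in order of first appearance.
eacces_paths() {
    awk '/= -1 EACCES/ && match($0, /open(at)?\([^"]*"[^"]*"/) {
             p = substr($0, RSTART, RLENGTH)
             sub(/^[^"]*"/, "", p)      # drop everything up to the opening quote
             sub(/"$/, "", p)           # drop the closing quote
             if (!seen[p]++) print p
         }'
}

# Read strace output on stdin and classify the failures relative to the
# certificate directory given as $1:
#   cert-path-only  every failing path is below that directory
#   process-wide    unrelated paths (e.g. /dev/urandom) fail as well
#   no-eacces       no open call failed with EACCES
failure_scope() {
    eacces_paths | awk -v d="${1%/}/" '
        { n++; if (index($0, d) != 1) outside++ }
        END {
            if (n == 0)           print "no-eacces"
            else if (outside > 0) print "process-wide"
            else                  print "cert-path-only"
        }'
}
```

Run as `failure_scope /etc/mysql-certs < strace.txt`; a `process-wide` result means the .pem file modes cannot be the whole explanation, which is the conclusion the reply draws from the log.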

