After extensive searching I haven't found documentation of this problem yet. Suddenly, possibly following a software update(?), cURL fails to establish SSL connections with this error:

curl: (35) error:0200100D:system library:fopen:Permission denied

With strace, I found out that it's trying to open an SSL certificate which is denied:

open("/etc/ssl/certs/3c58f906.0", O_RDONLY|O_LARGEFILE) = -1 EACCES (Permission denied)

This certificate is a symlink which points to AddTrust_External_Root.pem which in turn is a symlink to /usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt. The permissions are such that indeed my user isn't allowed to access it:

ls -l /usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt 
-rw-r----- 1 root ssl-cert 1521 2011-09-01 18:48 /usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt

There's probably a reason why this file isn't world-readable, but it's stopping cURL from functioning. Does anybody know the reason, and, more importantly, a safe and secure solution?

reinouts

2 Answers

There is no reason for this file not to be world readable. It's not anything unique to your system and is included in the default install: http://packages.ubuntu.com/lucid/all/ca-certificates/filelist

Generally I think anything under /usr/share/ may be world readable (since it's under "share").

Now why this file is not world readable on your system is the real question. A bug probably.

Edmunds

Hmm. It's world readable on my Lucid installation:

$ ls -l /usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt
-rw-r--r-- 1 root root 1521 2011-09-01 16:48 /usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt

There appears to be something wrong with your installation, or a previous administrator changed the ownership/permissions for obscure reasons.

cjc
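
An added example, not part of the original thread: a shell function that walks a CA directory such as /etc/ssl/certs, follows each symlink chain like the one in the question, and reports entries whose final target lacks the world-read bit. It assumes GNU coreutils (`readlink -f`, `stat -c`); the function name `audit_ca_perms` is made up for this example.

```shell
#!/bin/sh
# Added example: find CA files whose resolved target is not world-readable.
# Assumes GNU coreutils. Usage: audit_ca_perms /etc/ssl/certs

# Prints one line per problem entry:
#   <entry> -> <resolved target> <octal mode> <owner>:<group>
# Returns 0 if every entry is world-readable, 1 otherwise.
audit_ca_perms() {
    dir=$1
    bad=0
    for entry in "$dir"/*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue    # empty directory
        # Follow the whole chain (hash link -> .pem link -> .crt file).
        target=$(readlink -f -- "$entry") || target=
        if [ ! -e "$target" ]; then
            echo "$entry -> dangling symlink"
            bad=1
            continue
        fi
        [ -f "$target" ] || continue                       # skip subdirectories
        mode=$(stat -c '%a' -- "$target")
        # The last octal digit holds the "other" bits; read is the 4 bit.
        other=${mode#"${mode%?}"}
        case $other in
            4|5|6|7) ;;                                    # world-readable
            *)
                echo "$entry -> $target $mode $(stat -c '%U:%G' -- "$target")"
                bad=1
                ;;
        esac
    done
    return $bad
}
```

The check reads mode bits rather than attempting an open, so it gives the same answer when run as root as it does for an unprivileged user.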