Bug 3567 - Due to denied permission received this ERROR: could not run build command: /usr/local/globus-4.0.0/sbin/gpt-build -force /home/globusadmin/.globus/simpleCA//globus_simple_ca_e950e695_setup-0.18.tar.gz
Status: RESOLVED FIXED
: Simple CA
Simple CA
: unspecified
: PC Linux
: P3 major
Reported: 2005-07-14 16:51 by
Modified: 2008-08-11 15:51 (History)



Description From 2005-07-14 16:51:48
This problem has been reproduced on another machine that has the exact same
hardware (different machine but same brand and model no) with the same OS
(Fedora Core 2) installed by the same person (me).  I'm also the person who
installed the OS as well on both machines (maybe I'm the problem :)  I've also
done a search through previous bugs and posted this problem on the discuss list
as well.

The problem occurs when running the setup script for configuring the CA
(setup-simple-ca).  The script is run by a globus user.  This particular globus
user handles the Globus "administrative tasks" but does NOT have root
privileges.  This globus user owns the $GLOBUS_LOCATION directory which has the
following permissions:  drwxr-xr-x.  When I run "echo $GLOBUS_LOCATION" it
displays the correct destination string.

I'm getting the impression that the script needs to be run by root as evidenced
by the following error msgs (which are repeated below in the original screen shot):

/bin/sed: can't read /tmp//globusadmin_tmp_ca_setup//pkgdata/pkg_data_src.gpt.tmpl: No such file or directory

AND

/usr/local/globus-4.0.0/setup/globus/setup-simple-ca: line 678: cd: /root: Permission denied

The /tmp directory is (of course) owned by root with the following permissions:
drwxrwxrwt.  I am under the impression that the simpleCA script should be run as
the globus user with "administrative duties" such as starting and stopping
containers, etc. In the screen shot below, I've replaced certain text with
XXXXXXXXs.  Listed below is the complete screen "printout":

    C e r t i f i c a t e    A u t h o r i t y    S e t u p
 
This script will setup a Certificate Authority for signing Globus
users certificates.  It will also generate a simple CA package
that can be distributed to the users of the CA.
 
The CA information about the certificates it distributes will
be kept in:
 
/home/globusadmin/.globus/simpleCA/
/usr/local/globus-4.0.0/setup/globus/setup-simple-ca: line 250: test: res: integer expression expected
 
The unique subject name for this CA is:
 
cn=Globus Simple CA, ou=simpleCA-localhost.localdomain, ou=GlobusTest, o=Grid
 
Do you want to keep this as the CA subject (y/n) [y]:n
 
Enter a unique subject name for this CA:simpleCA-XXXXXX
 
 
Enter the email of the CA (this is the email where certificate
requests will be sent to be signed by the CA):ssones@hotmail.com
 
The CA certificate has an expiration date. Keep in mind that
once the CA certificate has expired, all the certificates
signed by that CA become invalid.  A CA should regenerate
the CA certificate and start re-issuing ca-setup packages
before the actual CA certificate expires.  This can be done
by re-running this setup script.  Enter the number of DAYS
the CA certificate should last before it expires.
[default: 5 years (1825 days)]:
 
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

/bin/sed: can't read /tmp//globusadmin_tmp_ca_setup//pkgdata/pkg_data_src.gpt.tmpl: No such file or directory
                                                                               
                                             
creating CA config package...done.
 
 
A self-signed certificate has been generated
for the Certificate Authority with the subject:
 
/CN=simpleCA-XXXXXX
 
If this is invalid, rerun this script
 
/usr/local/globus-4.0.0/setup/globus/setup-simple-ca
 
and enter the appropriate fields.
 
-------------------------------------------------------------------
 
The private key of the CA is stored in
/home/globusadmin/.globus/simpleCA//private/cakey.pem
The public CA certificate is stored in
/home/globusadmin/.globus/simpleCA//cacert.pem
 
The distribution package built for this CA is stored in
 
/home/globusadmin/.globus/simpleCA//globus_simple_ca_XXXXXXXX_setup-0.18.tar.gz
 
This file must be distributed to any host wishing to request
certificates from this CA.
 
CA setup complete.
 
The following commands will now be run to setup the security
configuration files for this CA:
 
$GLOBUS_LOCATION/sbin/gpt-build
/home/globusadmin/.globus/simpleCA//globus_simple_ca_XXXXXXXX_setup-0.18.tar.gz
 
$GLOBUS_LOCATION/sbin/gpt-postinstall
-------------------------------------------------------------------
 
 
/usr/local/globus-4.0.0/setup/globus/setup-simple-ca: line 678: cd: /root: Permission denied
/usr/local/globus-4.0.0/setup/globus/setup-simple-ca: line 693: build.log: No such file or directory
ERROR:  could not run build command: /usr/local/globus-4.0.0/sbin/gpt-build -force /home/globusadmin/.globus/simpleCA//globus_simple_ca_XXXXXXXX_setup-0.18.tar.gz
------- Comment #1 From 2005-11-02 16:04:17 -------
The problem of pkg_data_src.gpt.tmpl has been fixed in globus_4_0_branch and
head. I think the other problem you saw was as a result, so I'm closing this bug
as fixed.
------- Comment #2 From 2006-07-18 12:21:19 -------
I seem to be receiving the same error as this except I am using globus 4.0.2.
Is there a workaround for this?

C e r t i f i c a t e    A u t h o r i t y    S e t u p

This script will setup a Certificate Authority for signing Globus
users certificates.  It will also generate a simple CA package
that can be distributed to the users of the CA.

The CA information about the certificates it distributes will
be kept in:

/home/globus/.globus/simpleCA/

The unique subject name for this CA is:

cn=Globus Simple CA, ou=simpleCA-gerryg.computing.dcu.ie, ou=GlobusTest, o=Grid

Do you want to keep this as the CA subject (y/n) [y]:y

Enter the email of the CA (this is the email where certificate
requests will be sent to be signed by the CA):ger.gleeson@gmail.com

The CA certificate has an expiration date. Keep in mind that
once the CA certificate has expired, all the certificates
signed by that CA become invalid.  A CA should regenerate
the CA certificate and start re-issuing ca-setup packages
before the actual CA certificate expires.  This can be done
by re-running this setup script.  Enter the number of DAYS
the CA certificate should last before it expires.
[default: 5 years (1825 days)]:

Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

creating CA config package...done.


A self-signed certificate has been generated
for the Certificate Authority with the subject:

/O=Grid/OU=GlobusTest/OU=simpleCA-gerryg.computing.dcu.ie/CN=Globus Simple CA

If this is invalid, rerun this script

/usr/local/globus/setup/globus/setup-simple-ca

and enter the appropriate fields.

-------------------------------------------------------------------

The private key of the CA is stored in
/home/globus/.globus/simpleCA//private/cakey.pem
The public CA certificate is stored in
/home/globus/.globus/simpleCA//cacert.pem

The distribution package built for this CA is stored in

/home/globus/.globus/simpleCA//globus_simple_ca_XXXXXXX_setup-0.19.tar.gz

This file must be distributed to any host wishing to request
certificates from this CA.

CA setup complete.

The following commands will now be run to setup the security
configuration files for this CA:

$GLOBUS_LOCATION/sbin/gpt-build
/home/globus/.globus/simpleCA//globus_simple_ca_XXXXXXX_setup-0.19.tar.gz

$GLOBUS_LOCATION/sbin/gpt-postinstall
-------------------------------------------------------------------


ERROR:  could not run build command: /usr/local/globus/sbin/gpt-build -force /home/globus/.globus/simpleCA//globus_simple_ca_XXXXXXX_setup-0.19.tar.gz