When using a unix socket (path or abstract) listener, the pre_certsave_uid/post_certsave_uid becomes the pid from the calling getcert request
Start a session:
docker run --rm -it --name certmonger-test ubuntu:25.04
apt-get -qqy update && apt-get -qqy --no-install-recommends install certmonger && certmonger -v # certmonger 0.79.20
/usr/lib/certmonger/certmonger-session -L -P /tmp/certmonger.sock -n -B -d 12
Open a new shell & run these commands:
docker exec -it -e CERTMONGER_PVT_ADDRESS=unix:path=/tmp/certmonger.sock certmonger-test sh
getcert add-scep-ca -c example-ca.local -u http://example-ca.local/certsrv/mscep/mscep.dll
mkdir /root/example-ca.local
# send command to fg to get pid after
getcert request -I 1_example.com -c example-ca.local \
    -k /root/example-ca.local/pk.pem \
    -f /root/example-ca.local/cert.pem \
    -B /example.com.precertificate.sh \
    -C /example.com.postcertificate.sh &
echo $! # 597
grep certsave_uid /root/.config/certmonger/requests/*
# pre_certsave_uid=597
# post_certsave_uid=597
The -B & -C args do not have any associated args to control the uid in which the hook should be executed under. How can pre_certsave_uid/post_certsave_uid be controlled?
Furthermore, I cannot seem to get the post_certsave to execute when using a unix socket, is this functionality not supported?
Any chance you can launch certmonger with -D5 and share the journal once the getcert is complete? The output should contain debug information showing the uid/pid as it proceeds through the request.
There is no option to set the pre/post save uid value.
I ran the example again and luckily got the same pid as the example again.
docker logs certmonger-test | grep 597
2025-09-30 20:23:45 [551] User ID 0 PID 597 called /org/fedorahosted/certmonger:org.fedorahosted.certmonger.get_known_cas.
2025-09-30 20:23:45 [551] User ID 0 PID 597 called /org/fedorahosted/certmonger/cas/CA1:org.fedorahosted.certmonger.ca.get_nickname.
2025-09-30 20:23:45 [551] User ID 0 PID 597 called /org/fedorahosted/certmonger/cas/CA2:org.fedorahosted.certmonger.ca.get_nickname.
2025-09-30 20:23:45 [551] User ID 0 PID 597 called /org/fedorahosted/certmonger/cas/CA3:org.fedorahosted.certmonger.ca.get_nickname.
2025-09-30 20:23:45 [551] User ID 0 PID 597 called /org/fedorahosted/certmonger/cas/CA4:org.fedorahosted.certmonger.ca.get_nickname.
2025-09-30 20:23:45 [551] User ID 0 PID 597 called /org/fedorahosted/certmonger/cas/CA5:org.fedorahosted.certmonger.ca.get_nickname.
2025-09-30 20:23:45 [551] User ID 0 PID 597 called /org/fedorahosted/certmonger:org.fedorahosted.certmonger.add_request.
2025-09-30 20:23:45 [551] User ID 0 PID 597 called /org/fedorahosted/certmonger/requests/Request1:org.fedorahosted.certmonger.request.get_nickname.
Additional logs of successful certificate issuance subsequently erroring due to using the nonexistent uid (pid):
2025-09-30 01:17:42 [1] Adding hook "/example.com.postcertificate.sh" (89).
2025-09-30 01:17:42 [1] Request1('1_example.com') moved to state 'POST_SAVED_CERT'
2025-09-30 01:17:42 [1] Wrote to /data/.certmonger/requests/20250930011741
2025-09-30 01:17:42 [1] Will revisit Request1('1_example.com') on traffic from 8.
2025-09-30 01:17:42 [151] Error on getpwuid(89): File exists, not running "/example.com.postcertificate.sh".
2025-09-30 01:17:42 [1] Request1('1_example.com') moved to state 'NEED_TO_NOTIFY_ISSUED_SAVED'
2025-09-30 01:17:42 [1] Wrote to /data/.certmonger/requests/20250930011741
2025-09-30 01:17:42 [1] Will revisit Request1('1_example.com') now.
2025-09-30 01:28:12 [1] Will revisit Request1('1_example.com') on traffic from 8.
2025-09-30 01:28:12 [148] Error opening "/proc/sys/crypto/fips_enabled": No such file or directory, assuming 0.
2025-09-30 01:28:12 [148] Not attempting to set NSS FIPS mode.
2025-09-30 01:28:12 [1] Adding hook "/example.com.postcertificate.sh" (88).
2025-09-30 01:28:12 [1] Request1('1_example.com') moved to state 'POST_SAVED_CERT'
2025-09-30 01:28:12 [149] Error on getpwuid(88): File exists, not running "/example.com.postcertificate.sh".
2025-09-30 01:28:12 [1] Wrote to /data/.certmonger/requests/20250930012811
2025-09-30 01:28:12 [1] Will revisit Request1('1_example.com') on traffic from 8.
2025-09-30 01:31:22 [1] Adding hook "/example.com.postcertificate.sh" (92).
2025-09-30 01:31:22 [1] Request1('1_example.com') moved to state 'POST_SAVED_CERT'
2025-09-30 01:31:22 [1] Wrote to /data/.certmonger/requests/20250930013121
2025-09-30 01:31:22 [1] Will revisit Request1('1_example.com') on traffic from 8.
2025-09-30 01:31:22 [155] Error on getpwuid(92): File exists, not running "/example.com.postcertificate.sh".
2025-09-30 01:31:22 [1] Request1('1_example.com') moved to state 'NEED_TO_NOTIFY_ISSUED_SAVED'
2025-09-30 01:31:22 [1] Wrote to /data/.certmonger/requests/20250930013121
2025-09-30 01:31:22 [1] Will revisit Request1('1_example.com') now.
Curious. Do you know where the uids 88 and 92 came from? More pids?
It seems pretty clear that at some point certmonger is aware of both the uid and the pid and is likely flipping them at some point. I just haven't yet found where that is. Maybe it's subtle, or maybe it's just hard to spot with a code review. I'll keep at it.
More pids, they are just lower than the example. The issue does not present itself at all when dbus is used, not sure why it only affects the unix socket listeners.
I can duplicate this outside of docker.
I can see the value changing but haven't found either a workaround or where exactly the values are flipping. On the bright side I've narrowed down the scope considerably.
The reproducer is basically the same but I'll document it here for future sake.
# certmonger -L -P /tmp/certmonger.sock -n -B -d 4 > cm.log 2>&1 &
# CERTMONGER_PVT_ADDRESS=unix:path=/tmp/certmonger.sock getcert request \
    -I test -c local -f /etc/pki/tls/certs/test.pem -k /etc/pki/tls/private/test.key \
    -B /bin/ls -C /bin/echo
# grep _uid /var/lib/certmonger/requests/*
The final grep should return
pre_certsave_uid=0
post_certsave_uid=0
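The failure mode in this thread is silent from the hook's point of view: the request file records a uid that is really a pid, getpwuid() fails, and the pre/post save hook never runs. The following is an added example (not certmonger's own code) of a small audit that reads request files in the key=value layout shown above and reports any pre_certsave_uid/post_certsave_uid that does not resolve to a passwd entry. It assumes the hook commands are stored under pre_certsave_command/post_certsave_command (an assumption; only the _uid keys appear in the thread), and both the request text and the passwd text are constructed samples.

```python
"""Audit certmonger request files for hook uids that don't resolve to a user.

Added example, not part of certmonger. Assumes the request-file layout is
one key=value per line (as in the grep output in this thread) and that the
hook commands live under pre_certsave_command/post_certsave_command
(assumed key names). Sample inputs below are constructed.
"""
from typing import Dict, List

HOOK_UID_KEYS = ("pre_certsave_uid", "post_certsave_uid")

# Constructed passwd content: only root and daemon exist on this "host".
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
"""

# Constructed healthy request: hooks recorded with uid 0, as on the dbus path.
GOOD_REQUEST = """\
pre_certsave_command=/bin/ls
pre_certsave_uid=0
post_certsave_command=/bin/echo
post_certsave_uid=0
"""

# Constructed broken request: the getcert client's pid (597) was stored as uid.
BAD_REQUEST = """\
pre_certsave_command=/example.com.precertificate.sh
pre_certsave_uid=597
post_certsave_command=/example.com.postcertificate.sh
post_certsave_uid=597
"""


def parse_request(text: str) -> Dict[str, str]:
    """Parse a key=value request file; blank lines and comments are skipped."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip()] = value.strip()
    return entries


def parse_passwd(text: str) -> Dict[int, str]:
    """Map uid -> username from passwd-format text (field 3 is the uid)."""
    users: Dict[int, str] = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            users[int(fields[2])] = fields[0]
    return users


def check_hook_uids(request: Dict[str, str], users: Dict[int, str]) -> List[str]:
    """Return one finding per hook uid that has no passwd entry.

    This mirrors the condition under which certmonger logs
    'Error on getpwuid(N) ..., not running "<hook>"' and skips the hook.
    """
    findings: List[str] = []
    for key in HOOK_UID_KEYS:
        raw = request.get(key)
        if raw is None:
            continue  # no hook configured for this phase
        if not raw.isdigit():
            findings.append(f"{key}={raw!r} is not a numeric uid")
            continue
        uid = int(raw)
        if uid not in users:
            hook = request.get(key.replace("_uid", "_command"), "<unknown>")
            findings.append(
                f"{key}={uid} has no passwd entry; hook {hook} would be skipped"
            )
    return findings


def audit(request_text: str, passwd_text: str) -> List[str]:
    """Convenience wrapper: parse both inputs and run the check."""
    return check_hook_uids(parse_request(request_text), parse_passwd(passwd_text))


if __name__ == "__main__":
    for label, text in (("good", GOOD_REQUEST), ("bad", BAD_REQUEST)):
        problems = audit(text, SAMPLE_PASSWD)
        print(f"{label}: {'ok' if not problems else ''}")
        for p in problems:
            print("  " + p)
```

On a real host you would feed it each file under the requests directory the daemon is using (/var/lib/certmonger/requests for the system instance, ~/.config/certmonger/requests for a session instance) together with the contents of /etc/passwd; a uid that looks like a recent pid rather than a real account is the signature of the bug described here.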
The issue isn't that values are getting swapped somewhere. It's that the client object sent to execute the dbus command doesn't have the uid/pid initialized. The UID/PID visible in the logging is another variable altogether. Setting the client uid/pid values prior to using it in the dbus call resolves the problem. This path is only followed on the "private" path (only a listening socket).
PR https://pagure.io/certmonger/pull-request/300
Would you have the ability and time to test this fix? It worked for me.