fix(tls): ensure jailed processes trust httpjail CA under sudo (prefer SUDO_USER path; copy cert if needed)#50

Closed
blink-so[bot] wants to merge 3 commits into main from blink/gh-ca-env-fix
@blink-so blink-so bot commented Sep 14, 2025

Summary
- Prefer SUDO_USER's config path for CA when httpjail is invoked via sudo and the jailed command runs as the invoking user
- Correct SUDO_USER CA path computation (Linux: /home//.config/httpjail/ca-cert.pem; macOS: /Users//Library/Application Support/httpjail/ca-cert.pem)
- If only /root CA exists, copy it to the invoking user's config so the non-root process can read it
- Keep existing env var injection (SSL_CERT_FILE, SSL_CERT_DIR, CURL_CA_BUNDLE, GIT_SSL_CAINFO, REQUESTS_CA_BUNDLE, NODE_EXTRA_CA_CERTS)

Additional tests
- Adds tests/weak_gh_integration.rs: verifies gh api /zen succeeds in weak mode on non-macOS and does not hit x509 unknown authority (skips if gh not installed)

Why
When running under sudo on Linux, the CA is generated under /root/.config/httpjail by default. httpjail then drops privileges (setpriv) to the invoking user before executing the target process. The target process cannot traverse /root, so SSL_CERT_FILE=/root/.config/httpjail/ca-cert.pem is unreadable. Go-based tools like gh then fail TLS verification against the intercepted cert with:

Post https://api.github.com/graphql: tls: failed to verify certificate: x509: certificate signed by unknown authority

macOS note
Go on macOS uses the platform verifier (Security.framework), which ignores SSL_CERT_FILE/SSL_CERT_DIR; weak mode interception will still fail for Go clients there. A follow-up change will add a pass-through CONNECT mode on macOS (no TLS MITM) so host-level allow/deny still works without modifying system trust.

Manual validation
- sudo httpjail --js "true" -- gh auth status
- sudo httpjail --js "true" -- gh pr status
- sudo httpjail --js "true" -- gh pr create --title test --body test (reaches GraphQL successfully)

If the CA only exists under /root, the first run will copy it to the invoking user's config and subsequent runs use that path.

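As an added example (not httpjail's own code), the resolution logic the description outlines, in Rust since the project is Rust: the per-OS CA path, preference for SUDO_USER's copy, the copy-from-/root fallback, and the injected env vars. The `caller_home` and `home_root` parameters are assumptions so the logic can run against any directory, and the chmod to 0644 after the copy is an added caveat: fs::copy keeps the source mode, so a 0600 root-owned file would stay unreadable to the de-privileged process.

```rust
use std::fs;
use std::io;
use std::os::unix::fs::PermissionsExt;
use std::path::{Path, PathBuf};
/// Per-OS location of httpjail's CA certificate inside a user's home directory.
fn config_ca_path(home: &Path) -> PathBuf {
    if cfg!(target_os = "macos") {
        home.join("Library/Application Support/httpjail/ca-cert.pem")
    } else {
        home.join(".config/httpjail/ca-cert.pem")
    }
}
/// Choose the CA file the jailed process will trust. `sudo_user` is SUDO_USER (None when
/// not under sudo); `caller_home` (assumed parameter) is the home of the user httpjail runs
/// as, /root under sudo; `home_root` (assumed) is "/home" on Linux or "/Users" on macOS.
pub fn resolve_ca_path(sudo_user: Option<&str>, caller_home: &Path, home_root: &Path)
    -> io::Result<PathBuf> {
    let caller_ca = config_ca_path(caller_home);
    let user = match sudo_user {
        Some(u) if u != "root" => u,
        _ => return Ok(caller_ca), // no privilege drop: the caller's own CA is readable
    };
    // The de-privileged process cannot traverse /root, so prefer the invoking user's copy.
    let user_ca = config_ca_path(&home_root.join(user));
    if user_ca.exists() {
        return Ok(user_ca);
    }
    if !caller_ca.exists() {
        // CA generation lives elsewhere in the tool; here absence is simply an error.
        return Err(io::Error::new(io::ErrorKind::NotFound, "no httpjail CA certificate found"));
    }
    if let Some(dir) = user_ca.parent() { fs::create_dir_all(dir)?; }
    fs::copy(&caller_ca, &user_ca)?;
    // fs::copy keeps the source mode; a 0600 root-owned copy would still be unreadable
    // after setpriv, so make the (public) CA certificate world-readable.
    fs::set_permissions(&user_ca, fs::Permissions::from_mode(0o644))?;
    Ok(user_ca)
}
/// The env vars the PR injects (Go on macOS uses the platform verifier and ignores them).
pub fn ca_env(ca: &Path) -> Vec<(&'static str, String)> {
    let file = ca.to_string_lossy().into_owned();
    let dir = ca.parent().map(|d| d.to_string_lossy().into_owned()).unwrap_or_default();
    vec![
        ("SSL_CERT_FILE", file.clone()), ("SSL_CERT_DIR", dir),
        ("CURL_CA_BUNDLE", file.clone()), ("GIT_SSL_CAINFO", file.clone()),
        ("REQUESTS_CA_BUNDLE", file.clone()), ("NODE_EXTRA_CA_CERTS", file),
    ]
}
```
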
…ferring SUDO_USER path and copying cert if needed

- Prefer SUDO_USER's config path for CA when running under sudo
- Correct SUDO_USER path computation on Linux/macOS
- If only /root CA exists, copy it to the invoking user's config so non-root process can read it
- Keep existing env var injection (SSL_CERT_FILE, SSL_CERT_DIR, etc.)

This fixes TLS failures like: Post https://api.github.com/graphql: tls: failed to verify certificate: x509: certificate signed by unknown authority, when running gh inside httpjail as a dropped-priv user.

Co-authored-by: ammario <7416144+ammario@users.noreply.github.com>
ammario commented Sep 15, 2025

Not sure this fixes it. I ran into this error on macOS with the weak jail without sudo.

blink-so bot added 2 commits September 15, 2025 00:26
…(/zen) in weak mode on non-macOS

Skips if gh is not installed. Validates we don't hit x509 unknown authority and that the command succeeds.

Co-authored-by: ammario <7416144+ammario@users.noreply.github.com>

…n
Co-authored-by: ammario <7416144+ammario@users.noreply.github.com>
@ammario ammario closed this Sep 20, 2025