Bug 1026260

Summary: Remove minor issues in ipa.spec
Product: Red Hat Enterprise Linux 7
Reporter: Martin Kosek <mkosek>
Component: ipa
Assignee: Martin Kosek <mkosek>
Status: CLOSED CURRENTRELEASE
QA Contact: Namita Soman <nsoman>
Severity: unspecified
Docs Contact:
Priority: medium
Version: 7.0
CC: dpal, mkosek, rcritten
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-3.3.3-6.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-13 10:43:56 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On:
Bug Blocks: 884499

Description Martin Kosek 2013-11-04 09:47:07 UTC
Description of problem:
ipa.spec analysis uncovered several issues that we should either mark as false positives or fix:

1) % sign not properly escaped in a changelog:
   spec: - Add (noreplace) flag for \%{_sysconfdir}/tmpfiles.d/ipa.conf
   rpm : - Add (noreplace) flag for \/etc/tmpfiles.d/ipa.conf

We should replace "\%" with "%%"

2) /usr/libexec/ipa-otpd: daemon file compiled with only partial RELRO (should be full)

3) Unowned mid-level directory: /usr/share/ipa/ui/js

4) Missing man pages for %config files:
- /etc/ipa/html/browserconfig.html
- /etc/ipa/html/ffconfig.js
- /etc/ipa/html/ffconfig_page.js
- /etc/ipa/html/ipa_error.css
- /etc/ipa/html/ssbrowser.html
- /etc/ipa/html/unauthorized.html
- /etc/sysconfig/ipa_memcached
- /etc/tmpfiles.d/ipa.conf

We should either mark as false positive or remove %config (or write the man page)

Comment 1 Martin Kosek 2013-11-04 09:49:23 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4010

Comment 3 Alexander Bokovoy 2013-11-04 10:18:14 UTC
1) is correct finding, needs a fix.

2) needs a fix but I'd prefer it to be a separate ticket since it is independent of the others.

3) needs fixing.

4) We use %config to allow generated files to persist over consequent upgrades of the packages. These are not really configs but rather something that is generated with ipa-server-install or could be slightly tuned by admins with their own graphical design. RPM doesn't have better means to express these needs so I think we should mark them as false positive.

Comment 4 Martin Kosek 2013-11-04 10:55:04 UTC
Thanks for assessment. I think we should fix all these issues together as they come from the same source. Separate ticket is a possibility though it seems as too much bureaucracy in this case - we just need to add a relro flag (AFAIU).

Comment 5 Martin Kosek 2013-12-02 11:40:28 UTC
Fixed upstream:

master:
db3e4507329a02e5eba85f8f3eb29361eabf5d57 Own /usr/share/ipa/ui/js/ in the spec file.
652c4e6ace7c4eae6ffb12093487c2d8180806f5 Use hardening flags for ipa-optd.

ipa-3-3:
ca4e976318a2bf4fb152df8b97c3c4fc9798475c Own /usr/share/ipa/ui/js/ in the spec file.
73ada2baad2db3143285a254f638a091eb2001c8 Use hardening flags for ipa-optd.

Comment 7 Namita Soman 2014-01-28 19:01:10 UTC
What can I check to be able to verify these changes?

Comment 8 Rob Crittenden 2014-01-28 20:03:25 UTC
To check for the directory, install ipa-server then run:

$ rpm -q --whatprovides /usr/share/ipa/ui/js

It should be owned by ipa-server.

To check for a hardened build:

# yum install hardening-check
# hardening-check /usr/libexec/ipa-otpd 

The Read-only relocations and Immediate binding should be yes.

/usr/libexec/ipa-otpd:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes

Comment 9 Rob Crittenden 2014-01-28 20:20:11 UTC
Or if hardening-check isn't available (and it looks like it isn't) check with:

$ objdump -x /usr/libexec/ipa-otpd | grep RELRO
   RELRO off    0x0000000000005a50 vaddr 0x0000000000205a50 paddr 0x0000000000205a50 align 2**0

$ readelf -d /usr/libexec/ipa-otpd | grep BIND
 0x0000000000000018 (BIND_NOW)           

The fix here was for immediate binding (the readelf command). If you get no output for either of these then the build is not hardened.
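
The two checks in comments 8 and 9 (a PT_GNU_RELRO segment in the program headers, and a BIND_NOW request in the dynamic section) are what separate partial from full RELRO. The following script is an added example, not part of the bug report or of FreeIPA: it reads those two things straight out of an ELF64 little-endian file with only the standard library, so it can stand in for hardening-check on a host where that package is not available. It classifies the binary as "none", "partial" or "full" RELRO and reports immediate binding on its own, since the bug's readelf output shows the `DT_BIND_NOW` tag (0x18) while newer linkers record the same request in `DT_FLAGS`/`DT_FLAGS_1`. `build_elf` constructs throwaway, non-loadable fixtures so the checker can be exercised offline; the load address 0x205000 and the fixture layout are arbitrary choices of this example. ELF32 and big-endian images are rejected rather than guessed at.

```python
import struct
import sys

# Constants from the ELF specification (elf.h) used by the checker.
PT_DYNAMIC = 2
PT_GNU_RELRO = 0x6474E552
DT_NULL = 0
DT_BIND_NOW = 24          # tag 0x18: the "(BIND_NOW)" line readelf -d prints in this bug
DT_FLAGS = 30             # 0x1e, flag word carrying DF_BIND_NOW
DT_FLAGS_1 = 0x6FFFFFFB   # flag word carrying DF_1_NOW
DF_BIND_NOW = 0x8
DF_1_NOW = 0x1

EHDR = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr, little-endian
PHDR = "<IIQQQQQQ"           # Elf64_Phdr
DYN = "<qQ"                  # Elf64_Dyn


def hardening_report(elf):
    """Report RELRO and immediate-binding status for an ELF64 little-endian image.

    read_only_relocations: a PT_GNU_RELRO segment exists (objdump -x shows "RELRO").
    immediate_binding: the dynamic section asks ld.so to resolve every symbol at
    start-up.  Full RELRO needs both: without BIND_NOW the GOT is still written
    lazily after the loader would otherwise have made it read-only.
    """
    ident = elf[:16]
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("only ELF64 little-endian images are handled here")
    hdr = struct.unpack_from(EHDR, elf, 0)
    e_phoff, e_phentsize, e_phnum = hdr[5], hdr[9], hdr[10]

    relro = False
    dynamic = None
    for i in range(e_phnum):
        p_type, _flags, p_offset, _va, _pa, p_filesz, _memsz, _align = \
            struct.unpack_from(PHDR, elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)

    bind_now = False
    if dynamic is not None:
        off, size = dynamic
        for j in range(size // struct.calcsize(DYN)):
            d_tag, d_val = struct.unpack_from(DYN, elf, off + j * 16)
            if d_tag == DT_NULL:
                break
            if (d_tag == DT_BIND_NOW
                    or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW)
                    or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW)):
                bind_now = True

    level = "none" if not relro else ("full" if bind_now else "partial")
    return {"read_only_relocations": relro, "immediate_binding": bind_now, "relro": level}


def build_elf(relro, bind_now_tag=None):
    """Construct a minimal, non-loadable ELF64 fixture carrying only the headers
    the checker reads (example fixture, not a real binary).  bind_now_tag picks
    how immediate binding is recorded: None, "DT_BIND_NOW", "DT_FLAGS" or "DT_FLAGS_1".
    """
    tags = {"DT_BIND_NOW": (DT_BIND_NOW, 0),
            "DT_FLAGS": (DT_FLAGS, DF_BIND_NOW),
            "DT_FLAGS_1": (DT_FLAGS_1, DF_1_NOW)}
    entries = [tags[bind_now_tag]] if bind_now_tag else []
    entries.append((DT_NULL, 0))
    dyn = b"".join(struct.pack(DYN, t, v) for t, v in entries)
    phnum = 2 if relro else 1
    dyn_off = 64 + phnum * 56            # dynamic section follows the program headers
    base = 0x205000                      # arbitrary address chosen for the fixture
    phdrs = struct.pack(PHDR, PT_DYNAMIC, 6, dyn_off, base, base, len(dyn), len(dyn), 8)
    if relro:
        phdrs += struct.pack(PHDR, PT_GNU_RELRO, 4, dyn_off, base, base, len(dyn), len(dyn), 1)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    ehdr = struct.pack(EHDR, ident, 3, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
    return ehdr + phdrs + dyn


if __name__ == "__main__":
    if len(sys.argv) > 1:                # e.g. python3 relro_check.py /usr/libexec/ipa-otpd
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1], hardening_report(f.read()))
    else:                                # no path given: run against the constructed fixtures
        for r, b in ((True, "DT_BIND_NOW"), (True, None), (False, "DT_FLAGS")):
            print("relro=%s bind_now=%s: %s" % (r, b, hardening_report(build_elf(r, b))))
```

Run it with the path to the installed daemon to get the same verdict as `hardening-check`'s "Read-only relocations" and "Immediate binding" lines; a binary that prints `relro: partial` has the PT_GNU_RELRO segment but was linked without `-z now`, which is exactly the state item 2 of this bug describes.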

Comment 10 Namita Soman 2014-01-28 20:26:46 UTC
Verified using steps above:
   
owned by ipa-server:  
# rpm -q --whatprovides /usr/share/ipa/ui/js
ipa-server-3.3.3-15.el7.x86_64

build is hardened:
# objdump -x /usr/libexec/ipa-otpd | grep RELRO
   RELRO off    0x0000000000005ac8 vaddr 0x0000000000205ac8 paddr 0x0000000000205ac8 align 2**0

# readelf -d /usr/libexec/ipa-otpd | grep BIND
 0x0000000000000018 (BIND_NOW)

Comment 11 Martin Kosek 2014-01-29 08:02:44 UTC
I saw that RHEL7 hardening-check is being built in koji:

# rpm -q ipa-server
ipa-server-3.3.3-14.el7.x86_64
# yum install http://kojipkgs.fedoraproject.org//packages/hardening-check/2.4/1.el7/noarch/hardening-check-2.4-1.el7.noarch.rpm
...
Installed:
  hardening-check.noarch 0:2.4-1.el7                                                                    

Complete!
# hardening-check /usr/libexec/ipa-otpd 
/usr/libexec/ipa-otpd:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes

Comment 12 Ludek Smid 2014-06-13 10:43:56 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.