Bug 1113395

Summary: yum verify-all reports problems with permissions but the Current and Original modes are the same.
Product: Red Hat Enterprise Linux 7 Reporter: Karel Srot <ksrot>
Component: yum Assignee: Valentina Mukhamedzhanova <vmukhame>
Status: CLOSED ERRATA QA Contact: Karel Srot <ksrot>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 7.0 CC: james.antill, vmukhame
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: yum-3.4.3-119.el7 Doc Type: Bug Fix
Doc Text:
Cause: run 'yum verify'
Consequence: yum reports changes to file permissions, when there aren't any changes
Fix: patch
Result: the report is correct
Clone Of: 1045415 Environment:
Last Closed: 2015-03-05 09:04:08 UTC Type: Bug

Description Karel Srot 2014-06-26 06:00:51 UTC
Should be fixed in 7.1 too. 

yum-3.4.3-118.el7.noarch

==================== Installed Packages ====================
bz1045415pkg.noarch : bz1045415pkg Package
    File: /var/log/bz1045415.log
    Tags: ghost
        Problem:  mode does not match
        Current:  user:wr-, group:-r-, other:-r-
        Original: user:wr-, group:-r-, other:-r-
verify-all done



+++ This bug was initially created as a clone of Bug #1045415 +++

Description of problem:
On a fully patched RHEL 6.5 machine, we can see that a yum verify-all reports problems with permissions but the Current and Original modes are the same.
- It should be noted that this problem exists for earlier versions of RHEL 6 as well as RHEL 5.
- It should also be noted that when comparing a file that was wrongly reported as being different by yum verify-all, yum verify --verify-filenames=<filename> does not report a problem.  This gives you the impression that the function is working, but, based on the first results in this case comment, it can be assumed that the --verify-filenames option never gives a result.
- yum verify --verify-configuration-files=yes appears to report valid results.  The man entry for this option is somewhat misleading, however.  It is written this way:

    --verify-configuration-files=VERIFY_CONFIGURATION_FILES
                        Verify files tagged as configuration files

The --verify-configuration-files option appears to take a Boolean as a parameter, however.  I was surprised to see the results when setting the flag to 'no', as seen below:

[root@test ~]# yum verify --verify-configuration-files=no
Loaded plugins: changelog, downloadonly, product-id, rhnplugin, security, verify
This system is receiving updates from RHN Classic or RHN Satellite.
==================== Installed Packages ====================
libtool-ltdl.x86_64 : Runtime libraries for GNU Libtool Dynamic Module Loader
    File: /usr/lib64/libltdl.so.7.2.1
        Problem:  checksum does not match
        Current:  sha256:387e01927e3ad20def3b1df196d6815ebad7ddd8728dcc7b45ccf59acff8f778
        Original: sha256:45be6f82cd2f3f8118fc27a3c6105c89e543a745f96777ac03327be61f0bce64
                                   --------                                   
        Problem:  size does not match
        Current:   38 k
        Original:  36 k

libunistring.x86_64 : GNU Unicode string library
    File: /usr/lib64/libunistring.so.0.1.2
        Problem:  checksum does not match
        Current:  sha256:d5bb6021ee98db773c811dbdd70523b133f1f91db8ef08dd47e7eab06ec49256
        Original: sha256:e615c4f068f5538478e1de9cb81c366e1acd761991b77ee5ab9174e5dc6bcc83
                                   --------                                   
        Problem:  size does not match
        Current:       1144424 B
        Original:      1142048 B
verify done

- I was also surprised that setting this value to the path of a configuration file yielded the same result as shown above.

Version-Release number of selected component (if applicable):


How reproducible:

Steps to Reproduce:
# yum install yum-plugin-verify
# yum verify-all
# yum verify --verify-filenames=/etc/sysconfig/system-config-firewall
# yum verify --verify-configuration-files=yes
# yum verify --verify-configuration-files=no
# yum verify --verify-configuration-files=/etc/sysctl.conf


Actual results:
I was able to reproduce this issue, but it did not work for some of the commands mentioned below.
# yum verify --verify-configuration-files=yes
# yum verify --verify-configuration-files=no
# yum verify --verify-configuration-files=/etc/sysctl.conf


Expected results:
# yum verify-all 

 File: /var/cache/PackageKit/groups.sqlite
    Tags: ghost
        Problem:  mode does not match            
        Current:  user:wr-, group:-r-, other:-r-  
        Original: user:wr-, group:-r-, other:-r-

-> Current and original mode should differ according to Problem.

Additional info:

--- Additional comment from Valentina Mukhamedzhanova on 2014-03-28 06:07:36 EDT ---

1. Fixed the mode problem in upstream - http://yum.baseurl.org/gitweb?p=yum.git;a=commitdiff;h=bb6908d630966d9e385659516c2759c47c0e2ee7, acking.

2. --verify-configuration-files indeed takes a boolean, it actually accepts values 1/0, yes/no, on/off and true/false.

If you run something like 
'yum verify --verify-configuration-files=/etc/sysctl.conf' 
you will get a warning 
'Ignoring bad value "/etc/sysctl.conf" for the option --verify-configuration-files'.

Still, I agree that the help string might be confusing, so I made it a little bit clearer in upstream - http://yum.baseurl.org/gitweb?p=yum-utils.git;a=commitdiff;h=96b3b8824a3095ffaacdd754720003c090981480, please file a bugzilla against yum-utils if you want it to be backported to RHEL6.6.

3. 'yum verify --verify-filenames=<filename>' does not report a problem which 'yum verify-all' does, not because of the '--verify-filenames' option, but because of using 'verify' instead of 'verify-all'.

--- Additional comment from Karel Srot on 2014-04-01 08:59:41 EDT ---

@QE: reproducer
run against some package with ghost files, e.g. prelink

# yum verify-all prelink
prelink.x86_64 : An ELF prelinking utility
    File: /var/lib/prelink/force
    Tags: ghost, configuration, missing ok
        Problem:  file is missing
    File: /var/lib/prelink/full
    Tags: ghost, configuration, missing ok
        Problem:  mode does not match
        Current:  user:wr-, group:-r-, other:-r-
        Original: user:wr-, group:-r-, other:-r-
    File: /var/lib/prelink/quick
    Tags: ghost, configuration, missing ok
        Problem:  mode does not match
        Current:  user:wr-, group:-r-, other:-r-
        Original: user:wr-, group:-r-, other:-r-
    File: /var/log/prelink/prelink.log
    Tags: ghost, configuration, missing ok
        Problem:  mode does not match
        Current:  user:wr-, group:-r-, other:-r-
        Original: user:wr-, group:-r-, other:-r-
verify-all done
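
When `yum verify-all` output feeds a file-integrity review, the entries described in this report (a "mode does not match" problem whose printed Current and Original values are identical) can be separated from findings that show a real difference. The following is an added example, not part of the bug report or of yum; `parse_verify`, `split_findings` and the sample text are hypothetical and constructed in the layout shown above.

```python
import re
# Constructed sample in the layout shown in this report (not captured output).
SAMPLE = """\
==================== Installed Packages ====================
examplepkg.noarch : Example package
    File: /var/log/example.log
    Tags: ghost
        Problem:  mode does not match
        Current:  user:wr-, group:-r-, other:-r-
        Original: user:wr-, group:-r-, other:-r-
    File: /usr/lib64/libexample.so.1
        Problem:  checksum does not match
        Current:  sha256:aaaa
        Original: sha256:bbbb
                                   --------
        Problem:  size does not match
        Current:   38 k
        Original:  36 k
    File: /var/lib/example/force
    Tags: ghost
        Problem:  file is missing
verify-all done
"""

# Indented "Key: value" lines; package headers and separators do not match.
FIELD = re.compile(r"^\s+(File|Tags|Problem|Current|Original):\s*(.*?)\s*$")

def parse_verify(text):
    """Return one dict per reported problem: file, tags, problem, current, original."""
    findings, path, tags = [], None, []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "File":
            path, tags = value, []
        elif key == "Tags":
            tags = [t.strip() for t in value.split(",")]
        elif key == "Problem":
            findings.append(dict(file=path, tags=tags, problem=value, current=None, original=None))
        elif findings:
            findings[-1][key.lower()] = value  # Current / Original of the latest problem
    return findings

def split_findings(findings):
    """Separate entries whose printed Current and Original are identical."""
    suspect = [f for f in findings if f["current"] and f["current"] == f["original"]]
    real = [f for f in findings if f not in suspect]
    return suspect, real
```

Entries in the first list still warrant a direct check of the file's mode on disk before they are dismissed, since the parser only compares what the tool printed.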

Comment 6 errata-xmlrpc 2015-03-05 09:04:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0398.html