Bug 1448697

Summary: ipa-client-install doesn't set appropriate permissions on /etc/pki/ca-trust/source/ipa.p11-kit. Permissions are set based on umask.
Product: Red Hat Enterprise Linux 7
Reporter: Abhinay Reddy Peddireddy <apeddire>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED DUPLICATE
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Priority: unspecified
Version: 7.3
CC: pvoborni, rcritten, slaznick, tscherf
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2017-05-19 11:57:08 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Abhinay Reddy Peddireddy 2017-05-07 11:06:53 UTC
Description of problem:

ipa-client-install doesn't set appropriate permissions on /etc/pki/ca-trust/source/ipa.p11-kit. It takes permissions based on umask.

We see the following error in the logs:

p11-kit: couldn't open and map file: /etc/pki/ca-trust/source/ipa.p11-kit: Permission denied
p11-kit: couldn't open and map file: /etc/pki/ca-trust/source/ipa.p11-kit: Permission denied
p11-kit: couldn't open and map file: /etc/pki/ca-trust/source/ipa.p11-kit: Permission denied


How reproducible:

1. Set the umask of root user to 0077. 

2. Install ipa-client on RHEL 7.3 server. 

3. Check the permissions on the file /etc/pki/ca-trust/source/ipa.p11-kit.



Actual results:

Permissions on file /etc/pki/ca-trust/source/ipa.p11-kit are set as below:

# ll /etc/pki/ca-trust/source/ipa.p11-kit 
-rw------- 1 root root 3601 May  7 17:39 /etc/pki/ca-trust/source/ipa.p11-kit



Expected results:

Permissions on file /etc/pki/ca-trust/source/ipa.p11-kit should be readable by others:

# ll /etc/pki/ca-trust/source/ipa.p11-kit 
-rw-r--r-- 1 root root 3601 May  7 18:54 /etc/pki/ca-trust/source/ipa.p11-kit




Additional info:

File permissions are not being set explicitly as part of the RPM. 

# rpm -qvl ipa-client-common
drwxr-xr-x    2 root    root                        0 Mar 14 14:13 /etc/ipa
-rw-r--r--    1 root    apache                      0 Mar 14 14:13 /etc/ipa/ca.crt
-rw-r--r--    1 root    apache                      0 Mar 14 14:13 /etc/ipa/default.conf
drwxr-xr-x    2 root    root                        0 Mar 14 14:13 /etc/ipa/nssdb
----------    1 root    root                        0 Mar 14 14:13 /etc/ipa/nssdb/cert8.db
----------    1 root    root                        0 Mar 14 14:13 /etc/ipa/nssdb/key3.db
----------    1 root    root                        0 Mar 14 14:13 /etc/ipa/nssdb/pwdfile.txt
----------    1 root    root                        0 Mar 14 14:13 /etc/ipa/nssdb/secmod.db
----------    1 root    root                        0 Mar 14 14:13 /etc/pki/ca-trust/source/ipa.p11-kit
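An added example (not FreeIPA's own code) that reproduces the umask dependence the description reports, shows the explicit-mode write that avoids it, and includes the world-readable check an audit would run over the trust source directory. The file contents and paths are constructed stand-ins.

```python
import os
import stat
import tempfile

# Constructed stand-in for an IPA CA trust anchor in p11-kit's text format
# (the real /etc/pki/ca-trust/source/ipa.p11-kit holds the CA certificate).
SAMPLE_P11KIT = b'[p11-kit-object-v1]\nlabel: "Example IPA CA"\nclass: certificate\n'


def write_umask_dependent(path, data):
    """Naive write, as the report describes: open() creates the file with
    0o666 masked by the process umask, so umask 0o077 yields 0o600."""
    with open(path, "wb") as f:
        f.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)


def write_world_readable(path, data, mode=0o644):
    """Hardened write: os.open()'s mode argument is also masked by umask,
    so fchmod() the descriptor to the intended mode before closing. A trust
    anchor must be readable by every unprivileged process loading p11-kit."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    try:
        os.write(fd, data)
        os.fchmod(fd, mode)  # undo whatever the umask removed
    finally:
        os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)


def world_readable(path):
    """Audit check usable over /etc/pki/ca-trust/source/*: True if the
    'other' read bit is set, i.e. p11-kit can map the file as any user."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & stat.S_IROTH)


def reproduce():
    """Recreate the report's condition (umask 0o077) in a temporary
    directory and return the resulting modes and audit results."""
    old_umask = os.umask(0o077)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            naive = os.path.join(tmp, "ipa.p11-kit")
            fixed = os.path.join(tmp, "ipa-fixed.p11-kit")
            return {
                "naive_mode": write_umask_dependent(naive, SAMPLE_P11KIT),
                "fixed_mode": write_world_readable(fixed, SAMPLE_P11KIT),
                "naive_readable": world_readable(naive),
                "fixed_readable": world_readable(fixed),
            }
    finally:
        os.umask(old_umask)
```

Running `reproduce()` under the report's umask returns 0o600 for the naive write and 0o644 for the explicit-mode write; `world_readable()` on its own is the check to run against the real trust source files.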

Comment 2 Standa Laznicka 2017-05-15 15:57:25 UTC
The permissions I believe are fine. The error in the logs resembles https://bugzilla.redhat.com/show_bug.cgi?id=1427897. The root cause there was that the system trust module was enabled, effectively bypassing IPA trust store.

To see if this could be the problem, the customer should try to issue
`modutil -dbdir /etc/httpd/alias -list "Root Certs" | grep "Status: Enabled"`
as root.

If they get some output, just run:
`modutil -dbdir /etc/httpd/alias/ -disable "Root Certs" -force`
as root and restart IPA with `ipactl restart`. This should solve the problem.

Comment 3 Petr Vobornik 2017-05-19 11:57:08 UTC

*** This bug has been marked as a duplicate of bug 1427897 ***