Bug 1462841

Summary: Satellite Packaging should properly set user/group ownership and permissions prior to satellite-installer
Product: Red Hat Satellite
Reporter: Craig Donnelly <cdonnell>
Component: Packaging
Assignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED WONTFIX
QA Contact: Lukas Pramuk <lpramuk>
Severity: high
Docs Contact:
Priority: unspecified
Version: 6.3.0
CC: ehelms, jcallaha
Target Milestone: Unspecified
Keywords: Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-02-28 19:35:24 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Craig Donnelly 2017-06-19 16:47:58 UTC
Description of problem:
Currently, installing the Satellite packages results in a baseline inclusion of the content necessary to reach the stage of being able to run 'satellite-installer', which then finishes the job.

Among the actions 'satellite-installer' performs is ensuring that user/group ownership and permissions are set correctly on files, so that Satellite can operate properly across multiple components.

Due to the order of operations this is performed in, this results in failure of C2S security audits.

The reason for this is simple:

The 'satellite-installer' run will make modifications to some files (config/otherwise) once it is run, which do not actually get properly set up on installation via their RPMs.

This results in a failed `rpm -Va | grep '^.M'` check for modified file permissions after installation:

# rpm -Va | grep '^.M'
SM5...GT.  c /etc/foreman/database.yml
SM5...GT.  c /etc/foreman/settings.yaml
.M...UG..    /etc/pulp/vhosts80/puppet.conf
SM5...GT.  c /etc/foreman-proxy/settings.d/pulp.yml
SM5...GT.  c /etc/foreman-proxy/settings.d/pulpnode.yml
SM5...GT.  c /etc/foreman-proxy/settings.d/bmc.yml
SM5...GT.  c /etc/foreman-proxy/settings.d/dhcp.yml
SM5...GT.  c /etc/foreman-proxy/settings.d/dhcp_isc.yml
SM5...GT.  c /etc/foreman-proxy/settings.d/dns.yml
SM5...GT.  c /etc/foreman-proxy/settings.d/dns_nsupdate.yml
SM5...GT.  c /etc/foreman-proxy/settings.d/dns_nsupdate_gss.yml
SM5...GT.  c /etc/foreman-proxy/settings.d/logs.yml
SM5...GT.  c /etc/foreman-proxy/settings.d/puppet.yml
SM5...GT.  c /etc/foreman-proxy/settings.d/puppetca.yml
SM5...GT.  c /etc/foreman-proxy/settings.d/realm.yml
SM5...GT.  c /etc/foreman-proxy/settings.d/templates.yml
SM5...GT.  c /etc/foreman-proxy/settings.d/tftp.yml
SM5...GT.  c /etc/foreman-proxy/settings.yml
.M.......    /var/run/foreman-proxy
SM5...GT.  c /etc/foreman-proxy/settings.d/openscap.yml
SM5...GT.  c /etc/foreman-proxy/settings.d/remote_execution_ssh.yml
.M....G..    /var/lib/mongodb
.M.......    /var/run/mongodb
SM5....T.  c /etc/httpd/conf.d/pulp.conf
SM5....T.  c /etc/httpd/conf.d/pulp_content.conf
SM5..U.T.  c /etc/pulp/server.conf
SM5...GT.  c /etc/foreman-proxy/settings.d/dynflow.yml
.M...UG..    /etc/pulp/vhosts80/rpm.conf

Any of the above items that are indicated with a U or G have had user/group ownership modifications after install. (Being config files does not exempt them from this security practice.)

Some of the files above are not listed as config files but have had their user/group ownership changed as well as their file content. If they are being tracked as installed files by RPM, they should likely be marked as configuration files if they are to be modified by 'satellite-installer'.

The directories should be created with the correct user/group ownership from RPM installation if they are not going to be created by the binaries themselves.

Version-Release number of selected component (if applicable):
All Releases.

How reproducible:
100%

Steps to Reproduce:
1. yum install satellite
2. satellite-installer --scenario satellite
3. rpm -Va | grep '^.M'

For reference, the meaning of each flag:
       S file Size differs
       M Mode differs (includes permissions and file type)
       5 digest (formerly MD5 sum) differs
       D Device major/minor number mismatch
       L readLink(2) path mismatch
       U User ownership differs
       G Group ownership differs
       T mTime differs
       P caPabilities differ

Actual results:
User and group ownership or permissions are modified after RPM install.

Expected results:
User and group ownership / permissions should be set on file install from RPM.

Additional info:
This is an important request for secure customers and should also be a priority included with the plans for any other form of security compliance, such as FIPS.
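
An added example, not part of the bug report or of the Satellite packaging itself: a small POSIX shell filter that parses `rpm -Va` output in the shape shown above and reports only the entries whose mode, user or group changed after install, separating %config files from ordinary packaged files. The sample input is constructed from a few of the lines in the report; the function names (`rpm_verify_classify`, `ownership_drift_count`) are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report): classify `rpm -Va` verification
# lines by which attributes drifted after install. Reads rpm -Va output on
# stdin and prints one record per line: <path> <config|file|other> <drift>.
# In the 9-character flag field, position 2 is M (mode), position 6 is U
# (user owner) and position 7 is G (group owner).

# Constructed sample in the shape of the report's output, embedded so the
# script runs offline without a Satellite host.
SAMPLE='SM5...GT.  c /etc/foreman/database.yml
.M...UG..    /etc/pulp/vhosts80/puppet.conf
SM5....T.  c /etc/httpd/conf.d/pulp.conf
.M.......    /var/run/foreman-proxy
missing     /var/run/foreman-proxy/example.pid
SM5..U.T.  c /etc/pulp/server.conf'

# rpm_verify_classify: stdin = rpm -Va output; stdout = classified records.
rpm_verify_classify() {
    awk '
    # Skip "missing" entries and anything that is not a 9-char flag field
    # (rpm can also emit dependency messages on stdout).
    $1 == "missing" || length($1) != 9 { next }
    {
        flags = $1
        # The optional attribute marker (c = %config, d = %doc, ...) is a
        # single character in field 2; otherwise field 2 is the path.
        if (length($2) == 1) { kind = ($2 == "c") ? "config" : "other"; path = $3 }
        else                 { kind = "file"; path = $2 }
        drift = ""
        if (substr(flags, 2, 1) == "M") drift = drift "mode,"
        if (substr(flags, 6, 1) == "U") drift = drift "user,"
        if (substr(flags, 7, 1) == "G") drift = drift "group,"
        if (drift == "") next              # only report mode/ownership drift
        sub(/,$/, "", drift)
        print path, kind, drift
    }'
}

# ownership_drift_count: number of sample entries whose user or group owner
# changed, which the report treats as an audit finding regardless of %config.
ownership_drift_count() {
    printf '%s\n' "$SAMPLE" | rpm_verify_classify \
        | awk '$3 ~ /user|group/' | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE" | rpm_verify_classify
```

On a live host, source the script and run `rpm -Va | rpm_verify_classify`. Note that the report's `grep '^.M'` selects on the mode column only; an entry whose ownership changed while its mode did not would not appear in that grep, which is why this filter inspects positions 6 and 7 directly. Paths containing whitespace are not handled.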

Comment 2 Bryan Kearney 2019-02-07 12:09:46 UTC
The Satellite Team is attempting to provide an accurate backlog of bugzilla requests which we feel will be resolved in the next few releases. We do not believe this bugzilla will meet that criteria, and have plans to close it out in 1 month. This is not a reflection on the validity of the request, but a reflection of the many priorities for the product. If you have any concerns about this, feel free to contact Red Hat Technical Support or your account team. If we do not hear from you, we will close this bug out. Thank you.

Comment 3 Bryan Kearney 2019-02-28 19:35:24 UTC
Thank you for your interest in Satellite 6. We have evaluated this request, and while we recognize that it is a valid request, we do not expect this to be implemented in the product in the foreseeable future. This is due to other priorities for the product, and not a reflection on the request itself. We are therefore closing this out as WONTFIX. If you have any concerns about this, please do not reopen. Instead, feel free to contact Red Hat Technical Support. Thank you.