Bug 1545372

How is this a systemd problem?

I think that there was no change in systemd that caused it. Same privileges are on rhel-7.4 as well. But the behaviour of rpm -V is different

Yes, in both 7.4 and 7.5 the real /etc/machine-id permissions are 444 and rpm database says 644. Systemd did not change between 7.4 and 7.5, rpm -V changed. I would still say it is a problem with systemd, simply because those files are owned by systemd.rpm. Or, at least I would expect systemd maintainers to know if this is intended and help reassign the report to the proper place. Pretty please, give me a hint if you know. Systemd-machine-id-setup, which is... still systemd? Anaconda?

It is quite invasive since every artifact based on rhel-7.5 which goes through a few basic checks must have these checks fixed.

I filed a bug about this against rpm (see closed bug #1583796), and the rpm maintainer Panu Matilainen said "please file bugs on the affected packages,
those %ghost permissions should be updated to match reality."

So please fix the systemd rpm spec file to set the correct permissions:

sh-4.2# rpm --verify -q systemd
.M.......  c /etc/machine-id
.M.......  g /etc/udev/hwdb.bin
.M.......  g /var/lib/systemd/random-seed
.M....G..  g /var/log/journal
sh-4.2# rpm -qlv systemd | egrep '/etc/machine-id|/etc/udev/hwdb.bin|/var/lib/systemd/random-seed|/var/log/journal'
-rw-r--r--    1 root    root                        0 Apr 11 03:36 /etc/machine-id
-rw-r--r--    1 root    root                        0 Apr 11 03:36 /etc/udev/hwdb.bin
-rw-r--r--    1 root    root                        0 Apr 11 03:36 /var/lib/systemd/random-seed
drwxr-xr-x    2 root    root                        0 Apr 11 03:36 /var/log/journal
sh-4.2# ls -ld /etc/machine-id /etc/udev/hwdb.bin /var/lib/systemd/random-seed /var/log/journal
-r--r--r--. 1 root root                 33 Feb 24 10:55 /etc/machine-id
-r--r--r--  1 root root            7780559 May 19 17:37 /etc/udev/hwdb.bin
-rw-------. 1 root root               1024 May 28 10:35 /var/lib/systemd/random-seed
drwxr-sr-x+ 3 root systemd-journal      60 Apr  4 13:00 /var/log/journal

It seems that rpm was patched between 7.4 and 7.5 to start reporting these inconsistencies.

Thanks,
Andy

In 7.6 (systemd-219-62.el7.x86_64), 3 of the 4 are fixed, but this one is still wrong:

sh-4.2# rpm --verify -q systemd
.M....G..  g /var/log/journal
sh-4.2# rpm -qlv systemd | fgrep /var/log/journal
drwxr-xr-x    2 root    root                        0 Oct 30 19:31 /var/log/journal
sh-4.2# ls -ld /var/log/journal
drwxr-sr-x+ 3 root systemd-journal 60 Apr  4  2018 /var/log/journal

Regards,
Andy

*** Bug 1572717 has been marked as a duplicate of this bug. ***

*** Bug 1671327 has been marked as a duplicate of this bug. ***

Citing from bug 1671327 comment 2:

> .M....G..  g /var/log/journal
> 
> [root@localhost ~]# ls -ld /var/log/journal
> drwxr-sr-x+ 3 root systemd-journal 46 Jan 29 13:18 /var/log/journal

The SGID comes from a tmpfiles.d snippet:

# grep 2755 /usr/lib/tmpfiles.d/systemd.conf
z /run/log/journal 2755 root systemd-journal - -
z /var/log/journal 2755 root systemd-journal - -
z /var/log/journal/%m 2755 root systemd-journal - -

It is set so that everyone in the systemd-journal group gets access to the journal files. Also, systemd-journald itself then doesn't have to care about file permissions and doesn't have to do possible user/group lookups, which in turn (depending on the nsswitch.conf) might cause other services to use the journal, which would result in a deadlock.

*** Bug 1671327 has been marked as a duplicate of this bug. ***

Created attachment 1559288 [details]
Patch to correct the specfile

@David,

This is a bug. The tmpfiles configuration sets the file permissions to 2755 for /var/log/journal/ and subdirectories. 

    %ghost %dir %{_localstatedir}/log/journal

We need to change the definition in the specfile to the following to make sure it matches what is intended. On top of that, we will need to add the "%verify(not mode)" since extended ACLs are not currently supported [^1].

    %ghost %dir %attr(2755, root, systemd-journal) %verify(not mode) %{_localstatedir}/log/journal


Without this change, STIG compliance validation will fail after a reboot for the following high priority check [^2]. The reason why this is just now a problem is that rpm previously, incorrectly, didn't check %ghost attributes. This was investigated and corrected in later releases [^3].

With this patch included, I conducted the following test:

    # rpm -q systemd
    # rpm -V systemd
    # mkdir /var/log/journal
    # rpm -V systemd
    # systemctl reboot
    # rpm -V systemd

Results:

    # rpm -q systemd
    systemd-219-64.el7.rhbz1545372.x86_64
    
    # rpm -V systemd
    # mkdir /var/log/journal
    # rpm -V systemd
    ......G..  g /var/log/journal
    # systemctl reboot
    # rpm -V systemd


Without the above patch, the verification fails before and after the reboot when you create the /var/log/journal directory.

[^1]: 1184126 – RFE: support setting ACLs on packaged directories - https://bugzilla.redhat.com/show_bug.cgi?id=1184126
[^2]: https://rhel7stig.readthedocs.io/en/latest/high.html#v-71849-the-file-permissions-ownership-and-group-membership-of-system-files-and-commands-must-match-the-vendor-values-rhel-07-010010
[^3]: 1406611 – [RFE] Add 'rpm --noconfig' option to ignore %config files during 'rpm -Va' - https://bugzilla.redhat.com/show_bug.cgi?id=1406611

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1117