Bug 1545372
Summary: | [SPEC] rpm -V failures | ||||||
---|---|---|---|---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Frantisek Kluknavsky <fkluknav> | ||||
Component: | systemd | Assignee: | David Tardon <dtardon> | ||||
Status: | CLOSED ERRATA | QA Contact: | Frantisek Sumsal <fsumsal> | ||||
Severity: | unspecified | Docs Contact: | |||||
Priority: | unspecified | ||||||
Version: | 7.6 | CC: | ajschorr, bugzilla, dtardon, fsumsal, jsynacek, kwalker, peter.vreman, systemd-maint-list, ysoni | ||||
Target Milestone: | rc | ||||||
Target Release: | --- | ||||||
Hardware: | Unspecified | ||||||
OS: | Unspecified | ||||||
Whiteboard: | |||||||
Fixed In Version: | Doc Type: | If docs needed, set a value | |||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2020-03-31 20:02:09 UTC | Type: | Bug | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Bug Depends On: | |||||||
Bug Blocks: | 1716963, 1719445 | ||||||
Attachments: |
|
Description
Frantisek Kluknavsky
2018-02-14 18:35:18 UTC
How is this a systemd problem? I think that there was no change in systemd that caused it. Same privileges are on rhel-7.4 as well. But the behaviour of rpm -V is different Yes, in both 7.4 and 7.5 the real /etc/machine-id permissions are 444 and rpm database says 644. Systemd did not change between 7.4 and 7.5, rpm -V changed. I would still say it is a problem with systemd, simply because those files are owned by systemd.rpm. Or, at least I would expect systemd maintainers to know if this is intended and help reassign the report to the proper place. Pretty please, give me a hint if you know. Systemd-machine-id-setup, which is... still systemd? Anaconda? It is quite invasive since every artifact based on rhel-7.5 which goes through a few basic checks must have these checks fixed. I filed a bug about this against rpm (see closed bug #1583796), and the rpm maintainer Panu Matilainen said "please file bugs on the affected packages, those %ghost permissions should be updated to match reality." So please fix the systemd rpm spec file to set the correct permissions: sh-4.2# rpm --verify -q systemd .M....... c /etc/machine-id .M....... g /etc/udev/hwdb.bin .M....... g /var/lib/systemd/random-seed .M....G.. g /var/log/journal sh-4.2# rpm -qlv systemd | egrep '/etc/machine-id|/etc/udev/hwdb.bin|/var/lib/systemd/random-seed|/var/log/journal' -rw-r--r-- 1 root root 0 Apr 11 03:36 /etc/machine-id -rw-r--r-- 1 root root 0 Apr 11 03:36 /etc/udev/hwdb.bin -rw-r--r-- 1 root root 0 Apr 11 03:36 /var/lib/systemd/random-seed drwxr-xr-x 2 root root 0 Apr 11 03:36 /var/log/journal sh-4.2# ls -ld /etc/machine-id /etc/udev/hwdb.bin /var/lib/systemd/random-seed /var/log/journal -r--r--r--. 1 root root 33 Feb 24 10:55 /etc/machine-id -r--r--r-- 1 root root 7780559 May 19 17:37 /etc/udev/hwdb.bin -rw-------. 1 root root 1024 May 28 10:35 /var/lib/systemd/random-seed drwxr-sr-x+ 3 root systemd-journal 60 Apr 4 13:00 /var/log/journal It seems that rpm was patched between 7.4 and 7.5 to start reporting these inconsistencies. Thanks, Andy In 7.6 (systemd-219-62.el7.x86_64), 3 of the 4 are fixed, but this one is still wrong: sh-4.2# rpm --verify -q systemd .M....G.. g /var/log/journal sh-4.2# rpm -qlv systemd | fgrep /var/log/journal drwxr-xr-x 2 root root 0 Oct 30 19:31 /var/log/journal sh-4.2# ls -ld /var/log/journal drwxr-sr-x+ 3 root systemd-journal 60 Apr 4 2018 /var/log/journal Regards, Andy *** Bug 1572717 has been marked as a duplicate of this bug. *** *** Bug 1671327 has been marked as a duplicate of this bug. *** Citing from bug 1671327 comment 2: > .M....G.. g /var/log/journal > > [root@localhost ~]# ls -ld /var/log/journal > drwxr-sr-x+ 3 root systemd-journal 46 Jan 29 13:18 /var/log/journal The SGID comes from a tmpfiles.d snippet: # grep 2755 /usr/lib/tmpfiles.d/systemd.conf z /run/log/journal 2755 root systemd-journal - - z /var/log/journal 2755 root systemd-journal - - z /var/log/journal/%m 2755 root systemd-journal - - It is set so that everyone in the systemd-journal group gets access to the journal files. Also, systemd-journald itself then doesn't have to care about file permissions and doesn't have to do possible user/group lookups, which in turn (depending on the nsswitch.conf) might cause other services to use the journal, which would result in a deadlock. *** Bug 1671327 has been marked as a duplicate of this bug. *** Created attachment 1559288 [details] Patch to correct the specfile @David, This is a bug. The tmpfiles configuration sets the file permissions to 2755 for /var/log/journal/ and subdirectories. %ghost %dir %{_localstatedir}/log/journal We need to change the definition in the specfile to the following to make sure it matches what is intended. On top of that, we will need to add the "%verify(not mode)" since extended ACLs are not currently supported [^1]. %ghost %dir %attr(2755, root, systemd-journal) %verify(not mode) %{_localstatedir}/log/journal Without this change, STIG compliance validation will fail after a reboot for the following high priority check [^2]. The reason why this is just now a problem is that rpm previously, incorrectly, didn't check %ghost attributes. This was investigated and corrected in later releases [^3]. With this patch included, I conducted the following test: # rpm -q systemd # rpm -V systemd # mkdir /var/log/journal # rpm -V systemd # systemctl reboot # rpm -V systemd Results: # rpm -q systemd systemd-219-64.el7.rhbz1545372.x86_64 # rpm -V systemd # mkdir /var/log/journal # rpm -V systemd ......G.. g /var/log/journal # systemctl reboot # rpm -V systemd Without the above patch, the verification fails before and after the reboot when you create the /var/log/journal directory. [^1]: 1184126 – RFE: support setting ACLs on packaged directories - https://bugzilla.redhat.com/show_bug.cgi?id=1184126 [^2]: https://rhel7stig.readthedocs.io/en/latest/high.html#v-71849-the-file-permissions-ownership-and-group-membership-of-system-files-and-commands-must-match-the-vendor-values-rhel-07-010010 [^3]: 1406611 – [RFE] Add 'rpm --noconfig' option to ignore %config files during 'rpm -Va' - https://bugzilla.redhat.com/show_bug.cgi?id=1406611 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:1117 |