Bug 1577525
| Summary: | Incorrect permissions on IPA-installed files when UMASK not default | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jan <redhat> |
| Component: | freeipa | Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | low | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 28 | CC: | abokovoy, ipa-maint, jcholast, jhrozek, pvoborni, rcritten, ssorce |
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Last Closed: | 2018-05-14 14:47:25 UTC | Type: | Bug |

*** This bug has been marked as a duplicate of bug 1485217 ***

Description of problem:
When installing FreeIPA on a system where UMASK is non-default removing rwx access to "other", one can not log in to the IPA server web portal due to incorrect permissions on IPA-installed certificates and other content.

Version-Release number of selected component (if applicable):
4.6.90.pre1-6.1.fc28

How reproducible:
permanent issue, if UMASK was incorrect during installation

Steps to Reproduce:
1. change UMASK to 0007 ("umask 0007")
2. install IPA normally (I used a script with the command line "/usr/sbin/ipa-server-install --mkhomedir --no-ntp --idstart=20000 --idmax=39999 --no-ui-redirect")
3. open a browser and navigate to https://<hostname>/ipa/ui and log in.

Actual results:
The login fails due to an "unknown reason". Apache access_log provides an HTTP 500 error. error_log states that one of the files cannot be accessed (e.g. /var/lib/ipa-client/pki/ca-bundle.pem). Changing permissions will yield the next file on the next attempt.

Expected results:
When running an automation routine like ipa-server-install, it shall take care of setting file permissions itself and shall not rely on a system's UMASK to do it.

Additional info:
Regression: Installing the shipped version of FreeIPA on a system with the above UMASK worked on Fedora 26, but stopped working on Fedora 27 (however, I did not investigate the reasons back then, but remained on F26 instead).
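
Added example, not part of the original report and not FreeIPA's own code: a Python sketch of why a file created under umask 0007 loses its "other" read bit, how an installer can set the mode explicitly instead, and how to audit a tree for files a service account outside the owning group cannot read. The function names and the .pem file names are hypothetical, and the files are constructed in a temporary directory.

```python
import os
import stat
import tempfile

def write_umask_dependent(path, data):
    """Request 0644 at creation; the kernel clears whatever bits the umask masks."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)
    with os.fdopen(fd, "wb") as f:
        f.write(data)

def write_with_explicit_mode(path, data, mode=0o644):
    """Create the file restrictively, then set the final mode; fchmod ignores the umask."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
        os.fchmod(f.fileno(), mode)

def find_not_world_readable(root):
    """List entries under root that lack o+r (files) or o+rx (directories)."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            need = stat.S_IROTH
            if stat.S_ISDIR(st.st_mode):
                need |= stat.S_IXOTH
            if st.st_mode & need != need:
                hits.append((path, oct(stat.S_IMODE(st.st_mode))))
    return sorted(hits)

def demo():
    """Write both ways under umask 0007; return the modes and the flagged file names."""
    old = os.umask(0o007)  # same umask as in the reproduction steps
    try:
        with tempfile.TemporaryDirectory() as root:
            naive = os.path.join(root, "naive.pem")        # constructed sample file
            explicit = os.path.join(root, "explicit.pem")  # constructed sample file
            write_umask_dependent(naive, b"constructed\n")
            write_with_explicit_mode(explicit, b"constructed\n")
            modes = {"naive": stat.S_IMODE(os.stat(naive).st_mode),
                     "explicit": stat.S_IMODE(os.stat(explicit).st_mode)}
            flagged = [os.path.basename(p) for p, _ in find_not_world_readable(root)]
            return modes, flagged
    finally:
        os.umask(old)

if __name__ == "__main__":
    print(demo())
```

Whether a given file should be world-readable is a per-file decision (a CA bundle yes, a private key no), so the audit output is a list to review, not a list to chmod blindly.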