Bug 1691544
| Summary: | rootless unable to access subscription | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Qian Cai <qcai> |
| Component: | subscription-manager | Assignee: | Jiri Hnidek <jhnidek> |
| Status: | CLOSED ERRATA | QA Contact: | Red Hat subscription-manager QE Team <rhsm-qe> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | | |
| Version: | 8.0 | CC: | akostadi, atomic-bugs, bcourt, cdonnell, csnyder, dornelas, dwalsh, gscrivan, imcleod, jhnidek, jligon, jsefler, lsm5, mburgerh, mheon, mmcgrath, pthomas, redakkan, rjerrido, smccarty, thoger |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 8.1 | Flags: | pm-rhel: mirror+ |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | subscription-manager-1.25.11-1 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | 1690514 | | |
| : | 1710564 1927920 | Environment: | |
| Last Closed: | 2019-11-05 22:15:36 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1690514, 1718384 | | |
| Bug Blocks: | 1186913, 1691543, 1710564, 1718915, 1734574 | | |
Comment 1
Chris Snyder
2019-03-22 15:53:17 UTC
(In reply to Chris Snyder from comment #1)
> Was the last step "subscription-manager ?: chmod o+r /etc/pki/entitlement/1939799096719564946-key.pem" necessary for you to successfully access your subscription?

Yes, it is necessary. If you need the subscription key file in order to install packages inside of a RHEL container, then in order to use it for rootless users, it needs to be readable by them. As a compromise, could we make it readable to a group? Say create an imagebuilders group. Then the admin could add any users to that group to be able to build from it. I don't think this is an issue with non-rootless containers, since we are actually copying the content into the container images at container creation time.

What is the risk of a non-privileged user getting access to this file?

Ok, so we need to get an updated subscription-manager package that adds a "packager" group, and then sets the ownership of the certs to 740 root packager.

So can we just revert the change made back in 2011 to make this not world readable, and get this into the 8.1 release? Or earlier.

Was trying this out the other day. I ran into the fact that I both had to o+r the entitlement file, *and* make /var/run/rhsm world writable (for a cert.pid file). Not pretty, but at least it works after.
This was on a newly deployed VM from Sat65:
buildah unshare
newcontainer=$(buildah from scratch)
scratchmnt=$(buildah mount $newcontainer)
dnf install --installroot $scratchmnt bash
Unable to detect release version (use '--releasever' to specify release version)
Updating Subscription Management repositories.
Unable to read consumer identity
2019-05-29 10:17:47,328 [ERROR] dnf:13951:MainThread @lock.py:152 - [Errno 13] Permission denied: '/var/run/rhsm/cert/var/rhsm/cert.pid'
Traceback (most recent call last):
File "/usr/lib64/python3.6/site-packages/subscription_manager/lock.py", line 132, in acquire
f.open()
File "/usr/lib64/python3.6/site-packages/subscription_manager/lock.py", line 41, in open
self.fp = open(self.path, 'w')
PermissionError: [Errno 13] Permission denied: '/var/run/rhsm/cert.pid'
could not create lock
2019-05-29 10:17:47,329 [INFO] dnf:13951:MainThread @connection.py:924 - Connection built: host=sat6cast.deployment6.lan port=443 handler=/rhsm auth=identity_cert ca_dir=/etc/rhsm/ca/ insecure=False
2019-05-29 10:17:47,330 [INFO] dnf:13951:MainThread @entcertlib.py:131 - certs updated:
Total updates: 0
Found (local) serial# []
Expected (UEP) serial# []
Added (new)
<NONE>
Deleted (rogue):
<NONE>
2019-05-29 10:17:47,377 [INFO] dnf:13951:MainThread @connection.py:638 - Response: status=200, request="GET /rhsm/status"
2019-05-29 10:17:47,378 [ERROR] dnf:13951:MainThread @lock.py:152 - [Errno 13] Permission denied: '/var/run/rhsm/cert.pid'
Traceback (most recent call last):
File "/usr/lib64/python3.6/site-packages/subscription_manager/lock.py", line 132, in acquire
f.open()
File "/usr/lib64/python3.6/site-packages/subscription_manager/lock.py", line 41, in open
self.fp = open(self.path, 'w')
PermissionError: [Errno 13] Permission denied: '/var/run/rhsm/cert.pid'
could not create lock
2019-05-29 10:17:47,379 [INFO] dnf:13951:MainThread @repolib.py:464 - repos updated: Repo updates
Total repo updates: 0
Updated
<NONE>
Added (new)
<NONE>
Deleted
<NONE>
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs) 0.0 B/s | 0 B 00:00
Error: Failed to synchronize cache for repo 'rhel-8-for-x86_64-appstream-rpms'
Unsure what happened there, but I had some mislabeled files, and relabeling makes the dnf operation work now. There's still an ugly error around cert.pid, but it's no longer blocking.

Demonstrating that on RHEL 8 GA, the entitlement certs were not world readable:
==========================================================================
# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 2.3.17-1
subscription management rules: 5.35
subscription-manager: 1.23.8-35.el8
[root@kvm-04-guest01 ~]# subscription-manager register --serverurl=subscription.rhsm.stage.redhat.com --baseurl=https://cdn.stage.redhat.com --auto-attach --username=qa
Registering to: subscription.rhsm.stage.redhat.com:443/subscription
Password:
The system has been registered with ID: f6dca38b-932c-4e9a-965b-fa200fca550e
The registered system name is: kvm-04-guest01.lab.eng.rdu2.redhat.com
Installed Product Current Status:
Product Name: Red Hat Enterprise Linux for x86_64
Status: Subscribed
[root@kvm-04-guest01 ~]# yum repolist
Updating Subscription Management repositories.
Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs) 2.9 MB/s | 8.2 MB 00:02
Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs) 3.6 MB/s | 5.5 MB 00:01
Last metadata expiration check: 0:00:01 ago on Thursday 27 June 2019 05:51:00 AM EDT.
repo id repo name status
rhel-8-for-x86_64-appstream-rpms Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs) 5,702
rhel-8-for-x86_64-baseos-rpms Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs) 2,053
[root@kvm-04-guest01 ~]# ll /etc/pki/entitlement/*
-rw-------. 1 root root 3243 Jun 27 05:50 /etc/pki/entitlement/537910463050905418-key.pem
-rw-r--r--. 1 root root 130259 Jun 27 05:50 /etc/pki/entitlement/537910463050905418.pem
^^ notice the key file doesn't have world-readable permissions.
Switch to a non-root user:
[root@kvm-04-guest01 ~]# su test
[test@kvm-04-guest01 ~]$ yum repolist
Not root, Subscription Management repositories not updated
Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs) 0.0 B/s | 0 B 00:01
Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs) 0.0 B/s | 0 B 00:00
Failed to synchronize cache for repo 'rhel-8-for-x86_64-appstream-rpms', ignoring this repo.
Failed to synchronize cache for repo 'rhel-8-for-x86_64-baseos-rpms', ignoring this repo.
^^ notice yum repolist failed

Let's update subscription-manager to the latest:
==================================================
[root@kvm-04-guest01 ~]# yum update subscription-manager --quiet -y
[root@kvm-04-guest01 ~]# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 2.3.17-1
subscription management rules: 5.35
subscription-manager: 1.25.11-1.el8
[root@kvm-04-guest01 ~]# ll /etc/pki/entitlement/*
-rw-------. 1 root root 3243 Jun 27 05:50 /etc/pki/entitlement/537910463050905418-key.pem
-rw-r--r--. 1 root root 130259 Jun 27 05:50 /etc/pki/entitlement/537910463050905418.pem
^^ Notice it's not world-readable (as this is the earlier entitlement cert that was installed on the system).

Let's refresh and check the permissions:
[root@kvm-04-guest01 ~]# subscription-manager refresh
1 local certificate has been deleted.
All local data refreshed
[root@kvm-04-guest01 ~]# ll /etc/pki/entitlement/*
-rw-r--r--. 1 root root 3243 Jun 27 06:01 /etc/pki/entitlement/1979860778236487299-key.pem
-rw-r--r--. 1 root root 130259 Jun 27 06:01 /etc/pki/entitlement/1979860778236487299.pem
^^ new entitlement certs were downloaded, but this time with world-readable permissions.

Observed that with the latest subscription-manager installed, entitlement certs are now world-readable. Based on the above observations, moving the bug to verified.
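The verification above checks `ls -l` output by eye. The script below is an added example, not part of the bug thread and not subscription-manager code: it audits an entitlement directory the same way, distinguishing public certificates from private keys (`*-key.pem`) and returning non-zero when any private key has its "other" read bit set, so an administrator can tell the three states discussed in this bug apart: the RHEL 8 GA layout (key 600), the 1.25.11 layout (key 644), and the group-based compromise proposed in the comments (key 640, group such as "packager"). It assumes GNU coreutils `stat -c '%a'` as on RHEL; the temporary directory, file modes and serial number it builds are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the bug report or subscription-manager): audit the
# permissions of entitlement certificates and private keys.
# Assumes GNU coreutils (stat -c '%a'), as shipped on RHEL.

# world_readable FILE: succeed if the "other" read bit of FILE is set.
world_readable() {
    _wm=$(stat -c '%a' "$1")
    # stat prints the mode without a leading 0; add one so $(( )) reads it as octal.
    [ "$(( 0$_wm & 4 ))" -ne 0 ]
}

# audit_entitlement_dir DIR: print one line per .pem file in DIR and return 1 if
# any private key (*-key.pem) is world-readable, 0 if all keys are owner/group only.
audit_entitlement_dir() {
    _rc=0
    for _f in "$1"/*.pem; do
        [ -e "$_f" ] || continue
        _m=$(stat -c '%a' "$_f")
        case "$_f" in
            *-key.pem)
                if world_readable "$_f"; then
                    echo "$_m $_f  WARNING: private key is world-readable"
                    _rc=1
                else
                    echo "$_m $_f  ok (private key not world-readable)"
                fi ;;
            *)
                echo "$_m $_f  public certificate" ;;
        esac
    done
    return $_rc
}

# make_sample_dir KEYMODE CERTMODE: build a constructed entitlement directory
# under mktemp with one key/cert pair (made-up serial) and print its path.
make_sample_dir() {
    _d=$(mktemp -d)
    : > "$_d/1234567890123456789-key.pem"
    : > "$_d/1234567890123456789.pem"
    chmod "$1" "$_d/1234567890123456789-key.pem"
    chmod "$2" "$_d/1234567890123456789.pem"
    echo "$_d"
}

# Demo over the three states from the thread (cert is 644 in all of them):
#   GA    -> key 600 (1.23.8): rootless users cannot read the key
#   fix   -> key 644 (1.25.11): readable by everyone
#   group -> key 640, owner root, group e.g. "packager" (the proposed compromise)
for _state in "GA 600" "fix 644" "group 640"; do
    _name=${_state% *}
    _keymode=${_state#* }
    _dir=$(make_sample_dir "$_keymode" 644)
    echo "== $_name =="
    audit_entitlement_dir "$_dir" || echo "-> $_name: at least one private key is world-readable"
    rm -rf "$_dir"
done
```

On a real host, replace the constructed directory with `/etc/pki/entitlement`; a non-zero exit from `audit_entitlement_dir` is the condition to alert on if the site policy is that entitlement keys stay restricted to a build group rather than to everyone.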
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:3561