Bug 1803114

Summary: oscap-ssh fails to retrieve the result files when --sudo is used
Product: Red Hat Enterprise Linux 7 Reporter: Renaud Métrich <rmetrich>
Component: openscapAssignee: Jan Černý <jcerny>
Status: CLOSED ERRATA QA Contact: Matus Marhefka <mmarhefk>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.7CC: lcervako, matyc, mhaicman, mmarhefk, openscap-maint
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: openscap-1.2.17-10.el7 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-09-29 19:53:30 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Renaud Métrich 2020-02-14 14:12:31 UTC 
Description of problem:

Depending on the umask configuration of the target system, "sudo oscap"
may create the result files in temporary directory with 600 permissions,
which makes retrieving the log (as the regular user that ssh'ed to the
system) impossible:

$ oscap-ssh --sudo user@system 22 xccdf eval ...
[...]
oscap exit code: 0
Copying back requested files...
scp: /tmp/tmp.0kfbPWEy6u/report.html: Permission denied
Failed to copy the HTML report back to local machine!


Version-Release number of selected component (if applicable):

All openscap packages, including Upstream


How reproducible:

Always


Steps to Reproduce:
1. Set a default umask in /etc/sudoers:

Defaults	umask = 0077

2. Run oscap-ssh

$ oscap-ssh --sudo rmetrich@vm-rhel7 22 xccdf eval --rule xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated --profile xccdf_org.ssgproject.content_profile_pci-dss --report report.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

Actual results:

Failure to retrieve the result

Expected results:

Result being retrieved.

Additional info:

Issue applies Upstream. See PR https://github.com/OpenSCAP/openscap/pull/1481
Comment 3 Renaud Métrich 2020-02-17 06:50:21 UTC 
An even simple reproducer is to change the default umask in /etc/bashrc:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
    if [ $UID -gt 199 ] && [ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then
       umask 002
    else
       umask 022
    fi
    umask 027       <<<--- HERE for example
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
Comment 4 Matěj Týč 2020-02-20 09:00:10 UTC 
https://github.com/OpenSCAP/openscap/pull/1485
Comment 9 errata-xmlrpc 2020-09-29 19:53:30 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (openscap bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3914