Bug 1870202

Summary: File permissions of /etc/ipa/ca.crt differ between CA-ful and CA-less
Product: Red Hat Enterprise Linux 8 Reporter: Florence Blanc-Renaud <frenaud>
Component: ipa    Assignee: Thomas Woerner <twoerner>
Status: CLOSED ERRATA QA Contact: ipa-qe <ipa-qe>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 8.0    CC: ksiddiqu, myusuf, rcritten, tscherf
Target Milestone: rc    Keywords: TestCaseProvided
Target Release: 8.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-11-04 02:51:33 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Florence Blanc-Renaud 2020-08-19 14:12:05 UTC
This bug is created as a clone of upstream ticket:
https://pagure.io/freeipa/issue/8441

### Issue
On a CA-ful installation /etc/ipa/ca.crt has mode 0644. On a CA-less installation it is 0444.

This inconsistency raises a false positive for freeipa-healthcheck.

In a CA-less environment the CA certificate is created at https://pagure.io/freeipa/blob/master/f/ipaserver/install/server/install.py#_909 prior to DS installation, but then overwritten at the end of init_from_pkcs12 in export_ca_cert (https://pagure.io/freeipa/blob/master/f/ipaserver/install/certs.py#_325). The original creation is probably not necessary at all. In both cases the cert is created as 0444.

In a CA-ful environment the CA certificate is created by pkispawn as 0644.

I don't have strong feelings either way which one is correct. The file is owned by root so the write mode is a no-op. I'm inclined to make it 0644 since there are more existing CA-ful installations.

It is TBD whether the initial creation is needed or not. If it isn't needed then those lines should be removed.

I don't see a need for an upgrader to fix existing perms. It is just a warning from healthcheck in any case.
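As an added example (not code from this bug report or from FreeIPA / freeipa-healthcheck), the following Python checker does what the `stat -c '%U:%G:%a'` verification quoted in the later comments does by hand: it compares a file's owner, group and permission bits against an expected state (root:root:0644 for /etc/ipa/ca.crt after the fix) and reports only real mismatches. The `parse_stat_output`, `compare_perms`, `check_file_perms` and `demo` names, and the temporary file `demo` creates, are constructed for illustration.

```python
import grp
import os
import pwd
import stat
import tempfile

# Expected state of /etc/ipa/ca.crt after the upstream fix (from the bug): root-owned, mode 0644.
EXPECTED = {"owner": "root", "group": "root", "mode": 0o644}


def _name(lookup, numeric_id, attr):
    """Resolve a uid/gid to a name, falling back to the number if it is unknown."""
    try:
        return getattr(lookup(numeric_id), attr)
    except KeyError:
        return str(numeric_id)


def parse_stat_output(line):
    """Parse a `stat -c %U:%G:%a` result such as 'root:root:644' into a dict."""
    owner, group, mode = line.strip().split(":")
    return {"owner": owner, "group": group, "mode": int(mode, 8)}


def compare_perms(actual, expected):
    """Return a list of findings (empty list = file matches the expected state)."""
    findings = []
    for key in ("owner", "group"):
        if actual[key] != expected[key]:
            findings.append(f"{key}: expected {expected[key]}, got {actual[key]}")
    if actual["mode"] != expected["mode"]:
        findings.append(
            f"mode: expected {expected['mode']:04o}, got {actual['mode']:04o}"
        )
    return findings


def check_file_perms(path, expected):
    """Stat `path` and compare owner, group and permission bits with `expected`.

    Only the permission bits (S_IMODE) are compared, so file-type bits never
    produce a spurious mismatch.
    """
    st = os.stat(path)
    actual = {
        "owner": _name(pwd.getpwuid, st.st_uid, "pw_name"),
        "group": _name(grp.getgrgid, st.st_gid, "gr_name"),
        "mode": stat.S_IMODE(st.st_mode),
    }
    return compare_perms(actual, expected)


def demo(mode):
    """Create a constructed temporary file with `mode` and check it against 0644.

    The expected owner/group are taken from the file itself (the demo does not
    run as root), so the result isolates the mode difference the bug is about.
    """
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, mode)
        st = os.stat(path)
        expected = {
            "owner": _name(pwd.getpwuid, st.st_uid, "pw_name"),
            "group": _name(grp.getgrgid, st.st_gid, "gr_name"),
            "mode": 0o644,
        }
        return check_file_perms(path, expected)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # A captured stat line from a CA-less install before the fix, constructed here.
    print(compare_perms(parse_stat_output("root:root:444"), EXPECTED))
    print(demo(0o644), demo(0o444))
```

Pointing `check_file_perms("/etc/ipa/ca.crt", EXPECTED)` at a real server reproduces the healthcheck finding on a pre-fix CA-less install (mode 0444) and an empty list on a fixed one; since the file is root-owned either way, the difference is a reporting inconsistency rather than a change in who can write the file.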

Comment 1 Florence Blanc-Renaud 2020-08-19 14:14:10 UTC
Fixed upstream:
master:

    ec367aa Set mode of /etc/ipa/ca.crt to 0644 in CA-less installations
    7e37b45 ipatests: Check permissions of /etc/ipa/ca.crt new installations

ipa-4-8:

    4a97145 Set mode of /etc/ipa/ca.crt to 0644 in CA-less installations
    da2079c ipatests: Check permissions of /etc/ipa/ca.crt new installations

Upstream test added in ipatests/test_integration/test_caless.py and ipatests/test_integration/test_installation.py

Comment 4 Mohammad Rizwan 2020-08-20 09:24:26 UTC
With 4.8.7.10.module+el8.3.0+7702+ced5f219, automation passed. report.html (automation log) is attached.

[..]
transport.py               391 INFO     RUN ['/usr/bin/stat', '-c', '%U:%G:%a', '/etc/ipa/ca.crt']
transport.py               513 DEBUG    RUN ['/usr/bin/stat', '-c', '%U:%G:%a', '/etc/ipa/ca.crt']
transport.py               558 DEBUG    root:root:644
[..]

Hence marking the bug as verified.

Comment 6 Mohammad Rizwan 2020-08-20 09:54:20 UTC
test_integration/test_installation.py::TestInstallCA::()::test_ipa_ca_crt_permissions

[..]
transport.py               391 INFO     RUN ['/usr/bin/stat', '-c', '%U:%G:%a', '/etc/ipa/ca.crt']
transport.py               513 DEBUG    RUN ['/usr/bin/stat', '-c', '%U:%G:%a', '/etc/ipa/ca.crt']
transport.py               558 DEBUG    root:root:644
[..]

report.html attached.

Comment 10 errata-xmlrpc 2020-11-04 02:51:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4670