Bug 1951050

Summary: subscription certificate file access permissions with non default umask

Product: Red Hat Enterprise Linux 8
Component: subscription-manager
Version: ---
Hardware: x86_64
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: high
Target Milestone: beta
Target Release: ---
Keywords: Triaged
Flags: pm-rhel: mirror+
Type: Bug
Fixed In Version: subscription-manager-1.28.17-1.el8
Clone Of: 1896715
Last Closed: 2021-11-09 19:37:58 UTC
Doc Type: If docs needed, set a value

Reporter: John Sefler <jsefler>
Assignee: candlepin-bugs
QA Contact: Red Hat subscription-manager QE Team <rhsm-qe>
CC: arpandey, bhenders, csnyder, dmule, jhnidek, jreznik, jsefler, ktordeur, pdwyer, redakkan, rhsm-qe, rjerrido, wpoteat

Comment 1 John Sefler 2021-04-19 14:02:27 UTC
This bug was cloned from RHEL7 to ensure that the fixes are also applied and tested against RHEL8.

Comment 2 Rehana 2021-05-21 15:01:58 UTC
Pre-verification Blocked due to https://bugzilla.redhat.com/show_bug.cgi?id=1963151

Comment 3 Rehana 2021-05-25 14:57:59 UTC
Pre-verifying on:
==================
# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 3.2.18-1
subscription management rules: 5.41
subscription-manager: 1.28.16-1.git.19.dfbe16a.el8

# rm -f /etc/pki/entitlement/*

# umask 022

# subscription-manager refresh
All local data refreshed

# ls -al /etc/pki/entitlement/
total 32
drwxr-xr-x.  2 root root    72 May 25 10:51 .
drwxr-xr-x. 12 root root   160 May 25 10:23 ..
-rw-r--r--.  1 root root  3243 May 25 10:51 8811752924126859983-key.pem
-rw-r--r--.  1 root root 24707 May 25 10:51 8811752924126859983.pem

# rm -f /etc/pki/entitlement/*

# umask 077

# subscription-manager refresh
All local data refreshed

# ls -al /etc/pki/entitlement/
total 32
drwxr-xr-x.  2 root root    72 May 25 10:51 .
drwxr-xr-x. 12 root root   160 May 25 10:23 ..
-rw-r--r--.  1 root root  3243 May 25 10:51 8811752924126859983-key.pem
-rw-r--r--.  1 root root 24707 May 25 10:51 8811752924126859983.pem

# yum clean all
Updating Subscription Management repositories.
0 files removed

# su tester
$ cd ~

$ yum info zsh
2021-05-25 10:51:44,777 [ERROR] yum:17344:MainThread @logutil.py:200 - [Errno 13] Permission denied: '/var/log/rhsm/rhsm.log' - Further logging output will be written to stderr
Not root, Subscription Management repositories not updated
2021-05-25 10:51:44,780 [ERROR] yum:17344:MainThread @identity.py:156 - Reload of consumer identity cert /etc/pki/consumer/cert.pem raised an exception with msg: [Errno 13] Permission denied: '/etc/pki/consumer/key.pem'
Last metadata expiration check: 0:06:55 ago on Tue 25 May 2021 10:44:50 AM EDT.
Available Packages
Name         : zsh
Version      : 5.5.1
Release      : 6.el8_1.2
Architecture : x86_64
Size         : 2.9 M
Source       : zsh-5.5.1-6.el8_1.2.src.rpm
Repository   : rhel-8-for-x86_64-baseos-rpms
Summary      : Powerful interactive shell
URL          : http://zsh.sourceforge.net/
License      : MIT
Description  : The zsh shell is a command interpreter usable as an interactive login
             : shell and as a shell script command processor.  Zsh resembles the ksh
             : shell (the Korn shell), but includes many enhancements.  Zsh supports
             : command line editing, built-in spelling correction, programmable
             : command completion, shell functions (with autoloading), a history
             : mechanism, and more.

Notice that the permissions on the entitlement certificates are restored and a non-root user can access the package information.

For the log entries reported on stdout, the existing Bug 1947844 will be used to track the fix.

Based on the above observation, setting Verified:Tested.

Comment 7 Rehana 2021-06-14 14:29:27 UTC
# subscription-manager version
server type: This system is currently not registered.
subscription management server: 3.2.18-1
subscription management rules: 5.41
subscription-manager: 1.28.17-1.el8

# subscription-manager register --auto-attach
Registering to: subscription.rhsm.stage.redhat.com:443/subscription
Username: ********
Password: 
The system has been registered with ID: **********
The registered system name is: ****************
Installed Product Current Status:
Product Name: Red Hat Enterprise Linux for x86_64 Beta
Status:       Subscribed

# rm -f /etc/pki/entitlement/*

# umask 022

# subscription-manager refresh
All local data refreshed

# ls -al /etc/pki/entitlement/
total 12
drwxr-xr-x.  2 root root   72 Jun 14 10:23 .
drwxr-xr-x. 12 root root  160 Jun 14 05:25 ..
-rw-r--r--.  1 root root 3243 Jun 14 10:23 6217372089105744522-key.pem
-rw-r--r--.  1 root root 7555 Jun 14 10:23 6217372089105744522.pem

# rm -f /etc/pki/entitlement/*

# umask 077

# subscription-manager refresh
All local data refreshed

# ls -al /etc/pki/entitlement/
total 12
drwxr-xr-x.  2 root root   72 Jun 14 10:23 .
drwxr-xr-x. 12 root root  160 Jun 14 05:25 ..
-rw-r--r--.  1 root root 3243 Jun 14 10:23 6217372089105744522-key.pem
-rw-r--r--.  1 root root 7555 Jun 14 10:23 6217372089105744522.pem

^^ NOTICE THAT EVEN AFTER A CHANGE IN THE DEFAULT UMASK VALUE, THE PERMISSIONS ON THE FILES ARE STILL RESTORED.

# yum clean all
Updating Subscription Management repositories.
127 files removed

# su - test
Last login: Mon Jun 14 10:24:33 EDT 2021 on pts/0

$ yum info zsh
2021-06-14 10:26:17,499 [ERROR] yum:23468:MainThread @logutil.py:198 - [Errno 13] Permission denied: '/var/log/rhsm/rhsm.log' - Further logging output will be written to stderr
Not root, Subscription Management repositories not updated
2021-06-14 10:26:17,501 [ERROR] yum:23468:MainThread @identity.py:156 - Reload of consumer identity cert /etc/pki/consumer/cert.pem raised an exception with msg: [Errno 13] Permission denied: '/etc/pki/consumer/key.pem'
Red Hat Enterprise Linux 8 for x86_64 - AppStream Beta (RPMs)                                                                                                                     5.2 MB/s | 9.6 MB     00:01    
Red Hat Enterprise Linux 8 for x86_64 - BaseOS Beta (RPMs)                                                                                                                        1.8 MB/s | 2.8 MB     00:01    
Last metadata expiration check: 0:00:01 ago on Mon 14 Jun 2021 10:26:22 AM EDT.
Available Packages
Name         : zsh
Version      : 5.5.1
Release      : 6.el8_1.2
Architecture : x86_64
Size         : 2.9 M
Source       : zsh-5.5.1-6.el8_1.2.src.rpm
Repository   : rhel-8-for-x86_64-baseos-beta-rpms
Summary      : Powerful interactive shell
URL          : http://zsh.sourceforge.net/
License      : MIT
Description  : The zsh shell is a command interpreter usable as an interactive login
             : shell and as a shell script command processor.  Zsh resembles the ksh
             : shell (the Korn shell), but includes many enhancements.  Zsh supports
             : command line editing, built-in spelling correction, programmable
             : command completion, shell functions (with autoloading), a history
             : mechanism, and more.

^ A non-root user can still execute the above command. Moving the bug to Verified!!
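
The verification runs in Comment 3 and Comment 7 exercise the same behaviour: with umask 077 a naive write would leave the entitlement certificate and key at mode 0600, which breaks `yum` for non-root users, while the fixed subscription-manager leaves both files at 0644 regardless of umask. The following added example is not subscription-manager's code and is not part of any comment on this bug. It shows, in Python (subscription-manager's own language), why a plain `open()`/write inherits the process umask, how to write a file whose final mode is independent of umask, and a check that lists `.pem` files whose mode differs from the 0644 shown in the `ls -al` listings above. The 0644 target, the constructed PEM placeholder bytes, the file names and the temporary directory are assumptions made for the demonstration.

```python
import os
import stat
import tempfile

# Assumption: the mode the fixed subscription-manager restores, taken from
# the "-rw-r--r--" entries in the ls -al listings on this bug.
CERT_MODE = 0o644

# Constructed placeholder content; not a real certificate or key.
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n"


def write_respecting_umask(path, data):
    """Naive write. open() creates the file as 0666 & ~umask, so umask 077
    silently yields 0600 and a non-root reader gets EACCES."""
    with open(path, "wb") as f:
        f.write(data)


def write_with_fixed_mode(path, data, mode=CERT_MODE):
    """Create the file, then fchmod() it: the mode argument of os.open() is
    still masked by umask, but fchmod() on the open descriptor is not, so the
    final mode is exactly `mode` whatever umask the caller inherited."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    try:
        os.fchmod(fd, mode)
        os.write(fd, data)
    finally:
        os.close(fd)


def file_mode(path):
    """Permission bits only (no file-type bits), e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)


def check_entitlement_perms(directory, expected=CERT_MODE):
    """Return [(path, mode)] for every .pem file in `directory` whose
    permission bits are not `expected`. Pass a stricter `expected` for
    directories that are meant to hold private material."""
    bad = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".pem"):
            continue
        path = os.path.join(directory, name)
        mode = file_mode(path)
        if mode != expected:
            bad.append((path, mode))
    return bad


def demo(umask_value):
    """Reproduce the two runs from the bug under one umask value and report
    the mode each write strategy produced plus what the checker flags."""
    old = os.umask(umask_value)
    try:
        with tempfile.TemporaryDirectory() as d:
            naive = os.path.join(d, "naive-key.pem")
            fixed = os.path.join(d, "fixed-key.pem")
            write_respecting_umask(naive, SAMPLE_PEM)
            write_with_fixed_mode(fixed, SAMPLE_PEM)
            violations = [os.path.basename(p) for p, _ in check_entitlement_perms(d)]
            return {
                "naive": file_mode(naive),
                "fixed": file_mode(fixed),
                "violations": violations,
            }
    finally:
        os.umask(old)


if __name__ == "__main__":
    for u in (0o022, 0o077):
        r = demo(u)
        print("umask %03o: naive=%04o fixed=%04o flagged=%s"
              % (u, r["naive"], r["fixed"], r["violations"]))
```

On a registered host, `check_entitlement_perms("/etc/pki/entitlement")` returning an empty list is the scripted equivalent of the `ls -al` inspection above; the `expected` argument exists because the same loop can be pointed at a directory whose key is supposed to stay unreadable to non-root users, as `/etc/pki/consumer/key.pem` is in the `yum info` output on this bug.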

Comment 8 Chris Snyder 2021-09-28 17:46:23 UTC
*** Bug 2006444 has been marked as a duplicate of this bug. ***

Comment 10 errata-xmlrpc 2021-11-09 19:37:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (subscription-manager bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4390