Bug 1952105

Summary: [RHEL8/Bug] vdo creates directory /run/lock/vdo world writable without sticky bit triggered (found by SCAP)
Product: Red Hat Enterprise Linux 8
Reporter: Rajesh Dulhani <rdulhani>
Component: vdo
Assignee: bjohnsto
Status: CLOSED ERRATA
QA Contact: Filip Suba <fsuba>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 8.3
CC: awalsh, cwei, fsuba, peter.vreman
Target Milestone: beta
Keywords: Triaged
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: vdo-6.2.5.11-14.el8
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-11-09 19:28:28 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments:
  run-lock-vdo status reported by scap (flags: none)

Description Rajesh Dulhani 2021-04-21 14:06:23 UTC
Created attachment 1774101 [details]
run-lock-vdo status reported by scap

Description of problem:

When I run the SCAP standard profile xccdf_org.ssgproject.content_profile_standard on RHEL7 as well as RHEL 8, it triggers the rule xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits on a directory /run/lock/vdo that is implicitly created during boot.

Screenshot attached.

I also verified on RHEL8.3 and RHEL7.6, and there /run/lock/vdo is also missing the sticky bit as recommended by SCAP.
-------

$ cat /etc/redhat-release
Red Hat Enterprise Linux release 8.3 (Ootpa)


$ stat /run/lock/vdo
  File: /run/lock/vdo
  Size: 60              Blocks: 0          IO Block: 4096   directory
Device: 18h/24d Inode: 205356      Links: 2
Access: (0777/drwxrwxrwx)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:var_lock_t:s0
Access: 2021-04-15 12:59:11.315884394 +0000
Modify: 2021-03-25 01:38:13.605033991 +0000
Change: 2021-03-25 01:38:13.605033991 +0000
 Birth: -

$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.6 (Maipo)


$ stat /run/lock/vdo
  File: ‘/run/lock/vdo’
  Size: 60              Blocks: 0          IO Block: 4096   directory
Device: 14h/20d Inode: 225067      Links: 2
Access: (0777/drwxrwxrwx)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:var_lock_t:s0
Access: 2021-04-16 07:45:13.296935102 +0000
Modify: 2021-04-15 02:19:47.651891219 +0000
Change: 2021-04-15 02:19:47.651891219 +0000
 Birth: -
Version-Release number of selected component (if applicable):


SCAP PROFILE - RHEL8.3

Header of the HTML output of the scap report:
------
Evaluation target	li-lc-2624
Benchmark URL	/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
Benchmark ID	xccdf_org.ssgproject.content_benchmark_RHEL-8
Benchmark version	0.1.50
Profile ID	xccdf_org.ssgproject.content_profile_ospp
Started at	2021-04-12T16:57:29+00:00
Finished at	2021-04-12T16:57:30+00:00
Performed by	vrempet-admin
Test system	cpe:/a:redhat:openscap:1.3.3
------

Steps to Reproduce:

The file is created implicitly by the insights-client run every night:

-----------

$ ls -l /run/lock
total 0
-rw-r--r--. 1 root root   0 Apr 16 07:58 kdump
drwxrwxr-x. 2 root lock  40 Apr 16 07:58 lockdev
drwx------. 2 root root  40 Apr 16 07:59 lvm
drwxr-xr-x. 2 root root 120 Apr 16 07:58 subsys

$ ls -l /run/lock/vdo
ls: cannot access /run/lock/vdo: No such file or directory

$ sudo insights-client
Starting to collect Insights data for [crash/LI/IPS/OSDev-7.6SAPSOL] li-lc-2286.hag.hilti.com
Uploading Insights data.
Successfully uploaded report from [crash/LI/IPS/OSDev-7.6SAPSOL] li-lc-2286.hag.hilti.com to account 694947.
View details about this system on cloud.redhat.com:
https://cloud.redhat.com/insights/inventory/29fa76b0-48af-40fc-a23a-0ceb3e7524f5

$ ls -l /run/lock/vdo
total 0
-rw-r--r--. 1 root root 0 Apr 16 13:04 _etc_vdoconf.yml.lock

$ sudo grep vdo /var/log/insights-client/insights-client.log
2021-04-16 13:04:25,724    DEBUG insights.util.subproc Executing: [['timeout', '-s', '9', '120', '/usr/bin/vdo', 'status']]
2021-04-16 13:04:32,969    DEBUG insights.client.data_collector Processing /var/tmp/kRwG7w/insights-li-lc-2286.hag.hilti.com-20210416130407/data/insights_commands/vdo_status...
-------------


Reproducer with vdo status:
-------------

$ sudo rm -rf /run/lock/vdo

$ /usr/bin/vdo status
vdo: ERROR - Could not lock file /run/lock/vdo/_etc_vdoconf.yml.lock

$ sudo /usr/bin/vdo status
VDO status:
  Date: '2021-04-16 13:06:27+00:00'
  Node: li-lc-2286
Kernel module:
  Loaded: false
  Name: kvdo
  Version information:
    kvdo version: 6.1.1.125
Configuration:
  File: does not exist
  Last modified: not available
VDOs: {}

$ ls -l /run/lock/vdo
total 0
-rw-r--r--. 1 root root 0 Apr 16 13:06 _etc_vdoconf.yml.lock

$ ls -ld /run/lock/vdo
drwxr-xr-x. 2 root root 60 Apr 16 13:06 /run/lock/vdo
-------------

But when vdo status is run by insights-client started from systemd, it is created with 777:
-------------
$ sudo rm -rf /run/lock/vdo

$ sudo systemctl start insights-client

$ ls -ld /run/lock/vdo
ls: cannot access /run/lock/vdo: No such file or directory

$ sudo systemctl status insights-client
● insights-client.service - Insights Client
   Loaded: loaded (/usr/lib/systemd/system/insights-client.service; static; vendor preset: disabled)
   Active: inactive (dead) since Fri 2021-04-16 13:09:46 UTC; 16s ago
     Docs: man:insights-client(8)
  Process: 7002 ExecStartPost=/bin/bash -c if [ -d /sys/fs/cgroup/memory ]; then echo 1G > /sys/fs/cgroup/memory/system.slice/insights-client.service/memory.soft_limit_in_bytes; fi (code=exited, status=0/SUCCESS)
  Process: 7001 ExecStartPost=/bin/bash -c if [ -d /sys/fs/cgroup/memory ]; then echo 2G > /sys/fs/cgroup/memory/system.slice/insights-client.service/memory.memsw.limit_in_bytes; fi (code=exited, status=0/SUCCESS)
  Process: 7000 ExecStart=/usr/bin/insights-client --retry 3 (code=exited, status=0/SUCCESS)
 Main PID: 7000 (code=exited, status=0/SUCCESS)

Apr 16 13:08:15 li-lc-2286 systemd[1]: Starting Insights Client...
Apr 16 13:08:15 li-lc-2286 systemd[1]: Started Insights Client.
Apr 16 13:08:25 li-lc-2286 insights-client[7000]: Starting to collect Insights data for [crash/LI/IPS/OSDev-7.6SAPSOL] li-lc-2286.ha...lti.com
Apr 16 13:09:44 li-lc-2286 insights-client[7000]: Uploading Insights data.
Apr 16 13:09:45 li-lc-2286 insights-client[7000]: Successfully uploaded report from [crash/LI/IPS/OSDev-7.6SAPSOL] li-lc-2286.hag.hi...694947.
Apr 16 13:09:46 li-lc-2286 insights-client[7000]: View details about this system on cloud.redhat.com:
Apr 16 13:09:46 li-lc-2286 insights-client[7000]: https://cloud.redhat.com/insights/inventory/29fa76b0-48af-40fc-a23a-0ceb3e7524f5
Hint: Some lines were ellipsized, use -l to show in full.

$ ls -ld /run/lock/vdo
drwxrwxrwx. 2 root root 60 Apr 16 13:08 /run/lock/vdo

-------------

Actual results:

That means it is a bug in the vdo package that it creates the directory world writable in the context of being run from systemd.


Expected results:

It should not create the world writable directory.


Additional info:

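Added example, not part of this bug report and not vdo's own code: a Python check that mirrors the logic of the SCAP rule dir_perms_world_writable_sticky_bits (world-writable directory without the sticky bit), next to a way of creating a lock directory whose mode does not depend on the caller's umask. That the 0777 result comes from relying on the service's umask is an assumption here; the report only shows the resulting modes. The scenario below is constructed in a private temp directory.

```python
import os
import stat
import tempfile

def world_writable_without_sticky(root):
    """Mirror the SCAP rule dir_perms_world_writable_sticky_bits: list every
    directory under root (root included) that is world-writable (o+w) but
    lacks the sticky bit, which is what flagged /run/lock/vdo at 0777."""
    hits = []
    for dirpath, _dirs, _files in os.walk(root):
        mode = os.lstat(dirpath).st_mode
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            hits.append(dirpath)
    return sorted(hits)

def dir_mode(path):
    """Permission bits of path as an int, e.g. 0o755 (sticky bit included)."""
    return stat.S_IMODE(os.stat(path).st_mode)

def make_lock_dir(path, mode=0o755):
    """Create a lock directory whose final mode does not depend on the caller's
    umask: the mode passed to mkdir is masked by umask, a following chmod is not."""
    os.makedirs(path, mode=mode, exist_ok=True)
    os.chmod(path, mode)
    return dir_mode(path)

def demo():
    """Constructed scenario (assumption): run with umask 0, as a permissive
    service context would, and create three directories under a temp dir."""
    base = tempfile.mkdtemp()          # created 0700, so never flagged itself
    old_umask = os.umask(0)
    try:
        bad = os.path.join(base, "vdo_bad")
        os.mkdir(bad, 0o777)           # relies on umask -> ends up 0777 here
        sticky = os.path.join(base, "tmp_like")
        os.mkdir(sticky, 0o1777)       # world-writable but sticky: not flagged
        good = os.path.join(base, "vdo_good")
        make_lock_dir(good)            # explicit chmod -> 0755 regardless of umask
    finally:
        os.umask(old_umask)
    return base, bad, sticky, good

if __name__ == "__main__":
    base, bad, sticky, good = demo()
    print("flagged:", world_writable_without_sticky(base))  # only vdo_bad
```

Running the check against /run/lock on an affected host reproduces the SCAP finding for /run/lock/vdo; the same scan after the fixed package should return nothing for it.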
Comment 3 Filip Suba 2021-05-27 14:30:01 UTC
Verified with vdo-6.2.5.11-14.el8.

Comment 6 errata-xmlrpc 2021-11-09 19:28:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (kmod-kvdo bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4359