Bug 2021025

Summary: certificates: "group" option keeps certificates inaccessible to the group
Product: Red Hat Enterprise Linux 9
Reporter: Martin Pitt <mpitt>
Component: rhel-system-roles
Assignee: Rich Megginson <rmeggins>
Status: CLOSED ERRATA
QA Contact: Jakub Haruda <jharuda>
Severity: unspecified
Docs Contact: Eliane Ramos Pereira <elpereir>
Priority: unspecified
Version: 9.0
CC: djez, elpereir, gfialova, jharuda, nhosoi, pkettman, spetrosi
Target Milestone: rc
Target Release: 9.0
Hardware: Unspecified
OS: Unspecified
Whiteboard: role:certificate
Fixed In Version: rhel-system-roles-1.11.0-1.el9
Doc Type: Bug Fix
Doc Text:
.The `group` option in the Certificate System Role no longer keeps certificates inaccessible to the group

Previously, when setting the group for a certificate, the `mode` was not set to allow group read permission. As a consequence, group members were unable to read certificates issued by the Certificate role. With this fix, the group setting now ensures that the file mode includes group read permission. As a result, the certificates issued by the Certificate role for groups are accessible by the group members.
Story Points: ---
Clone Of:
: 2021683 (view as bug list) Environment:
Last Closed: 2022-05-17 13:02:55 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2021683

Description Martin Pitt 2021-11-08 06:26:34 UTC
Description of problem:

lsr.certificates has a "group:" option [1], which is meant for services which run not as root, but as some unprivileged user/group. However, it keeps the file permissions as 0600, which means that the group can't access it.

I recently fixed this upstream:
- https://github.com/linux-system-roles/certificate/commit/27ed4d2517cbdd introduces general testing of certificate permissions

- https://github.com/linux-system-roles/certificate/commit/0d7470b345e1bf adds a test for setting "group:" (without "owner:", thus keeping the "root" default), and ensures that the permissions are as expected. This reproduces the bug and validates the fix.

RHEL 8.5/8.6 is affected in the same way -- but you mentioned you want to handle this through cloning, after the initial bug review.

Version-Release number of selected component (if applicable):

rhel-system-roles-1.8.3-2.el9.noarch

How reproducible: Always


Steps to Reproduce:
1. Run this step:

- hosts: webserver
  vars:
    certificate_requests:
      - name: mycert
        dns: www.example.com
        ca: self-sign
        group: httpd

  roles:
    - linux-system-roles.certificate

2. Check permissions

Actual results: /etc/pki/tls/certs/mycert.key has permissions 0600


Expected results: /etc/pki/tls/certs/mycert.key has permissions 0640 so that the group can actually read it


Additional info:

[1] https://github.com/linux-system-roles/certificate#setting-the-certificate-owner-and-group
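A post-deployment check for the condition described in this report, added here as an example; it is not part of the bug report, the upstream tests linked above, or the certificate role itself. The function verifies that a key file issued with "group:" set is owned by the expected group, is group-readable (0640 is the expected state, 0600 is the buggy one), and carries no permission bits for "other". It assumes GNU coreutils `stat` (Linux); the demonstration at the bottom uses a scratch file and the caller's own gid in place of /etc/pki/tls/certs/mycert.key and the `httpd` group from the playbook.

```shell
#!/bin/sh
# check_cert_key_mode FILE GROUP
#   GROUP may be a group name or a numeric gid.
#   Prints a one-line verdict; returns 0 on pass, 1 on fail.
# Assumes GNU coreutils stat. Added example, not code from the role.
check_cert_key_mode() {
    key=$1
    want_group=$2

    if [ ! -f "$key" ]; then
        echo "FAIL $key: no such file"
        return 1
    fi

    mode=$(stat -c '%a' "$key")    # e.g. 600, 640 or 2640 (no leading zero)
    gname=$(stat -c '%G' "$key")   # group name, or UNKNOWN if unresolvable
    gid=$(stat -c '%g' "$key")     # numeric gid

    # Accept the group by name or by number so the check also works in
    # minimal environments where the gid has no /etc/group entry.
    if [ "$gname" != "$want_group" ] && [ "$gid" != "$want_group" ]; then
        echo "FAIL $key: group is $gname ($gid), expected $want_group"
        return 1
    fi

    # Keep only the last three octal digits (drop setuid/setgid/sticky).
    perm=${mode#"${mode%???}"}
    gdigit=${perm#?}; gdigit=${gdigit%?}   # middle digit: group bits
    odigit=${perm#??}                      # last digit: other bits

    # The whole point of "group:" is that the group can read the key.
    case $gdigit in
        4|5|6|7) ;;
        *) echo "FAIL $key: mode 0$perm, group cannot read (bug 2021025 state)"
           return 1 ;;
    esac

    # A private key must never be accessible to "other".
    if [ "$odigit" != "0" ]; then
        echo "FAIL $key: mode 0$perm is accessible to other"
        return 1
    fi

    echo "OK   $key: group $gname ($gid), mode 0$perm"
    return 0
}

# Constructed demonstration: a scratch file stands in for the issued key.
# On a real host you would run:  check_cert_key_mode /etc/pki/tls/certs/mycert.key httpd
demo=$(mktemp)
chmod 600 "$demo"                                        # what the bug produces
check_cert_key_mode "$demo" "$(id -g)" || echo "(0600 rejected, as intended)"
chmod 640 "$demo"                                        # the expected result
check_cert_key_mode "$demo" "$(id -g)"
rm -f "$demo"
```

The check is deliberately stricter than "mode equals 0640": it accepts any mode that grants group read and denies "other" entirely, so it still passes on a host where the key is 0660 by local policy, while flagging both the 0600 regression and a world-readable key.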

Comment 2 Peter Kettmann 2021-11-15 14:14:21 UTC
Hi Jakub, can you please review and ack this BZ? Thanks.

Comment 11 errata-xmlrpc 2022-05-17 13:02:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: rhel-system-roles), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:2443