Bug 2021683

Summary: certificates: "group" option keeps certificates inaccessible to the group
Product: Red Hat Enterprise Linux 8
Reporter: Rich Megginson <rmeggins>
Component: rhel-system-roles
Assignee: Rich Megginson <rmeggins>
Status: CLOSED ERRATA
QA Contact: David Jež <djez>
Severity: unspecified
Docs Contact: Eliane Ramos Pereira <elpereir>
Priority: unspecified
Version: 8.6
CC: djez, elpereir, gfialova, jharuda, mpitt, nhosoi, pkettman, rhel-cs-system-management-subsystem-qe, spetrosi
Target Milestone: rc
Target Release: 8.6
Hardware: Unspecified
OS: Unspecified
Whiteboard: role:certificate
Fixed In Version: rhel-system-roles-1.11.0-1.el8
Doc Type: Bug Fix
Doc Text:
The `group` option no longer keeps certificates inaccessible to the group
Previously, when setting the group for a certificate, the `mode` was not set to allow group read permission. As a consequence, group members were unable to read certificates issued by the Certificate role. With this fix, the group setting now ensures that the file mode includes group read permission. As a result, the certificates issued by the Certificate role for groups are accessible by the group members.
Story Points: ---
Clone Of: 2021025
Environment:
Last Closed: 2022-05-10 14:12:46 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2021025
Bug Blocks:

Description Rich Megginson 2021-11-09 22:31:20 UTC
+++ This bug was initially created as a clone of Bug #2021025 +++

Description of problem:

lsr.certificates has a "group:" option [1], which is meant for services which run not as root, but as some unprivileged user/group. However, it keeps the file permissions as 0600, which means that the group can't access it.

I recently fixed this upstream:
- https://github.com/linux-system-roles/certificate/commit/27ed4d2517cbdd introduces general testing of certificate permissions

- https://github.com/linux-system-roles/certificate/commit/0d7470b345e1bf adds a test for setting "group:" (without "owner:", thus keeping the "root" default), and ensures that the permissions are as expected. This reproduces the bug and validates the fix.

RHEL 8.5/8.6 is affected in the same way -- but you mentioned you want to handle this through cloning, after the initial bug review.

Version-Release number of selected component (if applicable):

rhel-system-roles-1.8.3-2.el9.noarch

How reproducible: Always


Steps to Reproduce:
1. Run this step:

- hosts: webserver
  vars:
    certificate_requests:
      - name: mycert
        dns: www.example.com
        ca: self-sign
        group: httpd

  roles:
    - linux-system-roles.certificate

2. Check permissions

Actual results: /etc/pki/tls/certs/mycert.key has permissions 0600


Expected results: /etc/pki/tls/certs/mycert.key has permissions 0640 so that the group can actually read it


Additional info:

[1] https://github.com/linux-system-roles/certificate#setting-the-certificate-owner-and-group
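The "Check permissions" step above is easy to get wrong by eye, so here is an added audit script for step 2. It is not part of the bug report and not code from the certificate role; it only encodes the expectation stated in the report (0600 for a key with no "group:", 0640 when a group is set, nothing for "other", never group-writable) and compares it with what is on disk. The key files it creates under a temporary directory are constructed stand-ins for the role's output before and after the fix; on a real host you would call `audit_key("/etc/pki/tls/certs/mycert.key", group="httpd")` instead.

```python
import os
import stat
import tempfile

# Added example, not code from the certificate role or the bug report.
# Assumption: a private key should be 0600 by default and 0640 when a
# "group:" is requested (the "Expected results" above); any other bits
# on a private key are treated as a finding.


def expected_key_mode(group=None):
    """Mode a certificate key should have for a given request."""
    mode = stat.S_IRUSR | stat.S_IWUSR      # 0600: owner read/write only
    if group is not None:
        mode |= stat.S_IRGRP                 # 0640: the service group may read
    return mode


def audit_key(path, group=None):
    """Compare the key's actual mode with the expected one.

    Returns a list of findings; an empty list means the key is set up
    the way the "group:" option promises.
    """
    actual = stat.S_IMODE(os.stat(path).st_mode)
    expected = expected_key_mode(group)
    findings = []
    if actual & stat.S_IRWXO:
        findings.append(f"{path}: world-accessible (mode {actual:04o})")
    if actual & (stat.S_IWGRP | stat.S_IXGRP):
        findings.append(f"{path}: group can write or execute (mode {actual:04o})")
    if group is not None and not actual & stat.S_IRGRP:
        # This is the bug in the report: group set, but the mode stayed 0600.
        findings.append(f"{path}: group {group!r} cannot read the key (mode {actual:04o})")
    if actual != expected:
        findings.append(f"{path}: mode {actual:04o}, expected {expected:04o}")
    return findings


def reproduce():
    """Constructed stand-in for the reproducer: one key as the unfixed
    role left it (0600 although group: was set) and one as the fixed
    role leaves it (0640). Returns the findings for both."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, mode in (("before_fix", 0o600), ("after_fix", 0o640)):
            key = os.path.join(tmp, f"mycert-{label}.key")
            with open(key, "w") as fh:
                # Placeholder contents; only the mode matters here.
                fh.write("-----BEGIN PRIVATE KEY-----\nconstructed\n-----END PRIVATE KEY-----\n")
            os.chmod(key, mode)
            results[label] = audit_key(key, group="httpd")
    return results


if __name__ == "__main__":
    for label, findings in reproduce().items():
        print(label, "OK" if not findings else "; ".join(findings))
```

The "before_fix" key produces two findings (group cannot read, mode 0600 instead of 0640); the "after_fix" key produces none. Note that the check deliberately does not accept 0644 or 0660 just because the group can read: a readable-by-all or group-writable private key is a separate defect, not a fix for this one.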

Comment 13 errata-xmlrpc 2022-05-10 14:12:46 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (rhel-system-roles bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1896