Bug 2141850

Summary: auth_openidc.conf probably should be mode 0640 by default
Product: Red Hat Enterprise Linux 8
Reporter: Orion Poplawski <orion>
Component: mod_auth_openidc
Assignee: Tomas Halman <thalman>
Status: CLOSED ERRATA
QA Contact: Scott Poore <spoore>
Severity: low
Priority: low
Version: 8.7
CC: aboscatt, spoore
Target Milestone: rc
Keywords: Triaged
Hardware: Unspecified
OS: Unspecified
Fixed In Version: mod_auth_openidc-2.3-8090020230425101425.b46abd14
Doc Type: If docs needed, set a value
Last Closed: 2023-11-14 15:27:16 UTC
Type: Bug

Description Orion Poplawski 2022-11-10 20:54:09 UTC
Description of problem:

auth_openidc.conf can contain secrets.  It probably should be mode 0640 by default.

Version-Release number of selected component (if applicable):
mod_auth_openidc-2.3.7-11.module_el8.6.0+2868+44838709.x86_64

BTW - very happy to see this module in RHEL - thank you for providing it.

Comment 4 Scott Poore 2023-05-04 13:26:30 UTC
Verified.

Version ::

mod_auth_openidc-2.4.9.4-5.module+el8.9.0+18723+672ccf5d.x86_64

# dnf module info mod_auth_openidc
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use subscription-manager to register.

Last metadata expiration check: 0:06:56 ago on Thu 04 May 2023 09:11:21 AM EDT.
Name             : mod_auth_openidc
Stream           : 2.3 [d][a]
Version          : 8090020230425101425
Context          : b46abd14
Architecture     : x86_64
Profiles         : default [d]
Default profiles : default
Repo             : rhel-AppStream
Summary          : Apache module suporting OpenID Connect authentication
Description      : This module enables an Apache 2.x web server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.
Requires         : platform:[el8]
Artifacts        : cjose-0:0.6.1-3.module+el8.9.0+18395+74bc73c4.src
                 : cjose-0:0.6.1-3.module+el8.9.0+18395+74bc73c4.x86_64
                 : cjose-debuginfo-0:0.6.1-3.module+el8.9.0+18395+74bc73c4.x86_64
                 : cjose-debugsource-0:0.6.1-3.module+el8.9.0+18395+74bc73c4.x86_64
                 : cjose-devel-0:0.6.1-3.module+el8.9.0+18395+74bc73c4.x86_64
                 : mod_auth_openidc-0:2.4.9.4-5.module+el8.9.0+18723+672ccf5d.src
                 : mod_auth_openidc-0:2.4.9.4-5.module+el8.9.0+18723+672ccf5d.x86_64
                 : mod_auth_openidc-debuginfo-0:2.4.9.4-5.module+el8.9.0+18723+672ccf5d.x86_64
                 : mod_auth_openidc-debugsource-0:2.4.9.4-5.module+el8.9.0+18723+672ccf5d.x86_64

Hint: [d]efault, [e]nabled, [x]disabled, [i]nstalled, [a]ctive


Results ::


# ls -l /etc/httpd/conf.d/auth_openidc.conf 
-rw-r-----. 1 root apache 57516 Apr 25 07:13 /etc/httpd/conf.d/auth_openidc.conf

manually run gating tests:


test_oidc.py ....                                                                               [100%]

-------------------- generated xml file: /root/federation_testing/result_oidc.xml ---------------------
====================================== 4 passed in 3.02 seconds =======================================
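As an added example (not part of the bug report or of the mod_auth_openidc package), the following POSIX shell audit generalizes the `ls -l` check above: it reports a config file whose mode is wider than 0640 and distinguishes the case where the file actually carries secret-bearing directives (OIDCClientSecret, OIDCCryptoPassphrase). It assumes GNU `stat` and builds its own sample file with placeholder values.

```shell
#!/bin/sh
# Audit a mod_auth_openidc config file: acceptable when its permission bits
# stay within 0640 (owner rw, group r, nothing for others). Assumes GNU stat.

# Directives whose values are secrets (real mod_auth_openidc directive names).
SECRET_DIRECTIVES='OIDCClientSecret|OIDCCryptoPassphrase'

# Print the number of secret-bearing directives in "$1"; comment lines are ignored.
config_has_secrets() {
    grep -Ec "^[[:space:]]*($SECRET_DIRECTIVES)[[:space:]]" "$1" || true
}

# Succeed when the mode of "$1" sets no bit outside 0640
# (0137 is the complement of 0640 within 0777).
mode_is_ok() {
    mode=$(stat -c '%a' "$1")
    [ $(( 0$mode & 0137 )) -eq 0 ]
}

# Verdict for "$1": 0 = mode within 0640, 1 = secrets present but mode too wide,
# 2 = mode too wide but no secret directives found.
audit_config() {
    f=$1
    secrets=$(config_has_secrets "$f")
    if mode_is_ok "$f"; then
        echo "OK:   $f ($(stat -c '%a %U:%G' "$f"))"
        return 0
    fi
    if [ "$secrets" -gt 0 ]; then
        echo "FAIL: $f holds $secrets secret directive(s) but mode $(stat -c '%a' "$f") exceeds 0640"
        return 1
    fi
    echo "WARN: $f mode $(stat -c '%a' "$f") exceeds 0640 (no secret directives found)"
    return 2
}

# Demo on a constructed file with placeholder values (not a real deployment):
# first with the old 0644 default, then with the 0640 the fixed package ships.
run_demo() {
    dir=$(mktemp -d); conf="$dir/auth_openidc.conf"
    printf '%s\n' 'OIDCClientID demo-client' \
        'OIDCClientSecret demo-secret-placeholder' \
        'OIDCCryptoPassphrase demo-passphrase-placeholder' > "$conf"
    chmod 0644 "$conf"; audit_config "$conf" || true
    chmod 0640 "$conf"; audit_config "$conf"; rc=$?
    rm -rf "$dir"; return $rc
}
run_demo
```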

Comment 6 errata-xmlrpc 2023-11-14 15:27:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: mod_auth_openidc:2.3 security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:6940