Bug 2153688

Summary: Bad permissions for files shipped by libvirt-client
Product: Red Hat Enterprise Linux 8 Reporter: Michal Privoznik <mprivozn>
Component: libvirtAssignee: Michal Privoznik <mprivozn>
Status: CLOSED ERRATA QA Contact: yalzhang <yalzhang>
Severity: high Docs Contact:
Priority: high    
Version: ---CC: gveitmic, jdenemar, jsuchane, lmen, mprivozn, rmetrich, virt-maint, yalzhang, ymankad
Target Milestone: rcKeywords: Triaged, Upstream, ZStream
Target Release: ---Flags: pm-rhel: mirror+
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libvirt-8.0.0-13.module+el8.8.0+17719+f18c2d1b Doc Type: Bug Fix
Doc Text:
Cause: Some scripts installed by libvirt RPMs have bad permissions (writable by root group). Consequence: This is potentially dangerous as a member of a root group (which is usually just root, but okay) could change the contents of the script. Fix: Scripts are now installed with rwxr-xr-x mode (i.e. writable only by root user). Result: Scripts are now writable by root user only.
 Story Points: ---
Clone Of: 2151202
: 2157091 2157092 (view as bug list) Environment:
Last Closed: 2023-05-16 08:18:36 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version: 9.0.0
Embargoed:
Bug Depends On:    
Bug Blocks: 2157091, 2157092    

Comment 10 yalzhang@redhat.com 2023-01-05 05:50:55 UTC 
Reproduce on libvirt-8.0.0-12.module+el8.8.0+17545+95582d4e.x86_64:

# rpm -q libvirt 
libvirt-8.0.0-12.module+el8.8.0+17545+95582d4e.x86_64

# ls -al /usr/bin/virt-*-validate
-rwxr-xr-x. 1 root root 25640 Dec 13 10:54 /usr/bin/virt-host-validate
-rwxrwxr-x. 1 root root  9772 Dec 13 10:53 /usr/bin/virt-pki-validate
-rwxrwxr-x. 1 root root  2840 Dec 13 10:53 /usr/bin/virt-xml-validate

And update to libvirt-8.0.0-13, the issue is fixed:
# rpm -q libvirt
libvirt-8.0.0-13.module+el8.8.0+17719+f18c2d1b.x86_64
# ls -al /usr/bin/virt-*-validate
-rwxr-xr-x. 1 root root 25608 Jan  4 13:20 /usr/bin/virt-host-validate
-rwxr-xr-x. 1 root root  9772 Jan  4 13:20 /usr/bin/virt-pki-validate
-rwxr-xr-x. 1 root root  2840 Jan  4 13:20 /usr/bin/virt-xml-validate
Comment 13 yalzhang@redhat.com 2023-01-06 01:27:21 UTC 
verified per comment 10
Comment 15 errata-xmlrpc 2023-05-16 08:18:36 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: virt:rhel and virt-devel:rhel security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:2757