Bug 2188743

Summary: Tangd-keygen does not handle different umask
Product: Red Hat Enterprise Linux 8
Reporter: Direct Docs Feedback <ddf-bot>
Component: tang
Assignee: Sergio Arroutbi <sarroutb>
Status: CLOSED ERRATA
QA Contact: Patrik Koncity <pkoncity>
Severity: unspecified
Docs Contact: Mirek Jahoda <mjahoda>
Priority: high
Version: 8.0
CC: dapospis, mjahoda, mzeleny, pkoncity, rhel-docs, sarroutb
Target Milestone: rc
Keywords: AutoVerified, ReleaseNotes, Triaged
Target Release: ---
Hardware: All
OS: All
Fixed In Version: tang-7-8.el8
Doc Type: Bug Fix
Doc Text:
.`tangd-keygen` now handles non-default `umask` correctly

Previously, the `tangd-keygen` script did not change file permissions for generated key files. Consequently, on systems with a default user file-creation mode mask (`umask`) that prevents other users from reading keys, the `tang-show-keys` command returned the error message `Internal Error 500` instead of displaying the keys. With this update, `tangd-keygen` sets file permissions for generated key files, and therefore the script now works correctly on systems with non-default `umask`.
Last Closed: 2023-11-14 15:35:26 UTC

Description Direct Docs Feedback 2023-04-21 23:37:31 UTC
Depending on root's umask, the key files might be generated with perm 600.

Need to set perm bits or ownership so that the keys are readable by the 'tang' user, otherwise tang-show-keys returns Internal Error 500.

Reported by: carolw-nac

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption_security-hardening#annotations:88f1f22b-5b64-437b-9ea4-eaef9a23d210
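
The behaviour described in this report can be reproduced without tang. The following is an added example, not the tangd-keygen script or the shipped fix: it creates a file under several umask values, once leaving the mode to the umask and once setting it explicitly, and then lists files that lack the group-read bit. The file names, key content and the 0440 mode are assumptions for illustration.

```shell
#!/bin/sh
# Added illustration; file names, key content and mode 0440 are constructed.

# Print the octal permission bits of a file (GNU stat, BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# "Before": the file mode is whatever the inherited umask leaves of 0666.
# $1 = umask to simulate, $2 = path of the file to create
keygen_umask_dependent() {
    rm -f "$2"
    ( umask "$1"; printf '%s\n' 'constructed-key-material' > "$2" )
    file_mode "$2"
}

# "After": write under a restrictive umask, then set the final mode
# explicitly so the result no longer depends on the caller's umask.
# $1 = umask to simulate, $2 = path, $3 = mode to enforce (assumed 0440)
keygen_explicit_mode() {
    rm -f "$2"
    ( umask "$1"; umask 077; printf '%s\n' 'constructed-key-material' > "$2"
      chmod "$3" "$2" )   # a root-run script would also chown/chgrp here
    file_mode "$2"
}

# Audit: list regular files in directory $1 that lack the group-read bit,
# i.e. files a service account in the owning group could not open.
keys_missing_group_read() {
    find "$1" -type f ! -perm -040
}

# Demo run in a throwaway directory.
demo_dir=$(mktemp -d)
for mask in 022 027 077; do
    before=$(keygen_umask_dependent "$mask" "$demo_dir/before-$mask.jwk")
    after=$(keygen_explicit_mode "$mask" "$demo_dir/after-$mask.jwk" 0440)
    echo "umask $mask: umask-dependent=$before explicit=$after"
done
echo "files without group read:"
keys_missing_group_read "$demo_dir"
rm -rf "$demo_dir"
```

Only the file created with umask 077 and no explicit chmod ends up in the audit list, which matches the perm 600 case in the description.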

Comment 15 errata-xmlrpc 2023-11-14 15:35:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: tang security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:7022