Bug 2188743

Summary: Tangd-keygen does not handle different umask
Product: Red Hat Enterprise Linux 8
Reporter: Direct Docs Feedback <ddf-bot>
Component: tang
Assignee: Sergio Arroutbi <sarroutb>
Status: VERIFIED
QA Contact: Patrik Koncity <pkoncity>
Severity: unspecified
Docs Contact: Mirek Jahoda <mjahoda>
Priority: high
Version: 8.0
CC: dapospis, mjahoda, mzeleny, pkoncity, rhel-docs, sarroutb
Target Milestone: rc
Keywords: AutoVerified, ReleaseNotes, Triaged
Target Release: ---
Hardware: All
OS: All
Whiteboard:
Fixed In Version: tang-7-8.el8
Doc Type: Known Issue
Doc Text:
.`tangd-keygen` does not handle non-default `umask` correctly

The `tangd-keygen` script does not change the permissions of the key files it generates, so they keep whatever mode the invoking user's file-creation mask leaves them with. Consequently, on systems whose default user file-creation mode mask (`umask`) prevents other users from reading the keys, the `tangd` service (which does not run as root) cannot read them, and the `tang-show-keys` command returns the error message `Internal Error 500` instead of displaying the keys. To work around the problem, use the `chmod o+r *.jwk` command to change the permissions of the files in the `/var/db/tang` directory.

Description Direct Docs Feedback 2023-04-21 23:37:31 UTC
Depending on root's umask, the key files might be generated with perm 600. 

Need to set perm bits or ownership so that the keys are readable by the 'tang' user; otherwise tang-show-keys returns Internal Error 500.

Reported by: carolw-nac

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption_security-hardening#annotations:88f1f22b-5b64-437b-9ea4-eaef9a23d210
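The failure mode described above, as an added example that is not part of the bug report or of the tang project's own code: the script below reproduces what a restrictive root `umask` does to freshly created key files, checks a key directory for files the unprivileged `tang` service user could not read, and applies the `chmod o+r` workaround from the release note. It writes constructed placeholder `.jwk` files to a scratch directory (the `KEYDIR` variable, defaulting to `mktemp -d`) rather than touching `/var/db/tang`, so it runs without a tang installation; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not tang's own code. Reproduces the umask problem from
# Bug 2188743 and checks a key directory for files unreadable by the
# 'tang' service user. KEYDIR defaults to a scratch directory; point it at
# /var/db/tang on a real Tang server to audit the live key files.

# Simulate tangd-keygen run by root under a given umask: the files keep
# whatever mode the mask leaves them. umask 077 yields 0600, umask 022 0644.
generate_keys_with_umask() {
    dir=$1; mask=$2
    mkdir -p "$dir"
    (
        umask "$mask"
        # Constructed placeholder JWKs, not real key material.
        printf '{"kty":"EC","alg":"ES512"}\n' > "$dir/sig.jwk"
        printf '{"kty":"EC","alg":"ECMR"}\n'  > "$dir/exc.jwk"
    )
}

# Return 0 if every .jwk in the directory has the "other" read bit set,
# which is what the tangd service (running as the unprivileged 'tang'
# user, not as root) needs when the files are owned by root. Return 1 and
# list the offending files otherwise. 'find -perm -004' is POSIX, so this
# works on both GNU and BSD userlands.
check_keys_world_readable() {
    dir=$1; bad=0
    for f in "$dir"/*.jwk; do
        [ -e "$f" ] || continue
        if [ -z "$(find "$f" -prune -perm -004)" ]; then
            echo "not readable by others: $(ls -ld "$f" | cut -c1-10) $f"
            bad=1
        fi
    done
    return $bad
}

# The workaround from the release note: make the key files readable by
# others so the 'tang' user can open them.
fix_key_permissions() {
    chmod o+r "$1"/*.jwk
}

# Stand-alone demonstration against a scratch directory.
KEYDIR=${KEYDIR:-$(mktemp -d)}
generate_keys_with_umask "$KEYDIR" 077
if check_keys_world_readable "$KEYDIR"; then
    echo "keys in $KEYDIR are readable by the tang user"
else
    fix_key_permissions "$KEYDIR"
    check_keys_world_readable "$KEYDIR" && echo "fixed permissions in $KEYDIR"
fi
```

Running the check before and after `tangd-keygen` on a host where root's `umask` is 077 shows the 0600 files the bug describes; the same check passes immediately on a host with the default 022. Note that `chmod o+r` is the workaround the bug records, not a least-privilege setting: it makes the private signing and exchange keys readable by every local account on the server. Where that is a concern, giving the files to the `tang` group with `chgrp tang *.jwk && chmod g+r *.jwk` (an alternative not stated in the bug) lets the service read them without exposing them to all users.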