Bug 2220875

Summary: [sssd] [sss_ini_add_snippets] (0x0020): Config merge error: File /etc/sssd/conf.d/certificate_verification.conf did not pass access check.
Product: Red Hat Enterprise Linux 8 Reporter: Sudhir Menon <sumenon>
Component: scap-security-guideAssignee: Vojtech Polasek <vpolasek>
Status: CLOSED MIGRATED QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 8.9CC: atikhono, ggasparb, matyc, mhaicman, mlysonek, pbrezina, sbose, vpolasek, wsato
Target Milestone: rcKeywords: MigratedToJIRA, Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-08-15 15:34:07 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Sudhir Menon 2023-07-06 11:57:40 UTC 
Description of problem: [sssd] [sss_ini_add_snippets] (0x0020): Config merge error: File /etc/sssd/conf.d/certificate_verification.conf did not pass access check.

Version-Release number of selected component (if applicable):
ipa-server-4.9.12-2.module+el8.9.0+18921+013c0de2.x86_64
sssd-common-2.9.0-4.el8.x86_64

How reproducible: Always

Steps to Reproduce:
1. Install IPA server in STIG env.
2. Check the dmesg log

Actual results:
Jul  6 07:51:46 master systemd[1]: Starting SSSD Kerberos Cache Manager...
Jul  6 07:51:46 master sssd[20838]: [sssd] [sss_ini_add_snippets] (0x0020): Config merge error: File /etc/sssd/conf.d/certificate_verification.conf did not pass access check. Skipping.     
Jul  6 07:51:46 master systemd[1]: Started SSSD Kerberos Cache Manager.

Expected results:
Fix the merge error.

Additional info:
Comment 1 Sumit Bose 2023-07-06 12:13:44 UTC 
Hi,

as mentioned in man sssd.conf "The snippet files require the same owner and permissions as sssd.conf. Which are by default root:root and 0600.", please check ownership and permissions of /etc/sssd/conf.d/certificate_verification.conf.

bye,
Sumit
Comment 2 Sudhir Menon 2023-07-06 12:23:39 UTC 
[root@master ~]# ll  /etc/sssd/conf.d/certificate_verification.conf
-rw-r--r--. 1 root root 52 Jul  6 07:28 /etc/sssd/conf.d/certificate_verification.conf
Comment 3 Sumit Bose 2023-07-06 12:27:06 UTC 
(In reply to Sudhir Menon from comment #2)
> [root@master ~]# ll  /etc/sssd/conf.d/certificate_verification.conf
> -rw-r--r--. 1 root root 52 Jul  6 07:28 /etc/sssd/conf.d/certificate_verification.conf

  -rw-------.

is expected.
Comment 4 Alexey Tikhonov 2023-07-10 09:38:02 UTC 
I wonder if this is a duplicate of bz 2211511?
Comment 5 Sumit Bose 2023-07-10 11:43:38 UTC 
(In reply to Alexey Tikhonov from comment #4)
> I wonder if this is a duplicate of bz 2211511?

Hi,

I think there is a fair chance since the same config file name is used in the STIG. It looks like the bash backend make sure the permissions are right but I have not seen anything related e.g. in the ansible backened.

Vojtech, can you have a look?

bye,
Sumit
Comment 9 RHEL Program Management 2023-08-15 15:25:07 UTC 
Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.
Comment 10 RHEL Program Management 2023-08-15 15:34:07 UTC 
This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there.

To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "RHEL-" followed by an integer.  You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like:

"Bugzilla Bug" = 1234567

In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues.