Bug 584810

Summary: non-root client cannot use remote driver without chmod o+x /etc/pki/CA
Product: Red Hat Enterprise Linux 6 Reporter: Daniel Berrangé <berrange>
Component: opensslAssignee: Tomas Mraz <tmraz>
Status: CLOSED CURRENTRELEASE QA Contact: Miroslav Vadkerti <mvadkert>
Severity: low Docs Contact:
Priority: low    
Version: 6.0CC: danken, hateya, hbrock, mvadkert, sgrubb
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: openssl-1.0.0-2.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 581823 Environment:
Last Closed: 2010-11-10 21:17:29 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 581271, 581275, 581823    

Description Daniel Berrangé 2010-04-22 13:33:22 UTC 
+++ This bug was initially created as a clone of Bug #581823 +++

Description of problem:
By default, openssl sets /etc/pki/CA to be browsable only by root. libvirt's remote client wants to read /etc/pki/CA/cacert.pem in order to connect to remote libvirtd over tls. this is not permitted if done by non-root.

Version-Release number of selected component (if applicable):
libvirt-client-0.8.0-1.el6.x86_64 openssl-1.0.0-1.el6.x86_64

How reproducible:
always

--- Additional comment from pm-rhel on 2010-04-13 07:42:55 EDT ---

This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.
Comment 1 Daniel Berrangé 2010-04-22 13:35:39 UTC 
The /etc/pki/CA/ directory is used to hold the CA certificates & CRL. This data is not security sensitive, so restricting its access to root is not appropriate AFAICT & should be -rwxr-xr-x.  The sensitive data (ie CA private key) is in /etc/pki/CA/private/ which clearly does need to be -rwx-----

cf path usage described in http://kbase.redhat.com/faq/docs/DOC-15601
Comment 5 Miroslav Vadkerti 2010-08-05 08:48:35 UTC 
VERIFIED as fixed in openssl-1.0.0-4.el6.

With openssl-1.0.0-4.el6:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   PASS   ] :: Running 'ls -ld /etc/pki/CA/ | awk '{print $1}' &> /tmp/tmp.uvtfOALbcR'
:: [   PASS   ] :: File '/tmp/tmp.uvtfOALbcR' should contain 'rwxr-xr-x'
:: [   LOG    ] :: Duration: 0s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: Test


With openssl-1.0.0-0.14.beta4.1.el6:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
ls: cannot access /etc/pki/CA/: No such file or directory
:: [   PASS   ] :: Running 'ls -ld /etc/pki/CA/ | awk '{print $1}' &> /tmp/tmp.XviSog6pp2'
ls: cannot access /etc/pki/CA/: No such file or directory
:: [   FAIL   ] :: File '/tmp/tmp.XviSog6pp2' should contain 'rwxr-xr-x'
Comment 6 releng-rhel@redhat.com 2010-11-10 21:17:29 UTC 
Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.