Bug 584810
| Summary: | non-root client cannot use remote driver without chmod o+x /etc/pki/CA | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Daniel Berrangé <berrange> |
| Component: | openssl | Assignee: | Tomas Mraz <tmraz> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Miroslav Vadkerti <mvadkert> |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | 6.0 | CC: | danken, hateya, hbrock, mvadkert, sgrubb |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | openssl-1.0.0-2.el6 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | 581823 | Environment: | |
| Last Closed: | 2010-11-10 21:17:29 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 581271, 581275, 581823 | | |

Description
Daniel Berrangé
2010-04-22 13:33:22 UTC
The /etc/pki/CA/ directory is used to hold the CA certificates & CRL. This data is not security sensitive, so restricting its access to root is not appropriate AFAICT & should be -rwxr-xr-x.

The sensitive data (i.e. CA private key) is in /etc/pki/CA/private/ which clearly does need to be -rwx-----

cf. path usage described in http://kbase.redhat.com/faq/docs/DOC-15601

VERIFIED as fixed in openssl-1.0.0-4.el6.

With openssl-1.0.0-4.el6:

```
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: Test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Running 'ls -ld /etc/pki/CA/ | awk '{print $1}' &> /tmp/tmp.uvtfOALbcR'
:: [ PASS ] :: File '/tmp/tmp.uvtfOALbcR' should contain 'rwxr-xr-x'
:: [ LOG ] :: Duration: 0s
:: [ LOG ] :: Assertions: 2 good, 0 bad
:: [ PASS ] :: RESULT: Test
```

With openssl-1.0.0-0.14.beta4.1.el6:

```
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: Test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
ls: cannot access /etc/pki/CA/: No such file or directory
:: [ PASS ] :: Running 'ls -ld /etc/pki/CA/ | awk '{print $1}' &> /tmp/tmp.XviSog6pp2'
ls: cannot access /etc/pki/CA/: No such file or directory
:: [ FAIL ] :: File '/tmp/tmp.XviSog6pp2' should contain 'rwxr-xr-x'
```

Red Hat Enterprise Linux 6.0 is now available and should resolve the problem described in this bug report. This report is therefore being closed with a resolution of CURRENTRELEASE. You may reopen this bug report if the solution does not work for you.
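
The QA check quoted above only matches `ls -ld` output for the top-level directory. As an added example (not part of the bug report or the openssl package), the shell function below checks both halves of the layout the description asks for: /etc/pki/CA readable and traversable by others, /etc/pki/CA/private closed to group and others. It assumes GNU `stat`; `audit_ca_dir` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example, not from the bug report. Assumes GNU stat ("stat -c");
# audit_ca_dir is a hypothetical helper name.

# Check one CA directory against the layout described in the report:
#   <ca_dir>          readable and traversable by everyone (certs, CRL)
#   <ca_dir>/private  no group/other access at all (CA private key)
# Returns 0 if both hold, 1 on a permission problem, 2 if <ca_dir> is missing.
audit_ca_dir() {
    local ca_dir mode rc
    ca_dir="${1:-/etc/pki/CA}"
    rc=0

    if [ ! -d "$ca_dir" ]; then
        echo "MISSING $ca_dir"
        return 2
    fi

    # stat prints octal digits such as 755; the leading 0 makes the shell
    # parse them as octal so the permission bits can be masked.
    mode=$(stat -c '%a' "$ca_dir")
    if [ $(( 0$mode & 05 )) -ne 5 ]; then
        echo "FAIL    $ca_dir mode $mode: others lack r-x, non-root clients cannot read the CA certificates"
        rc=1
    else
        echo "OK      $ca_dir mode $mode"
    fi

    if [ -d "$ca_dir/private" ]; then
        mode=$(stat -c '%a' "$ca_dir/private")
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "FAIL    $ca_dir/private mode $mode: group/other bits set on the private key directory"
            rc=1
        else
            echo "OK      $ca_dir/private mode $mode"
        fi
    else
        echo "NOTE    $ca_dir/private not present, nothing to check"
    fi

    return $rc
}

# Usage: audit_ca_dir /etc/pki/CA
```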