Bug 707620

Summary: Umask for user "oracle" on RHEL6 is changed to 0002
Product: Red Hat Satellite 5
Component: Server
Version: 541
Status: CLOSED DEFERRED
Severity: low
Priority: low
Hardware: Unspecified
OS: Unspecified
Reporter: Dimitar Yordanov <dyordano>
Assignee: Jan Pazdziora <jpazdziora>
QA Contact: Red Hat Satellite QA List <satqe-list>
CC: jpazdziora
Doc Type: Bug Fix
Last Closed: 2013-04-22 15:06:01 UTC
Bug Blocks: 462714

Description Dimitar Yordanov 2011-05-25 14:27:28 UTC
Description of problem:
Umask for user "oracle" on RHEL6 is changed to 0002

Version-Release number of selected component (if applicable):
Satellite-5.4.1-RHEL6-re20110521.0-x86_64-embedded-oracle.iso
RHEL6 - x86_64 - Red Hat Enterprise Linux Server release 6.1

How reproducible:
Always

Steps to Reproduce:
1. On RHEL 6: su - oracle -c "umask"

  
Actual results:
0002
-rw-rw----. 1 oracle dba 104858112 May 24 08:47 /rhnsat/data/rhnsat/redo_1001.log

Expected results:
As on RHEL5 0022
-rw-r-----. 1 oracle dba 104858112 May 24 08:47 /rhnsat/data/rhnsat/redo_1001.log

Additional info:

Comment 1 Jan Pazdziora 2011-05-25 14:59:19 UTC
On RHEL 5, the umask does not get changed from root's umask at all:

# umask
0021
# su - oracle -c 'umask'
0021

On RHEL 6, it is set to 002 in /etc/profile.

Comment 2 Jan Pazdziora 2011-05-25 15:06:52 UTC
But the change is not really specific -- you will see the same behaviour for any other system account you create.

Does it cause any harm?

Comment 3 Dimitar Yordanov 2011-05-26 07:11:28 UTC
Hi Jan,
I think there is a potential security issue, especially in the case when RHN-Satellite shares the Oracle Database with other applications and more than one Oracle instance exists.
Let's have the case when every instance runs under its own ORA_USER* and all ORA_USER* are in the DBA group.
This means that if there is a security hole in some other application and a malicious user manages to execute some code as ORA_USER*, this code can modify RHN-Satellite files as well.

I could be wrong but this is the way I think.

Comment 4 Jan Pazdziora 2013-04-15 11:25:40 UTC
But we don't support multiple embedded Oracle installations, nor any non-Satellite use of the machine on which the Satellite with embedded Oracle is installed, do we?

Comment 5 Dimitar Yordanov 2013-04-15 11:41:34 UTC
No, we do not support that. I guess I had in mind external Oracle but we have no control there.

Comment 6 Jan Pazdziora 2013-04-22 15:06:01 UTC
We don't have any immediate plans to change the behaviour that RHEL sets as default for one system account that we create and use in Satellite. Closing as such.
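
The umask effect discussed in Comments 1 and 3, as an added example that is not part of the original bug report: it creates a file under each umask and then audits a directory for group-writable files. The function names and the temporary directory are constructed for illustration; `touch` requests mode 0666, so the "other" bits differ from the redo log listing above, and the group-write bit is what changes between the two umasks.

```shell
#!/bin/sh
# Added example (not from the bug report): shows how the login umask decides
# whether newly created files are group-writable, and audits a directory for it.
# Function names and the temporary directory are constructed for illustration.

# Create a file under the given umask and print its permission string.
# touch requests mode 0666, so the umask alone decides which bits survive.
perms_with_umask() {
    dir=$1 mask=$2
    (
        # Subshell: the umask change does not leak into the caller.
        umask "$mask"
        touch "$dir/created_with_$mask"
    )
    # Keep only the ten permission characters (drops any SELinux/ACL marker).
    ls -l "$dir/created_with_$mask" | cut -c1-10
}

# List regular files under a directory that have the group-write bit set,
# i.e. files any other member of the owning group could modify.
group_writable_files() {
    find "$1" -type f -perm -020 | sort
}

demo() {
    tmp=$(mktemp -d)
    echo "umask 0002 -> $(perms_with_umask "$tmp" 0002)"
    echo "umask 0022 -> $(perms_with_umask "$tmp" 0022)"
    echo "group-writable files:"
    group_writable_files "$tmp"
    rm -rf "$tmp"
}

demo
```

Pointing `group_writable_files` at a data directory lists the files that other members of the owning group could modify.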