Bug 1113395 - yum verify-all reports problems with permissions but the Current and Original modes are the same.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: yum
Version: 7.0
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Valentina Mukhamedzhanova
QA Contact: Karel Srot
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-06-26 06:00 UTC by Karel Srot
Modified: 2015-03-05 09:04 UTC (History)

Fixed In Version: yum-3.4.3-119.el7
Doc Type: Bug Fix
Doc Text:
Cause: run 'yum verify'
Consequence: yum reports changes to file permissions, when there aren't any changes
Fix: patch
Result: the report is correct
Clone Of: 1045415
Environment:
Last Closed: 2015-03-05 09:04:08 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:0398 0 normal SHIPPED_LIVE yum bug fix update 2015-03-05 14:00:27 UTC

Description Karel Srot 2014-06-26 06:00:51 UTC
Should be fixed in 7.1 too. 

yum-3.4.3-118.el7.noarch

==================== Installed Packages ====================
bz1045415pkg.noarch : bz1045415pkg Package
    File: /var/log/bz1045415.log
    Tags: ghost
        Problem:  mode does not match
        Current:  user:wr-, group:-r-, other:-r-
        Original: user:wr-, group:-r-, other:-r-
verify-all done



+++ This bug was initially created as a clone of Bug #1045415 +++

Description of problem:
On a fully patched RHEL 6.5 machine, we can see that a yum verify-all reports problems with permissions but the Current and Original modes are the same.
- It should be noted that this problem exists for earlier versions of RHEL 6 as well as RHEL 5.
- It should also be noted that when comparing a file that was wrongly reported as being different by yum verify-all, yum verify --verify-filenames=<filename> does not report a problem.  This gives you the impression that the function is working, but, based on the first results in this case comment, it can be assumed that the --verify-filenames option never gives a result.
- yum verify --verify-configuration-files=yes appears to report valid results.  The man entry for this option is somewhat misleading, however.  It is written this way:

    --verify-configuration-files=VERIFY_CONFIGURATION_FILES
                        Verify files tagged as configuration files

The --verify-configuration-files option appears to take a Boolean as a parameter, however.  I was surprised to see the results when setting the flag to 'no', as seen below:

[root@test ~]# yum verify --verify-configuration-files=no
Loaded plugins: changelog, downloadonly, product-id, rhnplugin, security, verify
This system is receiving updates from RHN Classic or RHN Satellite.
==================== Installed Packages ====================
libtool-ltdl.x86_64 : Runtime libraries for GNU Libtool Dynamic Module Loader
    File: /usr/lib64/libltdl.so.7.2.1
        Problem:  checksum does not match
        Current:  sha256:387e01927e3ad20def3b1df196d6815ebad7ddd8728dcc7b45ccf59acff8f778
        Original: sha256:45be6f82cd2f3f8118fc27a3c6105c89e543a745f96777ac03327be61f0bce64
                                   --------                                   
        Problem:  size does not match
        Current:   38 k
        Original:  36 k

libunistring.x86_64 : GNU Unicode string library
    File: /usr/lib64/libunistring.so.0.1.2
        Problem:  checksum does not match
        Current:  sha256:d5bb6021ee98db773c811dbdd70523b133f1f91db8ef08dd47e7eab06ec49256
        Original: sha256:e615c4f068f5538478e1de9cb81c366e1acd761991b77ee5ab9174e5dc6bcc83
                                   --------                                   
        Problem:  size does not match
        Current:       1144424 B
        Original:      1142048 B
verify done

- I was also surprised that setting this value to the path of a configuration file yielded the same result as shown above.

Version-Release number of selected component (if applicable):


How reproducible:

Steps to Reproduce:
#yum install yum-plugin-verify
#yum verify-all
# yum verify --verify-filenames=/etc/sysconfig/system-config-firewall
# yum verify --verify-configuration-files=yes
# yum verify --verify-configuration-files=no
# yum verify --verify-configuration-files=/etc/sysctl.conf


Actual results:
I was able to reproduce this issue. But it did not work for some commands mentioned below.
# yum verify --verify-configuration-files=yes
# yum verify --verify-configuration-files=no
# yum verify --verify-configuration-files=/etc/sysctl.conf


Expected results:
# yum verify-all 

 File: /var/cache/PackageKit/groups.sqlite
    Tags: ghost
        Problem:  mode does not match            
        Current:  user:wr-, group:-r-, other:-r-  
        Original: user:wr-, group:-r-, other:-r-

-> Current and original mode should differ according to Problem.

Additional info:

--- Additional comment from Valentina Mukhamedzhanova on 2014-03-28 06:07:36 EDT ---

1. Fixed the mode problem in upstream - http://yum.baseurl.org/gitweb?p=yum.git;a=commitdiff;h=bb6908d630966d9e385659516c2759c47c0e2ee7, acking.

2. --verify-configuration-files indeed takes a boolean, it actually accepts values 1/0, yes/no, on/off and true/false.

If you run something like 
'yum verify --verify-configuration-files=/etc/sysctl.conf' 
you will get a warning 
'Ignoring bad value "/etc/sysctl.conf" for the option --verify-configuration-files'.

Still, I agree that the help string might be confusing, so I made it a little bit clearer in upstream - http://yum.baseurl.org/gitweb?p=yum-utils.git;a=commitdiff;h=96b3b8824a3095ffaacdd754720003c090981480, please file a bugzilla against yum-utils if you want it to be backported to RHEL6.6.

3. 'yum verify --verify-filenames=<filename>' does not report a problem which 'yum verify-all' does, not because of the '--verify-filenames' option, but because of using 'verify' instead of 'verify-all'.

--- Additional comment from Karel Srot on 2014-04-01 08:59:41 EDT ---

@QE: reproducer
run against some package with ghost files, e.g. prelink

# yum verify-all prelink
prelink.x86_64 : An ELF prelinking utility
    File: /var/lib/prelink/force
    Tags: ghost, configuration, missing ok
        Problem:  file is missing
    File: /var/lib/prelink/full
    Tags: ghost, configuration, missing ok
        Problem:  mode does not match
        Current:  user:wr-, group:-r-, other:-r-
        Original: user:wr-, group:-r-, other:-r-
    File: /var/lib/prelink/quick
    Tags: ghost, configuration, missing ok
        Problem:  mode does not match
        Current:  user:wr-, group:-r-, other:-r-
        Original: user:wr-, group:-r-, other:-r-
    File: /var/log/prelink/prelink.log
    Tags: ghost, configuration, missing ok
        Problem:  mode does not match
        Current:  user:wr-, group:-r-, other:-r-
        Original: user:wr-, group:-r-, other:-r-
verify-all done
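
For triaging verify-all reports produced by affected yum versions, the following added example (not part of the original bug report or of yum) parses output in the format quoted above and separates findings whose printed Current and Original values are identical, the symptom described here, from findings that show an actual difference. The function names and the libexample package are assumptions made for illustration.

```python
import re

# Sample: the prelink entries are quoted from this report; libexample is constructed.
SAMPLE = """\
prelink.x86_64 : An ELF prelinking utility
    File: /var/lib/prelink/force
    Tags: ghost, configuration, missing ok
        Problem:  file is missing
    File: /var/lib/prelink/full
    Tags: ghost, configuration, missing ok
        Problem:  mode does not match
        Current:  user:wr-, group:-r-, other:-r-
        Original: user:wr-, group:-r-, other:-r-
libexample.x86_64 : Constructed example package
    File: /usr/lib64/libexample.so.1
        Problem:  size does not match
        Current:   38 k
        Original:  36 k
verify-all done
"""

PKG_RE = re.compile(r"^(\S+) : ")  # "name.arch : summary" at column 0
FIELD_RE = re.compile(r"^\s+(File|Tags|Problem|Current|Original):\s*(.*?)\s*$")

def parse_verify_report(text):
    """Return one dict per 'Problem:' entry in yum verify / verify-all output."""
    findings, pkg, path, tags = [], None, None, []
    for line in text.splitlines():
        if (m := PKG_RE.match(line)):
            pkg = m.group(1)
        elif (m := FIELD_RE.match(line)):
            key, value = m.groups()
            if key == "File":
                path, tags = value, []  # tags apply per file, reset them
            elif key == "Tags":
                tags = [t.strip() for t in value.split(",")]
            elif key == "Problem":
                findings.append({"package": pkg, "file": path, "tags": tags,
                                 "problem": value, "current": None, "original": None})
            elif findings:  # Current / Original belong to the latest Problem
                findings[-1][key.lower()] = value
    return findings

def triage(findings):
    """Split into (actionable, inconsistent): inconsistent means Current == Original."""
    odd = [f for f in findings
           if f["current"] is not None and f["current"] == f["original"]]
    return [f for f in findings if f not in odd], odd
```

Entries in the second list are not proof that the file is unchanged; re-verify them with a fixed yum (Fixed In Version above: yum-3.4.3-119.el7) before closing them out.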

Comment 6 errata-xmlrpc 2015-03-05 09:04:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0398.html

