Red Hat Bugzilla – Bug 1161209
[DOC] [Admin] [3.5][async 3.4]Need important permission details for rhevm and rhev-h in the rhevm admin guide.
Last modified: 2015-03-22 20:46:47 EDT
Description of problem:
Need important permission details for rhevm and rhev-h in the rhevm admin guide, as mostly the people in the govt sector are changing the permission to 077 for the whole OS without knowing the impact of it.

Version-Release number of selected component (if applicable):
rhevm-3.4
rhel hosts

Actual results:
Currently no details are available in the webadmin portal regarding the important files, certs and their permissions.

Expected results:
Need some proper documentation for files, certs and permissions.
(In reply to Udayendu Sekhar Kar from comment #0)
> Description of problem:
> Need important permission details for rhevm and rhev-h in the rhevm admin
> guide, as mostly the people in the govt sector are changing the permission to 077
> for the whole OS without knowing the impact of it.
>
> Version-Release number of selected component (if applicable):
> rhevm-3.4
> rhel hosts
>
> Actual results:
> Currently no details are available in the webadmin portal regarding the important
> files, certs and their permissions.
>
> Expected results:
> Need some proper documentation for files, certs and permissions.

Hi Uday,

Thanks for filing this bug. Just a quick reminder that documentation bugs should be filed against the 'Guides' component and not 'rhevm-doc'. Filing bugs against the wrong component may cause delays in bugs getting addressed.

So my understanding is that the default permission for /etc/pki/ovirt-engine/ is 644, but because it wasn't called out, users from the government sector may change it to 077 because of the instructions in their security guide. A reminder should be added to the Admin or Install Guide to remind users that the CA directory should remain 644 to avoid a connection 500 error.

Please let me know if anything else needs to be added as part of this bug.

Extracted comment from the support case:

########
I have good news. The problem has been identified and corrected. An individual from another group had had the same problem with their RHEV environment after changing the umask to 077.

The issue is with the certs in /etc/pki/ovirt-engine/. Several of these certs ended up being generated with 600 permissions. Once I changed them to 644, the console display problem went away.

While I believe that these are generated on the fly and the specific file names are not that important, these are the 6 files that I changed:

chmod 644 0C.pem
chmod 644 01.pem
chmod 644 02.pem
chmod 644 ca.der
chmod 644 engine.cer
chmod 644 engine.der

I used my lab environment, which has never had the umask 077 applied, to identify the problem files.

Perhaps a documentation RFE would be useful. There are many government clients that will blindly apply lockdown recommendations from the STIG guide. If they are applying the umask 077 across the board (instead of just applying it to the default and overriding it in the root profile), this problem and a dozen other mask related issues will likely cause them problems.
######

Cheers,
Julie
Hi Julie,

The permission for the /etc/pki/ovirt-engine/ directory should be 755, as it's a directory, with the ownership and group ownership set to ovirt.

--==--
# ls -ld /etc/pki/ovirt-engine/
drwxr-xr-x. 6 ovirt ovirt 4096 Oct 23 16:32 /etc/pki/ovirt-engine/
--==--

The same permission applies to the /etc/pki/CA directory, but the ownership & group ownership there is root.

--==--
# ls -ld /etc/pki/CA
drwxr-xr-x. 6 root root 4096 Oct 16 20:39 /etc/pki/CA
--==--

So it's better to add a note that you **DON'T CHANGE** any permission for the "/etc/pki" directory, because there are many files and directories in this location that should have the proper permission, ownership & group ownership to keep the rhevm environment working. The whole "/etc/pki" directory is important.

Cheers,
Uday
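An added example, not part of this bug report or of RHEV: a small POSIX shell audit that finds the symptom the thread describes (cert files left 600 and directories left 700 after being generated under umask 077), using the modes stated above (644 for the cert files, 755 for the directories), and restores them. The sample tree (certs/, requests/, keys/ subdirectories, file names) is constructed here; the assumption that a keys/ subdirectory holds private keys, which must stay non-world-readable and are therefore skipped, is mine.

```shell
#!/bin/sh
# Added example (constructed), not code from the bug report or from RHEV.
# Expected modes per the thread: cert files 644, directories 755.
# Assumption: a "keys" subdirectory holds private keys and is never touched.

# Print every cert file (.pem/.cer/.der) whose mode is not 644 and every
# directory whose mode is not 755 under $1. Returns 1 if any were printed.
audit_pki_perms() {
    dir="$1"
    bad=$( {
        find "$dir" -type d -name keys -prune -o -type f \
            \( -name '*.pem' -o -name '*.cer' -o -name '*.der' \) \
            ! -perm 644 -print
        find "$dir" -type d -name keys -prune -o -type d ! -perm 755 -print
    } | sort )
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Restore the expected modes on the same set of paths (keys/ is skipped).
fix_pki_perms() {
    dir="$1"
    find "$dir" -type d -name keys -prune -o -type f \
        \( -name '*.pem' -o -name '*.cer' -o -name '*.der' \) \
        ! -perm 644 -exec chmod 644 {} +
    find "$dir" -type d -name keys -prune -o -type d ! -perm 755 \
        -exec chmod 755 {} +
}

# Build a constructed sample tree (hypothetical names) reproducing the report:
# part generated under umask 022, part under umask 077. Prints its root.
make_sample_pki() {
    root=$(mktemp -d)/ovirt-engine
    (umask 022; mkdir -p "$root/certs" "$root/keys"; : > "$root/certs/ca.pem")
    (umask 077; mkdir "$root/requests"; : > "$root/certs/engine.cer"
                : > "$root/keys/engine.key")
    printf '%s\n' "$root"
}

# Demo: the audit lists certs/engine.cer (600) and requests (700), then fixes them.
root=$(make_sample_pki)
audit_pki_perms "$root" || fix_pki_perms "$root"
rm -rf "${root%/ovirt-engine}"
```

Run it against a real tree only after confirming which subdirectories hold private keys, since those must not be made world-readable.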
Thanks Uday. Same change has been applied to 3.4. Pending publication.