Bug 1182304 - incorrect specification of ghost file mlocate.db in mlocate package
Summary: incorrect specification of ghost file mlocate.db in mlocate package
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: mlocate
Version: 6.6
Hardware: All
OS: All
unspecified
low
Target Milestone: rc
: ---
Assignee: Michal Sekletar
QA Contact: Stefan Kremen
URL:
Whiteboard:
Depends On:
Blocks: 1182306 1182307 1185798
TreeView+ depends on / blocked
 
Reported: 2015-01-14 20:17 UTC by Paulo Andrade
Modified: 2019-04-16 14:31 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: mlocate package wrongly claimed that its database file has owner:group equal to root:root and permission are 644. However database file is not shipped in rpm package it self and it is created with root:slocate 640 permissions. Consequence: Openscap tools are reporting this problem. Fix: Adjusted permissions in mlocate spec file. Result: Openscap tools should not issue warnings and rpm database will reflect actual state of database file on the system.
Clone Of:
: 1185798 (view as bug list)
Environment:
Last Closed: 2015-03-12 09:00:38 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:0676 normal SHIPPED_LIVE mlocate bug fix update 2015-03-12 13:00:18 UTC

Description Paulo Andrade 2015-01-14 20:17:59 UTC
The mlocate rpm correctly defines mlocate.db to be a ghost file. However it is incorrectly stated that this file is owned by group root and that the mode is 644. When updatedb runs it creates the files with group slocate and mode 640.
This leads to rpm verification errors, which lead to failed compliance checks.

This bug may be present in other RHEL versions as well.

A simple mlocate.spec pseudo patch would be:

-%ghost %{_localstatedir}/lib/mlocate/mlocate.db
+%ghost %attr(0640,root,slocate) %{_localstatedir}/lib/mlocate/mlocate.db

Comment 2 Michal Sekletar 2015-01-15 08:40:39 UTC
For rhel-6.7 there will be fastrack errata for mlocate. I think this bug is suitable for inclusion in that errata.

Comment 6 Stefan Kremen 2015-01-28 16:20:54 UTC
Hi Paulo,

I am unable to reproduce the bug. All tested stable systems (rhel 5, 6 and 7) showed correct permissions 640 even before applying this patch and running "rpm --verify mlocate" didn't complain.

Even after permissions have been changed manually to 644 the "rpm --verify mlocate" didn't complain a bit.

Would you please state what rhel, rpm and mlocate versions were you able to see this problem?

Thank you, Stefan

Comment 7 Paulo Andrade 2015-01-28 18:14:32 UTC
Hi Stefan,

I asked the customer. I believe it should be some custom
tool.

At least in rhel-6 and rhel-7, I could not find a way
to force "rpm -V" to even consider checking ghost files.

I can think of some script that would use "rpm -ql --dump"
and compare with actual files, but could not find
anything related.

Comment 8 Stefan Kremen 2015-01-29 12:52:51 UTC
(In reply to Paulo Andrade from comment #7)
> I can think of some script that would use "rpm -ql --dump"

Hi Paulo, thank you for suggesting this, it was helpful and I am now able to get the reproducer:

# rpm -ql --dump mlocate | grep -E "^/var/lib/mlocate/mlocate\.db.*644 root root.*$"
/var/lib/mlocate/mlocate.db 0 1348490607 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0100644 root root 0 0 0 X

Comment 10 Paulo Andrade 2015-01-29 15:32:06 UTC
Hi Stefan,

Quoting the reply from the customer

"""
the issue was flagged by openscap runs. I then compared the output of rpm -qlv with the actual permissions in the filesystem. E.g:

# rpm -qlv mlocate
[...]
drwxr-x---    2 root    slocate                     0 Sep 24  2012 /var/lib/mlocate
-rw-r--r--    1 root    root                        0 Sep 24  2012 /var/lib/mlocate/mlocate.db

# ls -al /var/lib/mlocate
total 1424
drwxr-x---.  2 root slocate    4096 Jan 29 03:22 .
drwxr-xr-x. 34 root root       4096 Jan  8 18:20 ..
-rw-r-----.  1 root slocate 1448261 Jan 29 03:22 mlocate.db

As you can see the rpm requires permissions 0644 and root:root ownership, while the uodatedb command will create the file with permissions 0640 and ownership root:slocate.
"""

Comment 12 errata-xmlrpc 2015-03-12 09:00:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0676.html


Note You need to log in before you can comment on or make changes to this bug.