Bug 1373646 - tzdata-update uses default umask
Summary: tzdata-update uses default umask
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: glibc
Version: 6.8
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Florian Weimer
QA Contact: Sergey Kolosov
Mark Flitter
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-09-06 21:04 UTC by Paulo Andrade
Modified: 2020-05-14 15:18 UTC (History)
10 users (show)

Fixed In Version: glibc-2.12-1.195.el6
Doc Type: Bug Fix
Doc Text:
Fix for tzdata-update inheriting an unusable umask When updating /etc/localtime, tzdata-update applies the current process umask to determine the file permissions. If the umask is a restrictive value, such as 077, the new /etc/localtime file may not be readable by non-root users. To resolve this, tzdata-update now sets the permissions to rw-r--r-- (0644) unconditionally.
Clone Of:
Environment:
Last Closed: 2017-03-21 10:38:14 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 2787791 None None None 2016-11-30 16:25:40 UTC
Red Hat Product Errata RHSA-2017:0680 normal SHIPPED_LIVE Moderate: glibc security and bug fix update 2017-03-21 12:36:34 UTC

Description Paulo Andrade 2016-09-06 21:04:51 UTC
tzdata-update was rewritten in a Red Hat patch
(glibc-rh1200555.patch) but it misses a feature of
the old tzdata-update that was the chunk:

---8<---
  long int sret;
  sret = INTERNAL_SYSCALL (fchmod, err, 2, fd, 0644);
  if (INTERNAL_SYSCALL_ERROR_P (sret, err))
    goto clean_up;
---8<---

  So, depending of the umask set (e.g. 0077), it may
create a /etc/localtime that is unreadable by non root
users.

  Test case should be simple, just set the umask and
run /usr/sbin/tzdata-update.

Comment 2 Florian Weimer 2016-09-07 10:00:58 UTC
Agreed, we should restore the fchmod call.

Comment 4 Florian Weimer 2016-09-15 11:34:51 UTC
The Lua version of tzdata-update in the tzdata package is not affected because RPM resets the umask to 022:

[root@lenovo-thinkstation-01 ~]# rm -f  /etc/localtime
[root@lenovo-thinkstation-01 ~]# rpm -e --nodeps tzdata
[root@lenovo-thinkstation-01 ~]# (umask 077; rpm -i tzdata-2016c-1.el6.noarch.rpm)
warning: tzdata-2016c-1.el6.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
[root@lenovo-thinkstation-01 ~]# ls -l /etc/localtime
-rw-r--r--. 1 root root 3519 Sep 15 07:32 /etc/localtime

[root@lenovo-thinkstation-01 ~]# rm -f  /etc/localtime
[root@lenovo-thinkstation-01 ~]# (umask 077; yum reinstall tzdata-2016c-1.el6.noarch.rpm)
…
Installed:
  tzdata.noarch 0:2016c-1.el6

Complete!
[root@lenovo-thinkstation-01 ~]# ls -l /etc/localtime
-rw-r--r--. 1 root root 3519 Sep 15 07:33 /etc/localtime

Comment 8 errata-xmlrpc 2017-03-21 10:38:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2017-0680.html


Note You need to log in before you can comment on or make changes to this bug.