Bug 1477545 - Upgrade of dhcpd always breaks permissions
Summary: Upgrade of dhcpd always breaks permissions
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Installation
Version: 6.3.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: Unspecified
Assignee: Eric Helms
QA Contact: Lukas Pramuk
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-08-02 11:27 UTC by Lukas Zapletal
Modified: 2022-04-01 18:30 UTC (History)
CC: 16 users

Fixed In Version: foreman-installer-1.15.5
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-02-21 17:11:08 UTC
Target Upstream Version:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Foreman Issue Tracker | 20683 | 0 | High | Closed | Upgrade of dhcpd always breaks permissions | 2021-01-04 18:30:58 UTC
Foreman Issue Tracker | 21419 | 0 | Normal | Closed | Reverse logic of setfacl_etc_dhcp and setfacl_var_lib_dhcp | 2021-01-04 18:30:24 UTC
Red Hat Knowledge Base (Solution) | 3137221 | 0 | None | None | None | 2017-08-07 15:56:15 UTC

Description Lukas Zapletal 2017-08-02 11:27:47 UTC
We need to set

setfacl -R -m u:foreman:rwx /etc/dhcp /var/lib/dhcpd

via our puppet installer instead of modifying the standard UNIX owner and permissions. Over time, as the dhcp package is upgraded, RPM restores the original permissions and owner, which leads to DHCP issues (foreman-proxy is unable to modify files).

We should keep the old UNIX method and add setfacl as an additional step; it will not work on filesystems without FACL, so in that case skip it.

Comment 10 Lukas Zapletal 2017-08-07 14:18:01 UTC
Nagoor, I can confirm my typo. The correct form is indeed:

setfacl -R -m u:foreman-proxy:rwx /etc/dhcp /var/lib/dhcpd

Comment 15 Eric Helms 2017-08-21 18:32:00 UTC
Created redmine issue http://projects.theforeman.org/issues/20683 from this bug

Comment 16 Satellite Program 2017-09-06 14:05:40 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/20683 has been resolved.

Comment 17 Lukas Pramuk 2017-10-20 17:24:10 UTC
FailedQA.

@satellite-6.3.0-21.0.beta.el7sat.noarch
foreman-installer-1.15.6.1-1.el7sat.noarch

# getfacl -p /etc/dhcp /var/lib/dhcpd
# file: /etc/dhcp
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

# file: /var/lib/dhcpd
# owner: dhcpd
# group: dhcpd
user::rwx
group::r-x
other::r-x


>>> no special acl set on the dhcp directories

Comment 18 Eric Helms 2017-10-20 21:04:49 UTC
Lukas,

Do you have both --foreman-proxy-dhcp and --foreman-proxy-dhcp-managed set to true? Be warned, this will enable the DHCP server and management, so you need to do it in an isolated network. These are not true in a default installation for that reason. The management of DHCP ACLs is only relevant in the case that DHCP is being managed by the Capsule, so you will not see this present without the above. Flipping back to ON_QA for further analysis.

Comment 19 Lukas Pramuk 2017-10-22 09:35:13 UTC
Eric,

Yes, I have an internal Capsule with the DHCP, DNS, Discovery, Dynflow, OpenSCAP, Pulp, Puppet, Puppet CA, SSH, and TFTP features.

# satellite-installer -h | grep -E "dhcp( |-manage)"
    --foreman-proxy-dhcp          Enable DHCP feature (current: true)
    --foreman-proxy-dhcp-manage-acls  Whether to manage DHCP directory ACLs. This allows the Foreman Proxy user to access even if the directory mode is 0750. (current: true)
    --foreman-proxy-dhcp-managed  DHCP is managed by Foreman proxy (current: true)

Comment 20 Lukas Pramuk 2017-10-22 11:26:16 UTC
The setfacl installer code is working, but with reversed logic; see:

1. Set ACL
# setfacl -R -m u:foreman-proxy:rx /var/lib/dhcpd /etc/dhcp

# satellite-installer -v 
...
[ WARN 2017-10-22 06:48:16 verbose]  /Stage[main]/Foreman_proxy::Proxydhcp/Exec[setfacl_etc_dhcp]/returns: executed successfully
[ WARN 2017-10-22 06:48:16 verbose]  /Stage[main]/Dhcp/Concat[/etc/dhcp/dhcpd.conf]/File[/etc/dhcp/dhcpd.conf]/mode: mode changed '0654' to '0644'
[ INFO 2017-10-22 06:48:16 verbose]  Concat[/etc/dhcp/dhcpd.conf]: Scheduling refresh of Service[dhcpd]
...

>>> when the ACL is present, the installer sets it!!!

2. Remove ACL
# setfacl -R -x u:foreman-proxy /var/lib/dhcpd /etc/dhcp

# satellite-installer -v 
...
<no exec of setfacl_etc_dhcp>
... 

>>> when the ACL is not set, the installer doesn't set it!!!

Comment 21 Lukas Pramuk 2017-10-22 11:33:52 UTC
While setfacl_var_lib_dhcp has a typo!!!

onlyif  => "getfacl -p /var/lib/dhcp | grep user:${::foreman_proxy::user}:r-x"

>>> /var/lib/dhcp doesn't exist; it should be /var/lib/dhcpd

Comment 22 Lukas Pramuk 2017-11-01 16:01:37 UTC
VERIFIED.

@satellite-6.3.0-21.0.beta.el7sat.noarch
foreman-installer-1.15.6.4-1.el7sat.noarch


1. Have a capsule with DHCP feature, i.e. all these installer options are enabled

# satellite-installer -h | grep -E "dhcp( |-manage)"
    --foreman-proxy-dhcp          Enable DHCP feature (current: true)
    --foreman-proxy-dhcp-manage-acls  Whether to manage DHCP directory ACLs. This allows the Foreman Proxy user to access even if the directory mode is 0750. (current: true)
    --foreman-proxy-dhcp-managed  DHCP is managed by Foreman proxy (current: true)

2. Check for file ACLs of dhcp files (after installation)

# getfacl -p /etc/dhcp /var/lib/dhcpd
# file: /etc/dhcp
# owner: root
# group: root
user::rwx
user:foreman-proxy:r-x    <<< OK
group::r-x
mask::r-x
other::r-x

# file: /var/lib/dhcpd
# owner: dhcpd
# group: dhcpd
user::rwx
user:foreman-proxy:r-x    <<< OK
group::r-x
mask::r-x
other::r-x

>>> foreman will be able to access the dhcp files

Comment 23 Lukas Pramuk 2017-11-01 16:05:28 UTC
Wait, comment#0 and comment#10 are talking about rwx for foreman-proxy and I see just r-x.

So foreman won't be able to modify/write to dhcp files. Is write access needed?

Comment 24 Lukas Zapletal 2017-11-02 10:23:29 UTC
Yes, only read access for all DHCP files is needed, as Foreman calls the "omapi" tool to do the updates as an external process, and I believe this talks to the server via the network.

Comment 25 Bryan Kearney 2018-02-21 17:11:08 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0336

Comment 26 Lukas Zapletal 2018-05-18 11:34:15 UTC
For googlers, the correct command is again:

setfacl -R -m u:foreman-proxy:rx /etc/dhcp /var/lib/dhcpd

No write permission needed!
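The following is an added example and is not code from foreman-installer, the Foreman project or Red Hat. It wraps the command above in an idempotent check that fires setfacl only when the foreman-proxy entry is missing (the opposite of the reversed onlyif behaviour reported in comment 20), uses the correct /var/lib/dhcpd path from comment 21, grants only rx as comments 24 and 26 require, and skips rather than fails on a filesystem without ACL support, as the original description asked. The function names and the --apply flag are hypothetical, and the "not supported" error text is the assumed wording setfacl prints on such filesystems.

```shell
#!/bin/sh
# Added example, not the installer's own code. Ensures the foreman-proxy user
# has r-x on the DHCP directories via a POSIX ACL, re-applying it only when
# the entry is absent (for example after an RPM upgrade of dhcp has reset
# ownership and mode). Names below are illustrative assumptions.

DHCP_DIRS="/etc/dhcp /var/lib/dhcpd"   # /var/lib/dhcpd, not /var/lib/dhcp
PROXY_USER="foreman-proxy"
PROXY_PERMS="rx"   # read is enough: updates go through omapi, not file writes

# acl_present GETFACL_TEXT USER
# Succeeds when the getfacl output already carries an explicit named-user
# entry for USER with at least r-x. Pure text check, so the decision logic
# can be exercised without root or an ACL-capable filesystem.
acl_present() {
    printf '%s\n' "$1" | grep -Eq "^user:$2:r[-w]x$"
}

# ensure_acl DIR
# Applies the ACL to DIR only when it is missing. Returns 0 (skip) when the
# directory is absent or ACLs are unsupported there, 1 on a real failure.
ensure_acl() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "skip: $dir does not exist" >&2
        return 0
    fi
    if ! current=$(getfacl -p "$dir" 2>/dev/null); then
        echo "skip: cannot read ACLs on $dir (no ACL support or getfacl missing)" >&2
        return 0
    fi
    if acl_present "$current" "$PROXY_USER"; then
        echo "ok: $dir already grants $PROXY_USER $PROXY_PERMS"
        return 0
    fi
    if err=$(setfacl -R -m "u:$PROXY_USER:$PROXY_PERMS" "$dir" 2>&1); then
        echo "set: granted $PROXY_USER $PROXY_PERMS on $dir"
        return 0
    fi
    case $err in
        *"not supported"*)
            # assumed setfacl wording on filesystems without ACL support
            echo "skip: $dir is on a filesystem without ACL support" >&2
            return 0 ;;
        *)
            echo "error: setfacl on $dir: $err" >&2
            return 1 ;;
    esac
}

# Touch the real directories only when explicitly asked (requires root).
if [ "${1:-}" = "--apply" ]; then
    for d in $DHCP_DIRS; do
        ensure_acl "$d" || exit 1
    done
fi
```

Two caveats for anyone reusing this on a Capsule: `setfacl -m` only adds an access ACL to the entries that exist at the time it runs, so files created later under these directories (a rotated lease file, a regenerated include) will not carry the entry unless a default ACL is also set on the directory with `setfacl -d -m`; and because a package upgrade can reset the mode bits, the check should be re-run after every dhcp update rather than once at install time, which is exactly what the installer's onlyif is meant to make cheap.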

