Bug 1485217 - [RFE] Warn or adjust umask if it is too restrictive to break installation
Summary: [RFE] Warn or adjust umask if it is too restrictive to break installation
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: François Cami
QA Contact: ipa-qe
URL: https://pagure.io/freeipa/issue/7193
Whiteboard:
Duplicates: 1523468 1568261 1577525 1585142
Depends On:
Blocks: 1500891 1518616 1647919 1707454
Reported: 2017-08-25 06:50 UTC by Raul Mahiques
Modified: 2023-09-07 18:56 UTC (History)
CC List: 20 users

Fixed In Version: ipa-4.6.5-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-06 13:09:02 UTC
Target Upstream Version:
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1630361 0 unspecified CLOSED PKINIT fails in FIPS mode 2021-02-22 00:41:40 UTC
Red Hat Issue Tracker FREEIPA-7524 0 None None None 2021-12-10 15:25:53 UTC
Red Hat Product Errata RHBA-2019:2241 0 None None None 2019-08-06 13:09:26 UTC

Internal Links: 1630361

Description Raul Mahiques 2017-08-25 06:50:38 UTC
Description of problem:
If the umask used during the installation is "too restrictive", i.e. 0027, the installer will complete the installation successfully but at the end it won't work fine. Please could you add in the ipa-*-install scripts the umask 0022 to the argument of the command invocation?

Version-Release number of selected component (if applicable):
4.5 or older

How reproducible:
set the umask to something like 0027 and install a client or a server.

Steps to Reproduce:
1. umask 0027
2. ipa-*-install
3. after the installation has finished try to use it normally, certain parts won't work as expected.

Actual results:
The installation claims it has succeeded but the setup doesn't work correctly

Expected results:
The installer internally sets a valid umask when it launches the commands.

Additional info:

Comment 3 Petr Vobornik 2017-09-01 22:19:31 UTC
Hello, what were the "certain parts" which "won't work as expected"?

Comment 4 Raul Mahiques 2017-09-19 07:51:16 UTC
I don't have access to the environment now in order to reproduce, but the solution is simply setting the right umask in the installation scripts.

Comment 5 Petr Vobornik 2017-10-13 11:04:50 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7193

Comment 7 Florence Blanc-Renaud 2017-12-08 14:49:23 UTC
*** Bug 1523468 has been marked as a duplicate of this bug. ***

Comment 8 Florence Blanc-Renaud 2018-01-08 09:55:28 UTC
When the master is installed with umask 077, the files /etc/ipa/ca.crt and /var/lib/ipa/ra-agent.{key|pem} cannot be read by non-root users. IPA server is running as apache user and cannot read ca.crt, leading to a communication issue with Dogtag. The immediate consequence is that replica installation fails with the following log in the master's /var/log/httpd_error_log:

[...date...] [:error] [pid 9337] ipa: INFO: [xmlserver] host/vm-replica.ipadomain.com: cert_request(u'MII...MJUs6', profile_id=u'caIPAserviceCert', principal=u'ldap/replica.ipadomain.com', add=True, version=u'2.51'): NetworkError
[Fri Jan 05 13:10:44.580527 2018] [:error] [pid 9337] ipa: DEBUG: response: NetworkError: cannot connect to 'https://master.ipadomain.com:443/ca/rest/account/login': [Errno 13] Permission denied
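A Python pre-flight check illustrating the mechanism described in the comment above (added here as an example; it is not FreeIPA's own code): it reads the process umask, predicts the mode newly created files get, and reproduces the installer's warning text, flagging when the world-read bit the apache user needs on /etc/ipa/ca.crt would be stripped.

```python
import os
import stat

# umask the ipa-*-install tools expect (from the installer warning in this bug)
EXPECTED_UMASK = 0o022
# Installer-written file a non-root service must read (comment 8: the apache
# user needs /etc/ipa/ca.crt to reach Dogtag). Path taken from the bug report.
NEEDS_OTHER_READ = "/etc/ipa/ca.crt"


def current_umask():
    """Return the process umask. umask(2) has no pure getter, so set and restore."""
    old = os.umask(0)
    os.umask(old)
    return old


def predicted_mode(umask, requested=0o666):
    """Mode a file created with `requested` permission bits ends up with."""
    return requested & ~umask & 0o777


def check_umask(umask, expected=EXPECTED_UMASK):
    """Mirror the installer's check: returns (ok, message).

    A non-OK result also explains the impact when the world-read bit is lost.
    """
    if umask == expected:
        return True, "umask %04o matches expected %04o" % (umask, expected)
    msg = "Unexpected system mask: %04o, expected %04o" % (umask, expected)
    mode = predicted_mode(umask)
    if not mode & stat.S_IROTH:  # world-read bit stripped: apache cannot read
        msg += ("; new files would be mode %04o, so %s would be unreadable "
                "by the apache user" % (mode, NEEDS_OTHER_READ))
    return False, msg


if __name__ == "__main__":
    # Constructed sample masks: the live one, the two from this bug, and a lax one
    for mask in (current_umask(), 0o027, 0o077, 0o002):
        ok, message = check_umask(mask)
        print("%s: %s" % ("OK  " if ok else "WARN", message))
```

A umask of 0002 still triggers the warning but carries no impact note, since files stay world-readable; 0027 and 077 both drop the bit that breaks the apache-to-Dogtag path.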

Comment 9 Standa Laznicka 2018-04-19 09:50:50 UTC
*** Bug 1568261 has been marked as a duplicate of this bug. ***

Comment 16 Rob Crittenden 2018-05-14 14:47:25 UTC
*** Bug 1577525 has been marked as a duplicate of this bug. ***

Comment 17 Florence Blanc-Renaud 2018-06-14 12:42:27 UTC
*** Bug 1585142 has been marked as a duplicate of this bug. ***

Comment 30 Nikhil Dehadrai 2019-05-15 09:47:42 UTC
ipa version: ipa-server-4.6.5-8.el7.x86_64

Verified the bug on the basis of the following observations:
1. Verified that when umask is not 0022, the user is prompted with the message:
"Unexpected system mask: 0027, expected 0022
Do you want to continue anyway? [yes]:"

2. When umask is set to a value other than 0022 and the user agrees at the prompt, the installation is successful.

3. When umask is set to a value other than 0022 and the user does not agree at the prompt, the installation fails as expected.

4. Upon reverting the umask value to '0022', the user is not prompted and ipa-server installation is successful.

5. For a replica, when umask is set to anything other than 0022, replica installation fails with the error message:
[root@kvm-01-guest02 ~]# /usr/sbin/ipa-replica-install -U --setup-ca --setup-dns --forwarder=x.x.x.x --ip-address=x.x.x.x -P admin -w Secret123
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipapython.admintool: ERROR    Unexpected system mask: 0027, expected 0022
ipapython.admintool: ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

Logs on IPA Master:
----------------------
ipa-server-4.6.5-8.el7.x86_64

[root@auto-hv-01-guest07 ~]# umask
0022
[root@auto-hv-01-guest07 ~]# umask 0027
[root@auto-hv-01-guest07 ~]# umask
0027
[root@auto-hv-01-guest07 ~]# ipa-server-install 
Unexpected system mask: 0027, expected 0022
Do you want to continue anyway? [yes]: yes

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure the KDC to enable PKINIT
[root@auto-hv-01-guest07 ~]# tail -1 /var/log/ipaserver-install.log 
2019-05-15T08:27:36Z INFO The ipa-server-install command was successful
[root@auto-hv-01-guest07 ~]# kinit admin
Password for admin: 
[root@auto-hv-01-guest07 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin

Valid starting       Expires              Service principal
05/15/2019 04:36:01  05/16/2019 04:35:59  krbtgt/ND14MAY.PNQ
[root@auto-hv-01-guest07 ~]# 
[root@auto-hv-01-guest07 ~]# kdestroy
[root@auto-hv-01-guest07 ~]# klist
klist: Credentials cache keyring 'persistent:0:0' not found
[root@auto-hv-01-guest07 ~]# ipa user-add --first test --last user tuser
Full name: 
ipa: ERROR: Could not get Full name interactively
[root@auto-hv-01-guest07 ~]# ipa user-add --first=test --last=user tuser
Full name: tuser
ipa: ERROR: did not receive Kerberos credentials
[root@auto-hv-01-guest07 ~]# kinit admin
Password for admin: 
[root@auto-hv-01-guest07 ~]# ipa user-add --first=test --last=user tuser --password
Password: 
Enter Password again to verify: 
------------------
Added user "tuser"
------------------
  User login: tuser
  First name: test
  Last name: user
  Full name: test user
  Display name: test user
  Initials: tu
  Home directory: /home/tuser
  GECOS: test user
  Login shell: /bin/sh
  Principal name: tuser
  Principal alias: tuser
  User password expiration: 20190515083728Z
  Email address: tuser
  UID: 701600001
  GID: 701600001
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
[root@auto-hv-01-guest07 ~]# ipa user-add --first=test --last=user
User login [tuser]: 
ipa: ERROR: user with name "tuser" already exists
[root@auto-hv-01-guest07 ~]# ipa user-add --first=test --last=user
User login [tuser]: tuser1
-------------------
Added user "tuser1"
-------------------
  User login: tuser1
  First name: test
  Last name: user
  Full name: test user
  Display name: test user
  Initials: tu
  Home directory: /home/tuser1
  GECOS: test user
  Login shell: /bin/sh
  Principal name: tuser1
  Principal alias: tuser1
  Email address: tuser1
  UID: 701600003
  GID: 701600003
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
[root@auto-hv-01-guest07 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@auto-hv-01-guest07 ~]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
[root@auto-hv-01-guest07 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@auto-hv-01-guest07 ~]# 
[root@auto-hv-01-guest07 ~]# ipa-server-install --uninstall -U
[root@auto-hv-01-guest07 ~]# rpm -q ipa-server
ipa-server-4.6.5-8.el7.x86_64
[root@auto-hv-01-guest07 ~]# tail -1 /var/log/ipaserver-install.log 
2019-05-15T09:19:34Z INFO The ipa-server-install command was successful
[root@auto-hv-01-guest07 ~]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
[root@auto-hv-01-guest07 ~]# umask
0022

Thus, on the basis of the above observations, marking status as 'VERIFIED'.

Comment 32 errata-xmlrpc 2019-08-06 13:09:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2241
