1506910 – File Permission set to 666 or 777(world writable files) on the yum cache files, these are reverted even after changing [rhel-7.4.z]

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1506910 - File Permission set to 666 or 777(world writable files) on the yum cache files, these are reverted even after changing [rhel-7.4.z]

Summary: File Permission set to 666 or 777(world writable files) on the yum cache file...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	rhnsd
Sub Component:
Version:	7.4
Hardware:	x86_64
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Tomáš Kašpárek
QA Contact:	Pavel Studeník
Docs Contact:
URL:
Whiteboard:
Depends On:	1489989
Blocks:
TreeView+	depends on / blocked

Reported:	2017-10-27 07:09 UTC by Oneata Mircea Teodor
Modified:	2021-06-10 13:22 UTC (History)
CC List:	12 users (show)
Fixed In Version:	rhnsd-5.0.13-7.3-el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:	1489989
Environment:
Last Closed:	2017-11-30 16:05:17 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2017:3323	0	normal	SHIPPED_LIVE	rhnsd bug fix update	2017-11-30 20:19:24 UTC

Description Oneata Mircea Teodor 2017-10-27 07:09:31 UTC

This bug has been copied from bug #1489989 and has been proposed to be backported to 7.4 z-stream (EUS).

Comment 3 Tomáš Kašpárek 2017-10-30 06:46:11 UTC


*** This bug has been marked as a duplicate of bug 1480306 ***

Comment 4 Tomáš Kašpárek 2017-10-30 06:58:15 UTC


*** This bug has been marked as a duplicate of bug 1489119 ***

Comment 5 Ron van der Wees 2017-10-31 08:56:38 UTC

(In reply to Tomáš Kašpárek from comment #3)
> 
> *** This bug has been marked as a duplicate of bug 1480306 ***

Reopening as I do *not* think this is a duplicate.
 
bz 1480306 and its z-stream bz 1489119 contains a fix to change the
permissions of the rhnsd.pid file but the process is still running with umask
set to 0.

This causes the sub processes to run with that same umask and thus the
rhn_check.pid but also the yum cache files are still world writeable!

From the latest available version:

# rpm -q rhnsd
rhnsd-5.0.13-7.1.el7_4.x86_64

# ls -la /run/rhn_check.pid 
-rwxrwxrwx. 1 root root 5 Oct 31 09:00 /run/rhn_check.pid
 ^^^^^^^^^                                  ^^^^^^^^^^^^^


# find /var/cache/yum -ls | grep "rw-rw-rw-"
4194886    4 -rw-rw-rw-   1 root     root          153 Oct 26 11:18 /var/cache/yum/x86_64/7Server/rhnplugin.repos
13350241 168916 -rw-rw-rw-   1 root     root     172966464 Oct 20 11:08 /var/cache/yum/x86_64/7Server/rhel-x86_64-server-7/gen/primary.xml
8451468    4 -rw-rw-rw-   1 root     root           15 Oct 26 11:18 /var/cache/yum/x86_64/7Server/rhel-x86_64-server-7/rhnversion
8451489    4 -rw-rw-rw-   1 root     root         1545 Oct 20 11:08 /var/cache/yum/x86_64/7Server/rhel-x86_64-server-7/repomd.xml
8451498    0 -rw-rw-rw-   1 root     root            0 Oct 26 11:18 /var/cache/yum/x86_64/7Server/rhel-x86_64-server-7/cachecookie
8451499  620 -rw-rw-rw-   1 root     root       634462 Oct 26 11:18 /var/cache/yum/x86_64/7Server/rhel-x86_64-server-7/comps.xml
8451500 2156 -rw-rw-rw-   1 root     root      2203757 Oct 20 11:08 /var/cache/yum/x86_64/7Server/rhel-x86_64-server-7/updateinfo.xml.gz
             ^^^^^^^^^^
...

Comment 8 Pavel Studeník 2017-11-08 14:19:44 UTC

Verified with rhnsd-5.0.13-7.3.el7_4.x86_64.rpm

Reproducer:

>> ls -la /run/rhn_check.pid 
-rwxr-xr-x. 1 root root 5  8. lis 06.09 /run/rhn_check.pid


rhnsd-5.0.13-7.1.el7_4.x86_64

1. only rhnsd has to run (no osad, rhn_check)
2. remove yum cache:
 >> rm -rf /var/cache/yum/x86_64/
3. create event for install or update package by webui
4. wait for rhnsd pick up task

All files repomd.xml have set "-rw-rw-rw-" file mode.

Comment 11 errata-xmlrpc 2017-11-30 16:05:17 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:3323

Comment 12 John Langbein 2018-07-17 17:48:10 UTC

This issue still exists in RHEL6 with rhnsd.x86_64 5.0.25-1.el6. Please fix

Comment 13 Tomas Lestach 2018-07-18 11:45:09 UTC

(In reply to John Langbein from comment #12)
> This issue still exists in RHEL6 with rhnsd.x86_64 5.0.25-1.el6. Please fix

Please open a ticket with Red Hat Support to open a RHEL6 BZ, if you see any issues. Based on my info this problem was never introduced in RHEL6 and the last released rhnsd version in RHEL6 is: rhnsd-4.9.3-6.el6

Comment 14 Tomáš Kašpárek 2018-07-18 11:48:44 UTC

(In reply to John Langbein from comment #12)
> This issue still exists in RHEL6 with rhnsd.x86_64 5.0.25-1.el6. Please fix

Judging by the rhnsd version you're using Spacewalk, this is Red Hat Satellite bugzilla so this bugzilla is not the best place to ask for Spacewalk fix ;-)

For Spacewalk this issue was fixed in rhnsd-5.0.32-1

Note You need to log in before you can comment on or make changes to this bug.