Bug 1545372 - [SPEC] rpm -V failures
Summary: [SPEC] rpm -V failures
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: systemd
Version: 7.6
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: David Tardon
QA Contact: Frantisek Sumsal
URL:
Whiteboard:
: 1572717 1671327 (view as bug list)
Depends On:
Blocks: 1716963 1719445
TreeView+ depends on / blocked
 
Reported: 2018-02-14 18:35 UTC by Frantisek Kluknavsky
Modified: 2020-03-31 20:02 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-03-31 20:02:09 UTC
Target Upstream Version:


Attachments (Terms of Use)
Patch to correct the specfile (1.20 KB, patch)
2019-04-26 16:55 UTC, Kyle Walker
no flags Details | Diff


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:1117 0 None None None 2020-03-31 20:02:49 UTC

Description Frantisek Kluknavsky 2018-02-14 18:35:18 UTC
Description of problem:
Permissions of a few files in freshly installed rhel 7.5 snap 3 do not match rpm database.

Version-Release number of selected component (if applicable):
http://download.eng.brq.redhat.com/rel-eng/RHEL-7.5-20180208.1/compose/Server/x86_64/
systemd-219-55.el7

How reproducible:
Seems 100%

Steps to Reproduce:
1. rpm -Va

Actual results:
.M.......  g /boot/initramfs-3.10.0-845.el7.x86_64.img
.M.......  c /etc/machine-id
.M.......  g /etc/udev/hwdb.bin
.M.......  g /var/lib/systemd/random-seed
[and more ...]

Expected results:
The same report as in 7.4 or less, not more failures. 

Additional info:
Look into the future and see audit tools screaming, certifications burning, people in despair...

Comment 2 Jan Synacek 2018-02-15 11:59:00 UTC
How is this a systemd problem?

Comment 3 Lukáš Nykrýn 2018-02-15 12:29:31 UTC
I think that there was no change in systemd that caused it. Same privileges are on rhel-7.4 as well. But the behaviour of rpm -V is different

Comment 4 Frantisek Kluknavsky 2018-02-15 14:36:48 UTC
Yes, in both 7.4 and 7.5 the real /etc/machine-id permissions are 444 and rpm database says 644. Systemd did not change between 7.4 and 7.5, rpm -V changed. I would still say it is a problem with systemd, simply because those files are owned by systemd.rpm. Or, at least I would expect systemd maintainers to know if this is intended and help reassign the report to the proper place. Pretty please, give me a hint if you know. Systemd-machine-id-setup, which is... still systemd? Anaconda?

It is quite invasive since every artifact based on rhel-7.5 which goes through a few basic checks must have these checks fixed.

Comment 5 Andrew Schorr 2018-05-30 17:46:05 UTC
I filed a bug about this against rpm (see closed bug #1583796), and the rpm maintainer Panu Matilainen said "please file bugs on the affected packages,
those %ghost permissions should be updated to match reality."

So please fix the systemd rpm spec file to set the correct permissions:

sh-4.2# rpm --verify -q systemd
.M.......  c /etc/machine-id
.M.......  g /etc/udev/hwdb.bin
.M.......  g /var/lib/systemd/random-seed
.M....G..  g /var/log/journal
sh-4.2# rpm -qlv systemd | egrep '/etc/machine-id|/etc/udev/hwdb.bin|/var/lib/systemd/random-seed|/var/log/journal'
-rw-r--r--    1 root    root                        0 Apr 11 03:36 /etc/machine-id
-rw-r--r--    1 root    root                        0 Apr 11 03:36 /etc/udev/hwdb.bin
-rw-r--r--    1 root    root                        0 Apr 11 03:36 /var/lib/systemd/random-seed
drwxr-xr-x    2 root    root                        0 Apr 11 03:36 /var/log/journal
sh-4.2# ls -ld /etc/machine-id /etc/udev/hwdb.bin /var/lib/systemd/random-seed /var/log/journal
-r--r--r--. 1 root root                 33 Feb 24 10:55 /etc/machine-id
-r--r--r--  1 root root            7780559 May 19 17:37 /etc/udev/hwdb.bin
-rw-------. 1 root root               1024 May 28 10:35 /var/lib/systemd/random-seed
drwxr-sr-x+ 3 root systemd-journal      60 Apr  4 13:00 /var/log/journal

It seems that rpm was patched between 7.4 and 7.5 to start reporting these inconsistencies.

Thanks,
Andy

Comment 6 Andrew Schorr 2018-12-06 16:48:14 UTC
In 7.6 (systemd-219-62.el7.x86_64), 3 of the 4 are fixed, but this one is still wrong:

sh-4.2# rpm --verify -q systemd
.M....G..  g /var/log/journal
sh-4.2# rpm -qlv systemd | fgrep /var/log/journal
drwxr-xr-x    2 root    root                        0 Oct 30 19:31 /var/log/journal
sh-4.2# ls -ld /var/log/journal
drwxr-sr-x+ 3 root systemd-journal 60 Apr  4  2018 /var/log/journal

Regards,
Andy

Comment 7 David Tardon 2019-01-31 13:18:13 UTC
*** Bug 1572717 has been marked as a duplicate of this bug. ***

Comment 8 David Tardon 2019-01-31 15:35:30 UTC
*** Bug 1671327 has been marked as a duplicate of this bug. ***

Comment 9 David Tardon 2019-01-31 15:37:36 UTC
Citing from bug 1671327 comment 2:

> .M....G..  g /var/log/journal
> 
> [root@localhost ~]# ls -ld /var/log/journal
> drwxr-sr-x+ 3 root systemd-journal 46 Jan 29 13:18 /var/log/journal

The SGID comes from a tmpfiles.d snippet:

# grep 2755 /usr/lib/tmpfiles.d/systemd.conf
z /run/log/journal 2755 root systemd-journal - -
z /var/log/journal 2755 root systemd-journal - -
z /var/log/journal/%m 2755 root systemd-journal - -

It is set so that everyone in the systemd-journal group gets access to the journal files. Also, systemd-journald itself then doesn't have to care about file permissions and doesn't have to do possible user/group lookups, which in turn (depending on the nsswitch.conf) might cause other services to use the journal, which would result in a deadlock.

Comment 10 Kyle Walker 2019-04-26 12:08:37 UTC
*** Bug 1671327 has been marked as a duplicate of this bug. ***

Comment 11 Kyle Walker 2019-04-26 16:55:02 UTC
Created attachment 1559288 [details]
Patch to correct the specfile

@David,

This is a bug. The tmpfiles configuration sets the file permissions to 2755 for /var/log/journal/ and subdirectories. 

    %ghost %dir %{_localstatedir}/log/journal

We need to change the definition in the specfile to the following to make sure it matches what is intended. On top of that, we will need to add the "%verify(not mode)" since extended ACLs are not currently supported [^1].

    %ghost %dir %attr(2755, root, systemd-journal) %verify(not mode) %{_localstatedir}/log/journal


Without this change, STIG compliance validation will fail after a reboot for the following high priority check [^2]. The reason why this is just now a problem is that rpm previously, incorrectly, didn't check %ghost attributes. This was investigated and corrected in later releases [^3].

With this patch included, I conducted the following test:

    # rpm -q systemd
    # rpm -V systemd
    # mkdir /var/log/journal
    # rpm -V systemd
    # systemctl reboot
    # rpm -V systemd

Results:

    # rpm -q systemd
    systemd-219-64.el7.rhbz1545372.x86_64
    
    # rpm -V systemd
    # mkdir /var/log/journal
    # rpm -V systemd
    ......G..  g /var/log/journal
    # systemctl reboot
    # rpm -V systemd


Without the above patch, the verification fails before and after the reboot when you create the /var/log/journal directory.

[^1]: 1184126 – RFE: support setting ACLs on packaged directories - https://bugzilla.redhat.com/show_bug.cgi?id=1184126
[^2]: https://rhel7stig.readthedocs.io/en/latest/high.html#v-71849-the-file-permissions-ownership-and-group-membership-of-system-files-and-commands-must-match-the-vendor-values-rhel-07-010010
[^3]: 1406611 – [RFE] Add 'rpm --noconfig' option to ignore %config files during 'rpm -Va' - https://bugzilla.redhat.com/show_bug.cgi?id=1406611

Comment 17 errata-xmlrpc 2020-03-31 20:02:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1117


Note You need to log in before you can comment on or make changes to this bug.