1564432 – Mismatches in %ghost file modes

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1564432 - Mismatches in %ghost file modes

Summary: Mismatches in %ghost file modes

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ca-certificates
Sub Component:
Version:	7.6
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Bob Relyea
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Duplicates (3):	1571236 1583796 1622251 (view as bug list)
Depends On:
Blocks:	1594286 1845849
TreeView+	depends on / blocked

Reported:	2018-04-06 09:17 UTC by Jan Blazek
Modified:	2024-03-25 15:03 UTC (History)
CC List:	16 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	1845849 (view as bug list)
Environment:
Last Closed:	2020-09-09 19:21:52 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Jan Blazek 2018-04-06 09:17:52 UTC

Description of problem:

New version of rpm started to report false negative verification errors for packages containing ghost files.

# rpm -q rpm
rpm-4.11.3-25.el7.x86_64
# rpm -V  ca-certificates
# echo $?
0
# rpm -q ca-certificates
ca-certificates-2017.2.14-71.el7.noarch

# rpm -q rpm
rpm-4.11.3-32.el7.x86_64
# rpm -V ca-certificates
.M.......  g /etc/pki/ca-trust/extracted/java/cacerts
.M.......  g /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
.M.......  g /etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem
.M.......  g /etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
.M.......  g /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
# echo $?
1
# rpm -q ca-certificates
ca-certificates-2017.2.14-71.el7.noarch

Comment 2 Panu Matilainen 2018-04-06 09:40:16 UTC

Actually this is not a false negative, it's just that rpm never verified *any* aspects of %ghost files and as a side-effect of bug 1406611 it now does. Mode, which is the failing thing with ca-certificates, is one of the few things of %ghost files that *can* be meaningfully verified. It's ca-certificates whose 
permissions differ between the package and what gets extracted (this is from Fedora package so details might differ, the issue is the same):

[root@sopuli ~]# ls -l /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt-r--r--r--. 1 root root 261947 Feb 21 10:22 /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
[root@sopuli ~]# rpm -qlv ca-certificates|grep /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt|head -1
-rw-r--r--    1 root    root                        0 Feb  6 15:48 /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt

And that's why rpm now complains. The problem is that --noghost doesn't work so you can't easily filter it out.

Comment 3 Panu Matilainen 2018-05-30 08:32:14 UTC

See above, not a bug in rpm but intentional behavior change. So it's the affected packages that need fixing, reassigning to ca-certificates.

Comment 4 Panu Matilainen 2018-05-30 08:34:14 UTC

*** Bug 1583796 has been marked as a duplicate of this bug. ***

Comment 5 Kai Engert (:kaie) (inactive account) 2018-06-01 15:32:24 UTC

The differences aren't limited to the file permission.

The sizes differ, too, because we package an empty file. After installation, the file contents is dynamically created based on system configuration. So it's impossible to package the exact state the file will have on the configured system.

I believe you are asking for a fix to the file permission. Currently, one side has "user rw", and the other side has "user r" permissions.

I locally used chmod 644 to change the permissions of the file to the permissions that are used inside the package.

Afterwards, rpm --verify still complains that the file was modified.

Is the request of this bug that "rpm --verify ca-certificates" should return no differences? I think this cannot be achieved.

Comment 6 Andrew Schorr 2018-06-01 17:02:52 UTC

That's strange. I cannot duplicate your result:

bash# rpm --verify -q ca-certificates
.M.......  g /etc/pki/ca-trust/extracted/java/cacerts
.M.......  g /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
.M.......  g /etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem
.M.......  g /etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
.M.......  g /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
bash# chmod 0644 /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
bash# rpm --verify -q ca-certificates
.M.......  g /etc/pki/ca-trust/extracted/java/cacerts
.M.......  g /etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem
.M.......  g /etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
.M.......  g /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

Notice that it no longer complains about the file whose mode I fixed.
What do you see?

Regards,
Andy

Comment 7 Kai Engert (:kaie) (inactive account) 2018-06-01 18:39:03 UTC

Thanks for doublechecking. Yes indeed, the one fixed file is no longer being reported as modified, I hadn't looked carefully enough.

I can get that fixed in Rawhide soon. What's the priority to get this fixed elsewhere?

Comment 8 Panu Matilainen 2018-06-04 07:51:55 UTC

(In reply to Kai Engert (:kaie) from comment #5)
> The differences aren't limited to the file permission.
> 
> The sizes differ, too, because we package an empty file. After installation,
> the file contents is dynamically created based on system configuration. So
> it's impossible to package the exact state the file will have on the
> configured system.

Obviously actual content checks, including size, do not make sense for %ghost files and thus they are skipped automatically. However when the file is actually present, mode, user+group can sanely be verified even for %ghost's, and making sure they match between seems like a good thing to avoid eg security-related surprises.

Comment 9 Kai Engert (:kaie) (inactive account) 2018-06-04 13:36:54 UTC

Fixed for Fedora Rawhide 29:
  ca-certificates-2018.2.24-3.fc29
  https://koji.fedoraproject.org/koji/taskinfo?taskID=27414322

Experimental update for Fedora 28:
  ca-certificates-2018.2.24-1.1.fc28
  https://koji.fedoraproject.org/koji/taskinfo?taskID=27414698

Comment 13 Kai Engert (:kaie) (inactive account) 2018-08-13 10:10:06 UTC

*** Bug 1571236 has been marked as a duplicate of this bug. ***

Comment 15 Kai Engert (:kaie) (inactive account) 2018-09-13 18:34:26 UTC

*** Bug 1622251 has been marked as a duplicate of this bug. ***

Comment 19 Andrew Schorr 2018-12-06 17:57:03 UTC

FYI, this is still broken in 7.6:

sh-4.2# rpm -q ca-certificates
ca-certificates-2018.2.22-70.0.el7_5.noarch
sh-4.2# rpm --verify -q ca-certificates
.M.......  g /etc/pki/ca-trust/extracted/java/cacerts
.M.......  g /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
.M.......  g /etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem
.M.......  g /etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
.M.......  g /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
sh-4.2# rpm -qlv ca-certificates | awk '$5 == 0 && $9 ~ /^\/etc\/pki\/ca-trust\/extracted.*(\.pem|crt|cacerts)/'
-rw-r--r--    1 root    root                        0 May 16  2018 /etc/pki/ca-trust/extracted/java/cacerts
-rw-r--r--    1 root    root                        0 May 16  2018 /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
-rw-r--r--    1 root    root                        0 May 16  2018 /etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem
-rw-r--r--    1 root    root                        0 May 16  2018 /etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
-rw-r--r--    1 root    root                        0 May 16  2018 /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
sh-4.2# rpm -qlv ca-certificates | awk '$5 == 0 && $9 ~ /^\/etc\/pki\/ca-trust\/extracted.*(\.pem|crt|cacerts)/ {print $9}' | xargs ls -ld
-r--r--r-- 1 root root 154279 May 19  2018 /etc/pki/ca-trust/extracted/java/cacerts
-r--r--r-- 1 root root 257889 May 19  2018 /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
-r--r--r-- 1 root root 177221 May 19  2018 /etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem
-r--r--r-- 1 root root      0 May 19  2018 /etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
-r--r--r-- 1 root root 211658 May 19  2018 /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

Regards,
Andy

Comment 20 Simo Sorce 2019-02-11 15:39:48 UTC

This issue was not selected to be included either in Red Hat Enterprise Linux 7.7 because it is seen either as low or moderate impact to a small amount of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available. We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.

Comment 21 Kyle Walker 2019-04-26 14:19:47 UTC

@Simo,

I'm re-opening this bug report, please feel free to reach out to me directly if you would like to discuss directly. The issue here is actually _not_ a low priority instance. The RPM attributes mismatching result in a High priority STIG compliance issue due to the following:

    https://rhel7stig.readthedocs.io/en/latest/high.html#v-71849-the-file-permissions-ownership-and-group-membership-of-system-files-and-commands-must-match-the-vendor-values-rhel-07-010010

    Warning: The above link is to a source that are not authored by Red Hat directly. As such, Red Hat support cannot verify its accuracy and content.

Any STIG secure environment will fail the above high priority check, which we ship in our oscap-security-guide validation mechanism.

Comment 22 James Ralston 2019-04-26 17:58:06 UTC

(In reply to Kyle Walker from comment #21)
> @Simo,
> 
> I'm re-opening this bug report, please feel free to reach out to me directly
> if you would like to discuss directly. The issue here is actually _not_ a
> low priority instance. The RPM attributes mismatching result in a High
> priority STIG compliance issue due to the following:
> 
>    
> https://rhel7stig.readthedocs.io/en/latest/high.html#v-71849-the-file-
> permissions-ownership-and-group-membership-of-system-files-and-commands-must-
> match-the-vendor-values-rhel-07-010010
> 
>     Warning: The above link is to a source that are not authored by Red Hat
> directly. As such, Red Hat support cannot verify its accuracy and content.
> 
> Any STIG secure environment will fail the above high priority check, which
> we ship in our oscap-security-guide validation mechanism.

Speaking as someone who has been filing Bugzilla bugs and support requests over RPM attribute mismatches for several years now, for the exact same reason (violations of STIG ID RHEL-07-010010, which we are required to care about), I 100% agree.

But the problem is deeper than just a single package:

$ sudo stig-check -s STIG-RHEL7-V2R2 -v
RHEL-07-010010,CAT I,permissions/owner/group-owner of /etc/sssd/sssd.conf differ (.....UG..) from RPM database
RHEL-07-010010,CAT I,permissions/owner/group-owner of /run/lsm differ (.M....G..) from RPM database
RHEL-07-010010,CAT I,permissions/owner/group-owner of /run/lsm/ipc differ (.M....G..) from RPM database
RHEL-07-010010,CAT I,permissions/owner/group-owner of /usr/sbin/netreport differ (.M.......) from RPM database
RHEL-07-010010,CAT I,permissions/owner/group-owner of /usr/sbin/usernetctl differ (.M.......) from RPM database
RHEL-07-010010,CAT I,permissions/owner/group-owner of /var/lib/PackageKit/transactions.db differ (.M.......) from RPM database
RHEL-07-010010,CAT I,permissions/owner/group-owner of /var/lock/iscsi differ (.M.......) from RPM database
RHEL-07-010010,CAT I,permissions/owner/group-owner of /var/lock/iscsi/lock differ (.M.......) from RPM database
RHEL-07-010010,CAT I,permissions/owner/group-owner of /var/log/dmesg differ (.M.......) from RPM database
RHEL-07-010010,CAT I,permissions/owner/group-owner of /var/log/dmesg.old differ (.M.......) from RPM database

(stig-check is a utility we wrote internally, because we needed to be able to perform a scan-load-scan process and diff the results in a consistent and automated manner, and we couldn't figure out how to do that with oscap.)

Depending when in the point release cycle I file the Bugzilla or support request, it can take close to a year to get a mismatched package corrected.

Even worse, Red Hat seems to create new packages with mismatched attributes just as quickly (if not more so) than I can get known packages corrected. For example, sssd was not previously a violation, but RHEL 7.5 updated to sssd-1.16.0-19.el7, which repackaged certain files formerly owned by root:root to sssd:sssd, which will always violate RHEL-07-010010. (/etc/sssd/sssd.conf is packaged as sssd:sssd, but unless it is owned by root:root, sssd refuses to start!)

To give credit where credit is due, out of all Linux distributions, Red Hat Enterprise Linux is probably the best in terms of caring about customers who require SSH and/or STIG compliance. For that, we are grateful.

But there is still much room for improvement here. The fact that Red Hat keeps creating *new* packages with RPM attribute mismatches indicates clearly that either the package QA process doesn't check RPM attributes at all, or else the QA process does check, but no one cares.

Testing for RPM attribute mismatches needs to be a component of the package QA process, and a violation (e.g., your package fails "rpm --verify" once installed/activated on a host) must cause the candidate package to fail the QA process. Then (and only then) will packagers comply, and stop producing packages with RPM attribute mismatches.

Comment 23 Simo Sorce 2019-08-20 08:35:48 UTC

Bob any chance we can include this bug in the ca-certificate rebases planned for Q3 ?

Comment 24 Bob Relyea 2019-08-20 22:43:09 UTC

They aren't in my tree ready to push, but since we haven't got the acks on the required bugs, but I can certainly add them. (Except rhel 7.4 which is already pushed). It was pushed from rhel 7.7 because of QA resources.

Note You need to log in before you can comment on or make changes to this bug.