Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 1577525 - Incorrect permissions on IPA-installed files when UMASK not default
Summary: Incorrect permissions on IPA-installed files when UMASK not default
Keywords:
Status: CLOSED DUPLICATE of bug 1485217
Alias: None
Product: Fedora
Classification: Fedora
Component: freeipa
Version: 28
Hardware: x86_64
OS: Linux
unspecified
low
Target Milestone: ---
Assignee: IPA Maintainers
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-05-12 18:16 UTC by Jan
Modified: 2018-05-14 14:47 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-05-14 14:47:25 UTC
Type: Bug


Attachments (Terms of Use)

Description Jan 2018-05-12 18:16:29 UTC
Description of problem:
When installing FreeIPA on a system where UMASK is non-default removing rwx access to "other", one can not log in to the IPA server web portal due to incorrect permissions on IPA-installed certificates and other content.

Version-Release number of selected component (if applicable):
4.6.90.pre1-6.1.fc28

How reproducible:
permanent issue, if UMASK was incorrect during installation

Steps to Reproduce:
1. change UMASK to 0007 ("umask 0007")
2. install IPA normally (I used a script with the command line "/usr/sbin/ipa-server-install --mkhomedir --no-ntp --idstart=20000 --idmax=39999 --no-ui-redirect")
3. open a browser and navigate to https://<hostname>/ipa/ui and log in.

Actual results:
The login fails due to an "unknown reason".  Apache access_log provides an HTTP 500 error.  error_log states that one of the files cannot be accessed (e.g. /var/lib/ipa-client/pki/ca-bundle.pem).  Changing permissions will yield the next file on the next attempt.

Expected results:
When running an automation routine like ipa-server-install, it shall take care of setting file permissions itself and shall not rely on a system's UMASK to do it.

Additional info:
Regression:
Installing the shipped version of FreeIPA on a system with the above UMASK worked on Fedora 26, but stopped working on Fedora 27 (however, I did not investigate the reasons back then, but remained on F26 instead).

Comment 1 Rob Crittenden 2018-05-14 14:47:25 UTC

*** This bug has been marked as a duplicate of bug 1485217 ***


Note You need to log in before you can comment on or make changes to this bug.