Bug 1691544 - rootless unable to access subscription
Summary: rootless unable to access subscription
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: subscription-manager
Version: 8.0
Hardware: All
OS: Linux
high
medium
Target Milestone: rc
Target Release: 8.1
Assignee: Jiri Hnidek
QA Contact: Red Hat subscription-manager QE Team
URL:
Whiteboard:
Depends On: 1690514 1718384
Blocks: 1186913 1718915 1691543 1710564 1734574
Reported: 2019-03-21 20:59 UTC by Qian Cai
Modified: 2019-11-05 22:16 UTC (History)

Fixed In Version: subscription-manager-1.25.11-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1690514
Clones: 1710564
Environment:
Last Closed: 2019-11-05 22:15:36 UTC
Type: Bug
Target Upstream Version:

Links
System ID Priority Status Summary Last Updated
Github candlepin subscription-manager pull 2084 'None' closed 1710564: Make entitlement certs and keys world-readable 2020-04-02 09:42:11 UTC
Red Hat Product Errata RHBA-2019:3561 None None None 2019-11-05 22:15:59 UTC

Comment 1 Chris Snyder 2019-03-22 15:53:17 UTC
Was the last step "subscription-manager ?:  chmod o+r /etc/pki/entitlement/1939799096719564946-key.pem" necessary for you to successfully access your subscription?

My suspicion is that the issue in access to the subscription was that podman was not mounting the directory to which we expect entitlements to be written to from the host.
As such I highly doubt there is anything that should be changed in subscription-manager.

We shouldn't be making the entitlement certs accessible to all others. They should remain readable by root only.

Comment 2 Qian Cai 2019-03-22 16:01:22 UTC
(In reply to Chris Snyder from comment #1)
> Was the last step "subscription-manager ?:  chmod o+r
> /etc/pki/entitlement/1939799096719564946-key.pem" necessary for you to
> successfully access your subscription?

Yes, it is necessary.

Comment 3 Daniel Walsh 2019-03-22 16:39:52 UTC
If you need the subscription key file in order to install packages inside of a RHEL container, 
then in order to use it for rootless users, it needs to be readable by them.
As a compromise, could we make it readable to a group? Say, create an imagebuilders group.
Then the admin could add any users to that group to be able to build from it.

I don't think this is an issue with non-rootless containers, since we are actually 
copying the content into the container images at container creation time.

What is the risk of a non privileged user getting access to this file?

Comment 10 Daniel Walsh 2019-04-05 13:25:17 UTC
Ok, so we need to get an updated subscription-manager package that adds a "packager" group, and then sets the ownership of the certs to
740 root packager

Comment 12 Daniel Walsh 2019-04-17 20:26:27 UTC
So can we just revert the change made back in 2011 to make this not world readable, and get this into 8.1 release?  Or earlier.

Comment 17 Maxim Burgerhout 2019-05-29 13:07:04 UTC
Was trying this out the other day. I ran into the fact that I both had to o+r the entitlement file, *and* make /var/run/rhsm world writable (for a cert.pid file). Not pretty, but at least it works after. 

This was on a newly deployed VM from Sat65:

buildah unshare
newcontainer=$(buildah from scratch)
scratchmnt=$(buildah mount $newcontainer)
dnf install --installroot $scratchmnt bash
Unable to detect release version (use '--releasever' to specify release version)
Updating Subscription Management repositories.
Unable to read consumer identity
2019-05-29 10:17:47,328 [ERROR] dnf:13951:MainThread @lock.py:152 - [Errno 13] Permission denied: '/var/run/rhsm/cert/var/rhsm/cert.pid'
Traceback (most recent call last):
  File "/usr/lib64/python3.6/site-packages/subscription_manager/lock.py", line 132, in acquire
    f.open()
  File "/usr/lib64/python3.6/site-packages/subscription_manager/lock.py", line 41, in open
    self.fp = open(self.path, 'w')
PermissionError: [Errno 13] Permission denied: '/var/run/rhsm/cert.pid'
could not create lock
2019-05-29 10:17:47,329 [INFO] dnf:13951:MainThread @connection.py:924 - Connection built: host=sat6cast.deployment6.lan port=443 handler=/rhsm auth=identity_cert ca_dir=/etc/rhsm/ca/ insecure=False
2019-05-29 10:17:47,330 [INFO] dnf:13951:MainThread @entcertlib.py:131 - certs updated:
Total updates: 0
Found (local) serial# []
Expected (UEP) serial# []
Added (new)
  <NONE>
Deleted (rogue):
  <NONE>
2019-05-29 10:17:47,377 [INFO] dnf:13951:MainThread @connection.py:638 - Response: status=200, request="GET /rhsm/status"
2019-05-29 10:17:47,378 [ERROR] dnf:13951:MainThread @lock.py:152 - [Errno 13] Permission denied: '/var/run/rhsm/cert.pid'
Traceback (most recent call last):
  File "/usr/lib64/python3.6/site-packages/subscription_manager/lock.py", line 132, in acquire
    f.open()
  File "/usr/lib64/python3.6/site-packages/subscription_manager/lock.py", line 41, in open
    self.fp = open(self.path, 'w')
PermissionError: [Errno 13] Permission denied: '/var/run/rhsm/cert.pid'
could not create lock
2019-05-29 10:17:47,379 [INFO] dnf:13951:MainThread @repolib.py:464 - repos updated: Repo updates
Total repo updates: 0
Updated
    <NONE>
Added (new)
    <NONE>
Deleted
    <NONE>
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)                                             0.0  B/s |   0  B     00:00    
Error: Failed to synchronize cache for repo 'rhel-8-for-x86_64-appstream-rpms'

Comment 18 Maxim Burgerhout 2019-06-02 12:07:22 UTC
Unsure what happened there, but I had some mislabeled files, and relabeling makes the dnf operation work now. There's still an ugly error around cert.pid, but it's no longer blocking.

Comment 23 Rehana 2019-06-27 10:09:24 UTC
Demonstrating that on RHEL8 GA, the entitlement certs were not world readable
==========================================================================

# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 2.3.17-1
subscription management rules: 5.35
subscription-manager: 1.23.8-35.el8

[root@kvm-04-guest01 ~]# subscription-manager register --serverurl=subscription.rhsm.stage.redhat.com --baseurl=https://cdn.stage.redhat.com --auto-attach --username=qa@redhat.com
Registering to: subscription.rhsm.stage.redhat.com:443/subscription
Password: 
The system has been registered with ID: f6dca38b-932c-4e9a-965b-fa200fca550e
The registered system name is: kvm-04-guest01.lab.eng.rdu2.redhat.com
Installed Product Current Status:
Product Name: Red Hat Enterprise Linux for x86_64
Status:       Subscribed

[root@kvm-04-guest01 ~]# yum repolist
Updating Subscription Management repositories.
Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)                                                                                                                           2.9 MB/s | 8.2 MB     00:02    
Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs)                                                                                                                              3.6 MB/s | 5.5 MB     00:01    
Last metadata expiration check: 0:00:01 ago on Thursday 27 June 2019 05:51:00 AM EDT.
repo id                                                                                   repo name                                                                                                          status
rhel-8-for-x86_64-appstream-rpms                                                          Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)                                                           5,702
rhel-8-for-x86_64-baseos-rpms                                                             Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs)                                                              2,053

[root@kvm-04-guest01 ~]# ll /etc/pki/entitlement/*
-rw-------. 1 root root   3243 Jun 27 05:50 /etc/pki/entitlement/537910463050905418-key.pem
-rw-r--r--. 1 root root 130259 Jun 27 05:50 /etc/pki/entitlement/537910463050905418.pem

^^ notice the files don't have world-readable permissions.
Switch to a non-root user:

[root@kvm-04-guest01 ~]# su test
[test@kvm-04-guest01 ~]$ yum repolist
Not root, Subscription Management repositories not updated
Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)                                                                                                                           0.0  B/s |   0  B     00:01    
Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs)                                                                                                                              0.0  B/s |   0  B     00:00    
Failed to synchronize cache for repo 'rhel-8-for-x86_64-appstream-rpms', ignoring this repo.
Failed to synchronize cache for repo 'rhel-8-for-x86_64-baseos-rpms', ignoring this repo.

^^ notice yum repolist failed

Let's update the subscription-manager to the latest
==================================================

[root@kvm-04-guest01 ~]# yum update subscription-manager --quiet -y

[root@kvm-04-guest01 ~]# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 2.3.17-1
subscription management rules: 5.35
subscription-manager: 1.25.11-1.el8

[root@kvm-04-guest01 ~]# ll /etc/pki/entitlement/*
-rw-------. 1 root root   3243 Jun 27 05:50 /etc/pki/entitlement/537910463050905418-key.pem
-rw-r--r--. 1 root root 130259 Jun 27 05:50 /etc/pki/entitlement/537910463050905418.pem

^^ Notice it's not world-readable (as this is the earlier entitlement cert that was installed on the system)

Let's refresh and check the permissions

[root@kvm-04-guest01 ~]# subscription-manager refresh
1 local certificate has been deleted.
All local data refreshed

[root@kvm-04-guest01 ~]# ll /etc/pki/entitlement/*
-rw-r--r--. 1 root root   3243 Jun 27 06:01 /etc/pki/entitlement/1979860778236487299-key.pem
-rw-r--r--. 1 root root 130259 Jun 27 06:01 /etc/pki/entitlement/1979860778236487299.pem

^^ new entitlement certs were downloaded, but this time with world-readable permissions.

Observed that with the latest subscription-manager installed, entitlement certs are now world-readable.

Based on the above observations, moving the bug to verified.
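An added check (not from the bug, and not part of subscription-manager) that automates the `ll /etc/pki/entitlement/*` inspection above: it classifies each file the way the thread discusses (owner-only, group-readable as in the 740 root:packager proposal from comment 10, or world-readable) and flags world-readable private keys, which comment 1 argued should stay root-only. It assumes GNU coreutils `stat`; the directory is a parameter so it can be tried on a scratch directory.

```shell
#!/bin/bash
# Added example: audit which entitlement files a rootless user could read.

# classify_file PATH -> prints one of:
#   world-readable-key, world-readable-cert, group-readable, owner-only
classify_file() {
  perm=$(stat -c '%A' "$1") || return 1           # e.g. -rw-r--r--
  case "$1" in *-key.pem) kind=key ;; *) kind=cert ;; esac
  case "$perm" in
    ???????r??) echo "world-readable-$kind" ;;     # others have read (o+r)
    ????r?????) echo "group-readable" ;;           # group read only (740 root:packager style)
    *)          echo "owner-only" ;;               # 600-style, owner (root) only
  esac
}

# audit_dir [DIR] -> one line per *.pem: "mode owner group verdict path".
# Returns 1 if any private key is world-readable, so it can gate a hardening check.
audit_dir() {
  dir="${1:-/etc/pki/entitlement}"
  rc=0
  for f in "$dir"/*.pem; do
    [ -e "$f" ] || continue
    verdict=$(classify_file "$f")
    printf '%s %s %s\n' "$(stat -c '%a %U %G' "$f")" "$verdict" "$f"
    [ "$verdict" = world-readable-key ] && rc=1
  done
  return $rc
}

# count_world_readable_keys [DIR] -> number of *-key.pem files readable by others
count_world_readable_keys() {
  n=0
  for f in "${1:-/etc/pki/entitlement}"/*-key.pem; do
    [ -e "$f" ] || continue
    [ "$(classify_file "$f")" = world-readable-key ] && n=$((n + 1))
  done
  echo "$n"
}
```

Run `audit_dir` with no argument on a registered host to see the same 600/644 vs 644/644 split that comment 23 shows before and after the update.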

Comment 25 errata-xmlrpc 2019-11-05 22:15:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3561
