1691544 – rootless unable to access subscription

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1691544 - rootless unable to access subscription

Summary: rootless unable to access subscription

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	subscription-manager
Sub Component:
Version:	8.0
Hardware:	All
OS:	Linux
Priority:	high
Severity:	medium
Target Milestone:	rc
Target Release:	8.1
Assignee:	Jiri Hnidek
QA Contact:	Red Hat subscription-manager QE Team
Docs Contact:
URL:
Whiteboard:
Depends On:	1690514 1718384
Blocks:	1186913 1691543 1710564 1718915 1734574
TreeView+	depends on / blocked

Reported:	2019-03-21 20:59 UTC by Qian Cai
Modified:	2020-11-14 10:25 UTC (History)
CC List:	21 users (show)
Fixed In Version:	subscription-manager-1.25.11-1
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:	1690514
Clones:	1710564 1927920 (view as bug list)
Environment:
Last Closed:	2019-11-05 22:15:36 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	candlepin subscription-manager pull 2084	0	'None'	closed	1710564: Make entitlement certs and keys world-readable	2021-02-11 20:03:48 UTC
Red Hat Product Errata	RHBA-2019:3561	0	None	None	None	2019-11-05 22:15:59 UTC

Comment 1 Chris Snyder 2019-03-22 15:53:17 UTC

Was the last step "subscription-manager ?:  chmod o+r /etc/pki/entitlement/1939799096719564946-key.pem" necessary for you to successfully access your subscription?

My suspicion is that the issue in access to the subscription was that podman was not mounting the directory to which we expect entitlements to be written to from the host.
As such I highly doubt there is anything that should be changed in subscription-manager.

We shouldn't be making the entitlement certs accessible to all others. They should remain readable by root only.

Comment 2 Qian Cai 2019-03-22 16:01:22 UTC

(In reply to Chris Snyder from comment #1)
> Was the last step "subscription-manager ?:  chmod o+r
> /etc/pki/entitlement/1939799096719564946-key.pem" necessary for you to
> successfully access your subscription?

Yes, it is necessary.

Comment 3 Daniel Walsh 2019-03-22 16:39:52 UTC

If you need the subscription key file in order to install packages inside of a RHEL container, 
then in order to use it for rootless users, it needs to be readable by them.
As a compromize could we make it readable to a group.  Say create an imagebuilders group.
Then the admin could add any users to that group to be able to build from it.

I don't think this is an issue with non-rootless containers, since we are actually 
copying the content into the container images at container creation time.

What is the risk of a non privileged user getting access to this file?

Comment 10 Daniel Walsh 2019-04-05 13:25:17 UTC

Ok so we need to get an updated subsriptions-manager package that adds a "packager" group, And then sets the ownership of the certs to 
740 root packager

Comment 12 Daniel Walsh 2019-04-17 20:26:27 UTC

So can we just revert the change made back in 2011 to make this not world readable, and get this into 8.1 release?  Or earlier.

Comment 17 Maxim Burgerhout 2019-05-29 13:07:04 UTC

Was trying this out the other day. I ran into the fact that I both had to o+r the entitlement file, *and* make /var/run/rhsm world writable (for a cert.pid file). Not pretty, but at least it works after. 

This was on a newly deployed VM from Sat65:

buildah unshare
newcontainer=$(buildah from scratch)
scratchmnt=$(buildah mount $newcontainer)
dnf install --installroot $scratchmnt bash
Unable to detect release version (use '--releasever' to specify release version)
Updating Subscription Management repositories.
Unable to read consumer identity
2019-05-29 10:17:47,328 [ERROR] dnf:13951:MainThread @lock.py:152 - [Errno 13] Permission denied: '/var/run/rhsm/cert/var/rhsm/cert.pid'
Traceback (most recent call last):
  File "/usr/lib64/python3.6/site-packages/subscription_manager/lock.py", line 132, in acquire
    f.open()
  File "/usr/lib64/python3.6/site-packages/subscription_manager/lock.py", line 41, in open
    self.fp = open(self.path, 'w')
PermissionError: [Errno 13] Permission denied: '/var/run/rhsm/cert.pid'
could not create lock
2019-05-29 10:17:47,329 [INFO] dnf:13951:MainThread @connection.py:924 - Connection built: host=sat6cast.deployment6.lan port=443 handler=/rhsm auth=identity_cert ca_dir=/etc/rhsm/ca/ insecure=False
2019-05-29 10:17:47,330 [INFO] dnf:13951:MainThread @entcertlib.py:131 - certs updated:
Total updates: 0
Found (local) serial# []
Expected (UEP) serial# []
Added (new)
  <NONE>
Deleted (rogue):
  <NONE>
2019-05-29 10:17:47,377 [INFO] dnf:13951:MainThread @connection.py:638 - Response: status=200, request="GET /rhsm/status"
2019-05-29 10:17:47,378 [ERROR] dnf:13951:MainThread @lock.py:152 - [Errno 13] Permission denied: '/var/run/rhsm/cert.pid'
Traceback (most recent call last):
  File "/usr/lib64/python3.6/site-packages/subscription_manager/lock.py", line 132, in acquire
    f.open()
  File "/usr/lib64/python3.6/site-packages/subscription_manager/lock.py", line 41, in open
    self.fp = open(self.path, 'w')
PermissionError: [Errno 13] Permission denied: '/var/run/rhsm/cert.pid'
could not create lock
2019-05-29 10:17:47,379 [INFO] dnf:13951:MainThread @repolib.py:464 - repos updated: Repo updates
Total repo updates: 0
Updated
    <NONE>
Added (new)
    <NONE>
Deleted
    <NONE>
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)                                             0.0  B/s |   0  B     00:00    
Error: Failed to synchronize cache for repo 'rhel-8-for-x86_64-appstream-rpms'

Comment 18 Maxim Burgerhout 2019-06-02 12:07:22 UTC

Unsure what happened there, but I had some mislabeled files, and relabeling makes the dnf operation work now. There's still an ugly error around cert.pid, but it's no longer blocking.

Comment 23 Rehana 2019-06-27 10:09:24 UTC

Demonstrating the on RHEL8 GA , the entitlement certs were not world readable 
==========================================================================

# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 2.3.17-1
subscription management rules: 5.35
subscription-manager: 1.23.8-35.el8

[root@kvm-04-guest01 ~]# subscription-manager register --serverurl=subscription.rhsm.stage.redhat.com --baseurl=https://cdn.stage.redhat.com --auto-attach --username=qa
Registering to: subscription.rhsm.stage.redhat.com:443/subscription
Password: 
The system has been registered with ID: f6dca38b-932c-4e9a-965b-fa200fca550e
The registered system name is: kvm-04-guest01.lab.eng.rdu2.redhat.com
Installed Product Current Status:
Product Name: Red Hat Enterprise Linux for x86_64
Status:       Subscribed

[root@kvm-04-guest01 ~]# yum repolist
Updating Subscription Management repositories.
Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)                                                                                                                           2.9 MB/s | 8.2 MB     00:02    
Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs)                                                                                                                              3.6 MB/s | 5.5 MB     00:01    
Last metadata expiration check: 0:00:01 ago on Thursday 27 June 2019 05:51:00 AM EDT.
repo id                                                                                   repo name                                                                                                          status
rhel-8-for-x86_64-appstream-rpms                                                          Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)                                                           5,702
rhel-8-for-x86_64-baseos-rpms                                                             Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs)                                                              2,053

[root@kvm-04-guest01 ~]# ll /etc/pki/entitlement/*
-rw-------. 1 root root   3243 Jun 27 05:50 /etc/pki/entitlement/537910463050905418-key.pem
-rw-r--r--. 1 root root 130259 Jun 27 05:50 /etc/pki/entitlement/537910463050905418.pem

^^ notice the file dont have world readable permissions.
switch to a non-root user :

[root@kvm-04-guest01 ~]# su test
[test@kvm-04-guest01 ~]$ yum repolist
Not root, Subscription Management repositories not updated
Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)                                                                                                                           0.0  B/s |   0  B     00:01    
Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs)                                                                                                                              0.0  B/s |   0  B     00:00    
Failed to synchronize cache for repo 'rhel-8-for-x86_64-appstream-rpms', ignoring this repo.
Failed to synchronize cache for repo 'rhel-8-for-x86_64-baseos-rpms', ignoring this repo.

^^ notice yum repolist failed 

Let's update the subscription-manager to the latest
==================================================

[root@kvm-04-guest01 ~]# yum update subscription-manager --quiet -y

[root@kvm-04-guest01 ~]# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 2.3.17-1
subscription management rules: 5.35
subscription-manager: 1.25.11-1.el8

[root@kvm-04-guest01 ~]# ll /etc/pki/entitlement/*
-rw-------. 1 root root   3243 Jun 27 05:50 /etc/pki/entitlement/537910463050905418-key.pem
-rw-r--r--. 1 root root 130259 Jun 27 05:50 /etc/pki/entitlement/537910463050905418.pem

^^ Notice its not world-readable (as this is earlier entitlement cert that was installed on the system) 

let's refresh and check the permissions 

[root@kvm-04-guest01 ~]# subscription-manager refresh
1 local certificate has been deleted.
All local data refreshed

[root@kvm-04-guest01 ~]# ll /etc/pki/entitlement/*
-rw-r--r--. 1 root root   3243 Jun 27 06:01 /etc/pki/entitlement/1979860778236487299-key.pem
-rw-r--r--. 1 root root 130259 Jun 27 06:01 /etc/pki/entitlement/1979860778236487299.pem

^^ new entitlement cert were downloaded but this time with world-readable permissions.

Observed that with the lastest subscription manager installed, entitlement certs are now world-readable. 

Based on the above observations , moving the bug to verified.

Comment 25 errata-xmlrpc 2019-11-05 22:15:36 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3561

Note You need to log in before you can comment on or make changes to this bug.

akostadi
atomic-bugs
bcourt
cdonnell
csnyder
dornelas
dwalsh
gscrivan
imcleod
jhnidek
jligon
jsefler
lsm5
mburgerh
mheon
mmcgrath
pthomas
redakkan
rjerrido
smccarty
thoger