Description of problem: File permissions from the rpm do not match the runtime permissions on several files. This results in mode failures on rpm -Va. Most noticed on systems in which DISA STIG is being performed and file permissions should not be less than the rpm provides or it is considered a finding during an audit. Important for government users and contractors who will be performing DISA STIG. Version-Release number of selected component (if applicable): 389-ds-base-1.3.8.4-23.el7_6.x86_64 How reproducible: Always Steps to Reproduce: 1. # yum install 389-ds-base 2. # rpm -V 389-ds-base (or scan with openscap using DISA STIG, which will perform an rpm -Va) Actual results: The following files have permissions that are more permissive than the rpm provides: /etc/dirsrv /etc/dirsrv/config /etc/dirsrv/schema /var/lib/dirsrv /var/lock/dirsrv Expected results: The file permissions provided via rpm should match the final runtime permissions (or they should be less restrictive on the rpm than the runtime permissions, which would not result in a finding). Additional info: The following output shows what it "should be" according to the rpm, as well as what it "actually is" after the package has been installed. This could be resolved by using the proper permissions in the spec file, so that rpm -Va will not flag on these files, or the actual source files could have permissions changed to match what they are after installation. From rpm: 389-ds-base-1.3.8.4-23.el7_6.x86_64 /etc/dirsrv SHOULD BE: 644 ACTUALLY IS: 775 --------------------------- From rpm: 389-ds-base-1.3.8.4-23.el7_6.x86_64 /etc/dirsrv/config SHOULD BE: 644 ACTUALLY IS: 755 --------------------------- From rpm: 389-ds-base-1.3.8.4-23.el7_6.x86_64 /etc/dirsrv/schema SHOULD BE: 644 ACTUALLY IS: 755 --------------------------- From rpm: 389-ds-base-1.3.8.4-23.el7_6.x86_64 /var/lib/dirsrv SHOULD BE: 755 ACTUALLY IS: 775 --------------------------- From rpm: 389-ds-base-1.3.8.4-23.el7_6.x86_64 /var/lock/dirsrv SHOULD BE: 755 ACTUALLY IS: 770 ---------------------------
Build tested: 389-ds-base-1.3.10.2-1.el7.x86_64 Permission fix is present in package. 'rpm -V 389-ds-base' does not report any discrepancies and permissions of directories are as they should be. Marking as VERIFIED.
Build tested: 389-ds-base-1.3.10.2-3.el7.x86_64 After instance is created, 'rpm -V' reports dicrepancies: # rpm -V 389-ds-base ......G.. /etc/dirsrv .M...UG.. g /var/lock/dirsrv Moving to ASSIGNED.
Conflict with 389-admin was resolved, new version of 389-admin has updated file permissions too. 389-admin-1.46-3.el7dsrv also depends on a newer version of 389-ds-base, so that the dependency resolution is solved automatically: ============================================================================================================================================================================= Package Arch Version Repository Size ============================================================================================================================================================================= Updating: 389-admin x86_64 1.1.46-3.el7dsrv RHDS-10.6-RHEL-7-DirectoryServer 392 k 389-ds-base x86_64 1.3.10.2-6.el7 rhel7-latest 1.7 M Updating for dependencies: 389-ds-base-libs x86_64 1.3.10.2-6.el7 rhel7-latest 713 k 389-ds-base-snmp x86_64 1.3.10.2-6.el7 rhel7-latest-optional 179 k Transaction Summary ============================================================================================================================================================================= Upgrade 2 Packages (+2 Dependent packages) Total download size: 3.0 M Is this ok [y/d/N]: Marking as VERIFIED.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (389-ds-base bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:3894