Bug 1702488
| Summary: | python-twisted-core expected file permissions in package don't match final runtime permissions | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Ryan Mullett <rmullett> |
| Component: | python-twisted-core | Assignee: | Lumír Balhar <lbalhar> |
| Status: | CLOSED ERRATA | QA Contact: | Dita Stehlikova <dstehlik> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.6 | CC: | dstehlik, hhorak, lbalhar, pviktori, vdanek |
| Target Milestone: | rc | Keywords: | Patch |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | Cause: Different file permissions in RPM and runtime for /usr/lib64/python2.7/site-packages/twisted/plugins/dropin.cache. Consequence: STIG audit might fail. Fix: Fixed permissions in RPM. Result: Problem fixed. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-03-31 19:47:06 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1716961 | | |

Description
Ryan Mullett
2019-04-23 22:23:38 UTC
The file /usr/lib64/python2.7/site-packages/twisted/plugins/dropin.cache is in RPM created by touch and has permissions 644 but the same file is regenerated in %post section with 755 permissions. That's the reason why there are different permissions set in RPM package and after its installation. Assuming that the permissions are set correctly by the script in %post section (because it uses Twisted internals), I've created a patch to change permissions to the same level for the empty file after it's created in %install phase.

This bug can be easily fixed for RHEL 7.8.
https://src.osci.redhat.com/fork/lbalhar/rpms/python-twisted-core/c/3936407f993cca5099c25298fb60b222c4d30816?branch=rhel-7.7

Scratch build: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=21959000

I did a test with reproducer after an upgrade and also fresh install and both look good.

Just from curiosity, the file permissions can be also set in the %files section:
-%ghost %{python_sitearch}/twisted/plugins/dropin.cache
+%attr(0755,root,root) %ghost %{python_sitearch}/twisted/plugins/dropin.cache
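Review bot: The `%attr(0755,root,root)` on the `+` line puts execute bits on `dropin.cache`, which this report describes as a cache file first created with `touch`, and the only reason given for 0755 is that the %post regeneration produces that mode. State that reason in a spec comment directly above this `%files` entry so the mode is not later changed back to 0644, and consider whether the %post step could instead leave the regenerated file at 0644, so that packaged and runtime modes agree without execute bits.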
Not sure whether there is a real difference in the result when it is done in the %install section.
Anyway, it would be better to have a comment in the spec why the special permissions are needed.
(In reply to Honza Horak from comment #7)
> Just from curiosity, the file permissions can be also set in the %files
> section:
>
> -%ghost %{python_sitearch}/twisted/plugins/dropin.cache
> +%attr(0755,root,root) %ghost %{python_sitearch}/twisted/plugins/dropin.cache
>
> Not sure whether there is a real difference in the result, when done it in
> %install section.

I didn't know about this. %attr solution might look cleaner but the classic chmod solution is also pretty common.

> Anyway, it would be better to have a comment in the spec why the special
> permissions are needed.

The comment is there. Do you think it might seem incomplete?
https://src.osci.redhat.com/rpms/python-twisted-core/blob/rhel-7.8/f/python-twisted-core.spec#_91

I don't think that any kind of special test is needed here because the problem was discovered by `rpm -V`. It might make sense to check all RPMs with that command? Lukáši, what do you mean about it?

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1065
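The `rpm -V` check suggested in the thread, as an added example that is not part of the original bug report or the package's own tooling: a shell filter that picks permission (mode) mismatches out of verify output. The function names, the sample lines and every path other than `dropin.cache` are constructed for illustration.

```shell
#!/bin/sh
# Added example: filter `rpm -V` / `rpm -Va` output for permission (mode) drift.
# On RHEL 7 each verify line is a 9-character flag field (order SM5DLUGTP),
# an optional one-letter file attribute (c=config, d=doc, g=ghost, l=license,
# r=readme), then the path. Position 2 is "M" when the on-disk mode differs
# from the mode recorded in the RPM database.

mode_mismatches() {
    # Reads verify output on stdin; prints "<attr-or-dash> <path>" per mismatch.
    awk '
        $1 == "missing"         { next }   # absent files carry no flag field
        length($1) != 9         { next }   # not a verify flag field
        substr($1, 2, 1) != "M" { next }   # mode matches (".") or untested ("?")
        {
            attr = "-"
            rest = $0
            sub(/^[^ \t]+[ \t]+/, "", rest)     # drop the flag field
            if (rest ~ /^[cdglr][ \t]+\//) {    # optional attribute marker
                attr = substr(rest, 1, 1)
                sub(/^[cdglr][ \t]+/, "", rest)
            }
            print attr, rest                    # path kept intact, spaces included
        }'
}

# Constructed sample in rpm -V format (not captured from a real host).
sample_verify_output() {
    cat <<'EOF'
.M.......  g /usr/lib64/python2.7/site-packages/twisted/plugins/dropin.cache
S.5....T.  c /etc/example.conf
missing     /usr/share/doc/example/README
.M....G..    /var/lib/example/state
EOF
}

# On a real system: rpm -Va 2>/dev/null | mode_mismatches
sample_verify_output | mode_mismatches
```

A `g` in the first column marks a `%ghost` file such as `dropin.cache`, where the packaged mode comes from the spec rather than from a file shipped in the payload.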