Bug 1710564

Note to QE:

For the sake of bug 1718362, please also verify the permissions of the certificates and their associated keys are preserved when they are copied to /etc/docker/certs.d/* .

Demonstrating the entitlement cert permissions prior the fix;
===========================================================
# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 2.3.17-1
subscription management rules: 5.35
subscription-manager: 1.24.6-1.el7

[root@kvm-01-guest19 ~]# subscription-manager list --installed
+-------------------------------------------+
    Installed Product Status
+-------------------------------------------+
Product Name:   Red Hat Enterprise Linux Server
Product ID:     69
Version:        7.7 Beta
Arch:           x86_64
Status:         Not Subscribed
Status Details: Not supported by a valid subscription.
Starts:         
Ends:           

[root@kvm-01-guest19 ~]# subscription-manager attach --auto
Installed Product Current Status:
Product Name: Red Hat Enterprise Linux Server
Status:       Subscribed

# ll /etc/pki/entitlement/
total 40
-rw-------. 1 root root  3243 Jun 21 16:34 2573374906780544159-key.pem
-rw-r--r--. 1 root root 33051 Jun 21 16:34 2573374906780544159.pem

make sure the attached entitlement certificates has type "containerimage" contents in them ( for testing entitlement permissions in /etc/docker/certs.d/* )

# rct cc /etc/pki/entitlement/2573374906780544159.pem | grep "containerimage" -A10 
	Type: containerimage
	Name: Red Hat Enterprise Linux 7 Server - Beta (Containers)
	Label: rhel-7-server-beta-container
	Vendor: Red Hat
	URL: /content/beta/rhel/server/7/x86_64/containers
	GPG: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

[root@kvm-01-guest19 ~]# ll -R /etc/docker/certs.d/*
/etc/docker/certs.d/access.redhat.com:
total 40
-rw-r--r--. 1 root root 33051 Jun 21 16:34 2573374906780544159.cert
-rw-------. 1 root root  3243 Jun 21 16:34 2573374906780544159.key

/etc/docker/certs.d/cdn.redhat.com:
total 44
-rw-r--r--. 1 root root 33051 Jun 21 16:34 2573374906780544159.cert
-rw-------. 1 root root  3243 Jun 21 16:34 2573374906780544159.key
-rw-r--r--. 1 root root  2305 May  9 17:01 redhat-entitlement-authority.crt

/etc/docker/certs.d/registry.access.redhat.com:
total 40
-rw-r--r--. 1 root root 33051 Jun 21 16:34 2573374906780544159.cert
-rw-------. 1 root root  3243 Jun 21 16:34 2573374906780544159.key

/etc/docker/certs.d/registry.redhat.io:
total 40
-rw-r--r--. 1 root root 33051 Jun 21 16:34 2573374906780544159.cert
-rw-------. 1 root root  3243 Jun 21 16:34 2573374906780544159.key

^ Notice the entitlement certs keys were not readable for all

Verifying the subscription-manager fix: 
========================================

Note: RHSM QE is only verifying the subscription-manager side fix (i.e the permission changes on the entitlement files ) in order to verify this bug.

[root@ibm-ls22-01 cdn.redhat.com]# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 2.3.17-1
subscription management rules: 5.35
subscription-manager: 1.24.12-1.el7

[root@ibm-ls22-01 cdn.redhat.com]# rpm -qa subscription-manager --changelog | grep 1710564
- 1710564: Make entitlement certs and keys world-readable (csnyder)

[root@ibm-ls22-01 cdn.redhat.com]# ll /etc/pki/entitlement/*
-rw-r--r--. 1 root root  3243 Jun 21 09:55 /etc/pki/entitlement/3890760403304945180-key.pem
-rw-r--r--. 1 root root  8323 Jun 21 09:55 /etc/pki/entitlement/3890760403304945180.pem
-rw-r--r--. 1 root root  3243 Jun 21 09:55 /etc/pki/entitlement/5079388093691356815-key.pem
-rw-r--r--. 1 root root 33034 Jun 21 09:55 /etc/pki/entitlement/5079388093691356815.pem

[root@ibm-ls22-01 cdn.redhat.com]# ll -R /etc/docker/certs.d/*
/etc/docker/certs.d/access.redhat.com:
total 56
-rw-r--r--. 1 root root  8323 Jun 21 09:55 3890760403304945180.cert
-rw-r--r--. 1 root root  3243 Jun 21 09:55 3890760403304945180.key
-rw-r--r--. 1 root root 33034 Jun 21 09:55 5079388093691356815.cert
-rw-r--r--. 1 root root  3243 Jun 21 09:55 5079388093691356815.key

/etc/docker/certs.d/cdn.redhat.com:
total 60
-rw-r--r--. 1 root root  8323 Jun 21 09:55 3890760403304945180.cert
-rw-r--r--. 1 root root  3243 Jun 21 09:55 3890760403304945180.key
-rw-r--r--. 1 root root 33034 Jun 21 09:55 5079388093691356815.cert
-rw-r--r--. 1 root root  3243 Jun 21 09:55 5079388093691356815.key
-rw-r--r--. 1 root root  2305 Jun 19 16:42 redhat-entitlement-authority.crt

/etc/docker/certs.d/redhat.com:
total 0
lrwxrwxrwx. 1 root root 27 Jun 21 07:37 redhat-ca.crt -> /etc/rhsm/ca/redhat-uep.pem

/etc/docker/certs.d/redhat.io:
total 0
lrwxrwxrwx. 1 root root 27 Jun 21 07:37 redhat-ca.crt -> /etc/rhsm/ca/redhat-uep.pem

/etc/docker/certs.d/registry.access.redhat.com:
total 56
-rw-r--r--. 1 root root  8323 Jun 21 09:55 3890760403304945180.cert
-rw-r--r--. 1 root root  3243 Jun 21 09:55 3890760403304945180.key
-rw-r--r--. 1 root root 33034 Jun 21 09:55 5079388093691356815.cert
-rw-r--r--. 1 root root  3243 Jun 21 09:55 5079388093691356815.key
lrwxrwxrwx. 1 root root    27 Jun 21 07:37 redhat-ca.crt -> /etc/rhsm/ca/redhat-uep.pem

/etc/docker/certs.d/registry.redhat.io:
total 56
-rw-r--r--. 1 root root  8323 Jun 21 09:55 3890760403304945180.cert
-rw-r--r--. 1 root root  3243 Jun 21 09:55 3890760403304945180.key
-rw-r--r--. 1 root root 33034 Jun 21 09:55 5079388093691356815.cert
-rw-r--r--. 1 root root  3243 Jun 21 09:55 5079388093691356815.key

Notice that ^^ entitlement files are now world readable.

Based on the above observations , moving the bug to verified.

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2008

*** Bug 1715228 has been marked as a duplicate of this bug. ***