1710564 – rootless unable to access subscription

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1710564 - rootless unable to access subscription

Summary: rootless unable to access subscription

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	subscription-manager
Sub Component:
Version:	7.7
Hardware:	All
OS:	Linux
Priority:	high
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	candlepin-bugs
QA Contact:	Red Hat subscription-manager QE Team
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1715228 (view as bug list)
Depends On:	1690514 1691544 1718384
Blocks:	1186913 1688348 1691543 1718378
TreeView+	depends on / blocked

Reported:	2019-05-15 19:23 UTC by Chris Snyder
Modified:	2023-12-15 16:30 UTC (History)
CC List:	22 users (show)
Fixed In Version:	subscription-manager-1.25.8-1
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:	1691544
Environment:
Last Closed:	2019-08-06 12:57:32 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	candlepin subscription-manager pull 2084	0	None	closed	1710564: Make entitlement certs and keys world-readable	2021-02-04 09:01:14 UTC
Red Hat Product Errata	RHBA-2019:2008	0	None	None	None	2019-08-06 12:57:43 UTC

Comment 6 Chris Snyder 2019-06-19 18:00:45 UTC

Note to QE:

For the sake of bug 1718362, please also verify the permissions of the certificates and their associated keys are preserved when they are copied to /etc/docker/certs.d/* .

Comment 7 Rehana 2019-06-21 13:48:20 UTC

Demonstrating the entitlement cert permissions prior the fix;
===========================================================
# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 2.3.17-1
subscription management rules: 5.35
subscription-manager: 1.24.6-1.el7

[root@kvm-01-guest19 ~]# subscription-manager list --installed
+-------------------------------------------+
    Installed Product Status
+-------------------------------------------+
Product Name:   Red Hat Enterprise Linux Server
Product ID:     69
Version:        7.7 Beta
Arch:           x86_64
Status:         Not Subscribed
Status Details: Not supported by a valid subscription.
Starts:         
Ends:           

[root@kvm-01-guest19 ~]# subscription-manager attach --auto
Installed Product Current Status:
Product Name: Red Hat Enterprise Linux Server
Status:       Subscribed

# ll /etc/pki/entitlement/
total 40
-rw-------. 1 root root  3243 Jun 21 16:34 2573374906780544159-key.pem
-rw-r--r--. 1 root root 33051 Jun 21 16:34 2573374906780544159.pem

make sure the attached entitlement certificates has type "containerimage" contents in them ( for testing entitlement permissions in /etc/docker/certs.d/* )

# rct cc /etc/pki/entitlement/2573374906780544159.pem | grep "containerimage" -A10 
	Type: containerimage
	Name: Red Hat Enterprise Linux 7 Server - Beta (Containers)
	Label: rhel-7-server-beta-container
	Vendor: Red Hat
	URL: /content/beta/rhel/server/7/x86_64/containers
	GPG: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

[root@kvm-01-guest19 ~]# ll -R /etc/docker/certs.d/*
/etc/docker/certs.d/access.redhat.com:
total 40
-rw-r--r--. 1 root root 33051 Jun 21 16:34 2573374906780544159.cert
-rw-------. 1 root root  3243 Jun 21 16:34 2573374906780544159.key

/etc/docker/certs.d/cdn.redhat.com:
total 44
-rw-r--r--. 1 root root 33051 Jun 21 16:34 2573374906780544159.cert
-rw-------. 1 root root  3243 Jun 21 16:34 2573374906780544159.key
-rw-r--r--. 1 root root  2305 May  9 17:01 redhat-entitlement-authority.crt

/etc/docker/certs.d/registry.access.redhat.com:
total 40
-rw-r--r--. 1 root root 33051 Jun 21 16:34 2573374906780544159.cert
-rw-------. 1 root root  3243 Jun 21 16:34 2573374906780544159.key

/etc/docker/certs.d/registry.redhat.io:
total 40
-rw-r--r--. 1 root root 33051 Jun 21 16:34 2573374906780544159.cert
-rw-------. 1 root root  3243 Jun 21 16:34 2573374906780544159.key

^ Notice the entitlement certs keys were not readable for all

Comment 8 Rehana 2019-06-21 14:05:41 UTC

Verifying the subscription-manager fix: 
========================================

Note: RHSM QE is only verifying the subscription-manager side fix (i.e the permission changes on the entitlement files ) in order to verify this bug.

[root@ibm-ls22-01 cdn.redhat.com]# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 2.3.17-1
subscription management rules: 5.35
subscription-manager: 1.24.12-1.el7

[root@ibm-ls22-01 cdn.redhat.com]# rpm -qa subscription-manager --changelog | grep 1710564
- 1710564: Make entitlement certs and keys world-readable (csnyder)

[root@ibm-ls22-01 cdn.redhat.com]# ll /etc/pki/entitlement/*
-rw-r--r--. 1 root root  3243 Jun 21 09:55 /etc/pki/entitlement/3890760403304945180-key.pem
-rw-r--r--. 1 root root  8323 Jun 21 09:55 /etc/pki/entitlement/3890760403304945180.pem
-rw-r--r--. 1 root root  3243 Jun 21 09:55 /etc/pki/entitlement/5079388093691356815-key.pem
-rw-r--r--. 1 root root 33034 Jun 21 09:55 /etc/pki/entitlement/5079388093691356815.pem

[root@ibm-ls22-01 cdn.redhat.com]# ll -R /etc/docker/certs.d/*
/etc/docker/certs.d/access.redhat.com:
total 56
-rw-r--r--. 1 root root  8323 Jun 21 09:55 3890760403304945180.cert
-rw-r--r--. 1 root root  3243 Jun 21 09:55 3890760403304945180.key
-rw-r--r--. 1 root root 33034 Jun 21 09:55 5079388093691356815.cert
-rw-r--r--. 1 root root  3243 Jun 21 09:55 5079388093691356815.key

/etc/docker/certs.d/cdn.redhat.com:
total 60
-rw-r--r--. 1 root root  8323 Jun 21 09:55 3890760403304945180.cert
-rw-r--r--. 1 root root  3243 Jun 21 09:55 3890760403304945180.key
-rw-r--r--. 1 root root 33034 Jun 21 09:55 5079388093691356815.cert
-rw-r--r--. 1 root root  3243 Jun 21 09:55 5079388093691356815.key
-rw-r--r--. 1 root root  2305 Jun 19 16:42 redhat-entitlement-authority.crt

/etc/docker/certs.d/redhat.com:
total 0
lrwxrwxrwx. 1 root root 27 Jun 21 07:37 redhat-ca.crt -> /etc/rhsm/ca/redhat-uep.pem

/etc/docker/certs.d/redhat.io:
total 0
lrwxrwxrwx. 1 root root 27 Jun 21 07:37 redhat-ca.crt -> /etc/rhsm/ca/redhat-uep.pem

/etc/docker/certs.d/registry.access.redhat.com:
total 56
-rw-r--r--. 1 root root  8323 Jun 21 09:55 3890760403304945180.cert
-rw-r--r--. 1 root root  3243 Jun 21 09:55 3890760403304945180.key
-rw-r--r--. 1 root root 33034 Jun 21 09:55 5079388093691356815.cert
-rw-r--r--. 1 root root  3243 Jun 21 09:55 5079388093691356815.key
lrwxrwxrwx. 1 root root    27 Jun 21 07:37 redhat-ca.crt -> /etc/rhsm/ca/redhat-uep.pem

/etc/docker/certs.d/registry.redhat.io:
total 56
-rw-r--r--. 1 root root  8323 Jun 21 09:55 3890760403304945180.cert
-rw-r--r--. 1 root root  3243 Jun 21 09:55 3890760403304945180.key
-rw-r--r--. 1 root root 33034 Jun 21 09:55 5079388093691356815.cert
-rw-r--r--. 1 root root  3243 Jun 21 09:55 5079388093691356815.key

Notice that ^^ entitlement files are now world readable.

Based on the above observations , moving the bug to verified.

Comment 10 errata-xmlrpc 2019-08-06 12:57:32 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2008

Comment 11 Rehana 2020-02-27 18:05:35 UTC

*** Bug 1715228 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.

atomic-bugs
avroy
bcourt
bgurney
candlepin-bugs
cdonnell
csnyder
dornelas
dwalsh
gscrivan
imcleod
jligon
jsefler
lsm5
mheon
mmcgrath
qcai
redakkan
rhsm-qe
rjerrido
smccarty
thoger