Bug 1729215 - cert-fix : detect and prevent pkidbuser being used as --agent-uid
Summary: cert-fix : detect and prevent pkidbuser being used as --agent-uid
Status: ASSIGNED
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: pki-core
Version: 8.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: 8.3
Assignee: Dinesh Prasanth
QA Contact: PKI QE
Florian Delehaye
Reported: 2019-07-11 15:29 UTC by Geetika Kapoor
Modified: 2019-12-13 18:00 UTC (History)

Fixed In Version: pki-core-10.6-8010020190723222539.8ba0ffbe
Doc Type: Known Issue
Doc Text:
.Using the `cert-fix` utility with the `--agent-uid pkidbuser` option breaks Certificate System

Using the `cert-fix` utility with the `--agent-uid pkidbuser` option corrupts the LDAP configuration of Certificate System. As a consequence, Certificate System might become unstable and manual steps are required to recover the system.
Type: Bug



Description Geetika Kapoor 2019-07-11 15:29:13 UTC
Description of problem:

The cert-fix CLI, if used with pkidbuser (which is part of the 'Certificate Manager Agents' group):

If we run:

# pki-server cert-fix --ldapi-socket /var/run/slapd-EXAMPLE-COM.socket --agent-uid pkidbuser  --extra-cert 6 --debug 5

Here we have put pkidbuser in place of admin, so the command fails with:

INFO: Starting the instance
Job for pki-tomcatd@pki-tomcat.service failed because a timeout was exceeded.
See "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.
INFO: Selftests enabled for subsystems: ca
INFO: Restoring previous LDAP configuration
ERROR: Command: systemctl start pki-tomcatd@pki-tomcat.service

Later, if we run the right command, the system goes into a state from which it is not recovered.

# pki-server cert-fix --ldapi-socket /var/run/slapd-EXAMPLE-COM.socket --agent-uid admin  --extra-cert 6


INFO: Starting the instance
Job for pki-tomcatd@pki-tomcat.service failed because a timeout was exceeded.
See "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.
INFO: Selftests enabled for subsystems: ca
INFO: Restoring previous LDAP configuration
ERROR: Command: systemctl start pki-tomcatd@pki-tomcat.service


Version-Release number of selected component (if applicable):

RHEL 8.1

How reproducible:

Always

Steps to Reproduce:
1. pki-server cert-fix --ldapi-socket /var/run/slapd-EXAMPLE-COM.socket --agent-uid pkidbuser  --extra-cert 6 --debug 5

Actual results:

The system is in a state where password.conf and CS.cfg get corrupted.
Manual steps need to be done to recover the system, as mentioned here: https://bugzilla.redhat.com/show_bug.cgi?id=1696849#c10

Expected results:

In case of failures, the system should go back to its original state.

Additional info:

Comment 1 Dinesh Prasanth 2019-07-11 20:14:43 UTC
Fixed via PR: https://github.com/dogtagpki/pki/pull/229

Verification procedure: as mentioned by OP.

Acceptance criteria:
# pki-server cert-fix --agent-uid pkidbuser -i pkitest
ERROR: 'pkidbuser' cannot be used.

Comment 3 Geetika Kapoor 2019-07-30 13:10:55 UTC
This currently works by checking for a particular username, which is pkidbuser.
If, while configuring, we change the default value of pkidbuser, which we can set using: pki_share_dbuser_dn=uid=pkidbuser,ou=people,o=%(pki_instance_name)s-CA

As a user, if I have configured it with pkidbuser1, this fix will no longer work.

IMO, in place of just looking for a particular user in the code, it's better to check based on group permissions for that user.
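
The guard from the acceptance criteria in Comment 1, extended along the lines of Comment 3 so that it does not depend on the literal name pkidbuser: this is an added example in Python, not pki-server's own code, and it derives the reserved account from the instance's configured pki_share_dbuser_dn. The configuration sample, the key layout and the function names (parse_config, check_agent_uid) are assumptions for the example; it stops short of the LDAP group check Comment 3 proposes.

```python
import re

# Constructed sample of pkispawn/CS.cfg-style settings (hypothetical layout;
# a real instance keeps its bind DN under its own keys). The operator has
# renamed the database user away from the default "pkidbuser".
SAMPLE_CONFIG = """
pki_instance_name=pki-tomcat
pki_share_dbuser_dn=uid=pkidbuser1,ou=people,o=%(pki_instance_name)s-CA
"""

def parse_config(text):
    """Parse key=value lines, then expand %(key)s references against the same file."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    for key, value in list(cfg.items()):
        cfg[key] = re.sub(r"%\((\w+)\)s",
                          lambda m: cfg.get(m.group(1), m.group(0)), value)
    return cfg

def uid_from_dn(dn):
    """Return the value of the leading uid= RDN of a DN, or None if absent."""
    first_rdn = dn.split(",", 1)[0]
    m = re.match(r"^\s*uid\s*=\s*(.+?)\s*$", first_rdn, re.IGNORECASE)
    return m.group(1) if m else None

def reserved_uids(cfg):
    """Names that must never be passed as --agent-uid: the default DB user
    plus whatever this instance actually configured as its DB user."""
    names = {"pkidbuser"}
    db_uid = uid_from_dn(cfg.get("pki_share_dbuser_dn", ""))
    if db_uid:
        names.add(db_uid)
    return names

def check_agent_uid(agent_uid, cfg):
    """Return (ok, message). Refuse the LDAP service account before any
    LDAP or password.conf change is made, so there is nothing to roll back."""
    if agent_uid.lower() in {n.lower() for n in reserved_uids(cfg)}:
        return False, "ERROR: '%s' cannot be used." % agent_uid
    return True, "OK: '%s' accepted as agent" % agent_uid

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for uid in ("pkidbuser", "pkidbuser1", "admin"):
        print(check_agent_uid(uid, cfg)[1])
```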

Comment 4 Dinesh Prasanth 2019-07-30 14:32:49 UTC
@Geetika,

The current solution will reduce the chances of messing up the PKI/IPA environment. 

Your suggestion may require more analysis before implementation. Since we have it documented that `pkidbuser` should not be used, I am leaning towards moving the efforts to 8.2 or 8.3.

Comment 6 Dinesh Prasanth 2019-08-08 14:25:50 UTC
@Marc,

Thanks for looking into this. I have some minor corrections as below:

.Using the `cert-fix` utility with the `--agent-uid pkidbuser` option breaks Certificate System

Using the `cert-fix` utility with the `--agent-uid pkidbuser` option corrupts the LDAP configuration. As a consequence, Certificate System might be rendered unstable and manual steps will be required to recover the system.

Comment 7 Geetika Kapoor 2019-08-13 15:30:58 UTC
We have documented this bug as an exception. Should we keep it for fixing in the future, or close this and raise a new bug?
We can't have an assigned bug in Errata, I think. Please suggest.

