Bug 1896715
| Summary: | subscription certificate file access permissions with non default umask | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Kenny Tordeurs <ktordeur> |
| Component: | subscription-manager | Assignee: | William Poteat <wpoteat> |
| Status: | CLOSED ERRATA | QA Contact: | Red Hat subscription-manager QE Team <rhsm-qe> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | | |
| Version: | 7.9 | CC: | arpandey, csnyder, jreznik, jsefler, redakkan, rjerrido |
| Target Milestone: | rc | Keywords: | EasyFix, Triaged, ZStream |
| Target Release: | --- | Flags: | pm-rhel: mirror+ |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1951050 (view as bug list) | Environment: | |
| Last Closed: | 2021-04-27 11:35:33 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Kenny Tordeurs
2020-11-11 11:02:02 UTC
~~~
To fix this we need to add a permission change command to the certificate
write function in certificate.py.
Now it looks like:

    def write(self, pem_path):
        """
        Write the certificate.
        :param pem_path: The path to the .pem file.
        :type pem_path: str
        :return: self
        :rtype :class:`Certificate`
        """
        # Plain open() creates the file with mode 0666 & ~umask, so a
        # restrictive umask (e.g. 077) yields a cert other users cannot read.
        f = open(pem_path, 'w')
        f.write(self.toPEM())
        self.path = pem_path
        f.close()
        return self

It should be changed to:

    import os  # module-level import needed for os.chmod

    def write(self, pem_path):
        """
        Write the certificate.
        :param pem_path: The path to the .pem file.
        :type pem_path: str
        :return: self
        :rtype :class:`Certificate`
        """
        f = open(pem_path, 'w')
        f.write(self.toPEM())
        self.path = pem_path
        f.close()
        # Force 0644 regardless of the caller's umask.
        os.chmod(pem_path, 0o644)
        return self
~~~
https://github.com/candlepin/subscription-manager/pull/2084/files
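As an added illustration (not code from the bug report or from subscription-manager), the umask-dependent writer beside a writer that pins the mode; `write_pem_umask_dependent`, `write_pem_fixed_mode`, `demo` and the placeholder PEM text are this example's own names and constructed input. It pins the mode with fchmod on the open descriptor rather than the chmod-after-close shown in the description, so the file never exists with the wrong permissions.

```python
import os
import stat
import tempfile

# Constructed placeholder PEM body, not a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
ENTITLEMENT_MODE = 0o644  # rw for owner, r for group and other, as the bug requires


def write_pem_umask_dependent(pem_path, pem_text):
    """Pre-fix behaviour: plain open()+write(), so the mode ends up 0o666 & ~umask."""
    with open(pem_path, "w") as f:
        f.write(pem_text)


def write_pem_fixed_mode(pem_path, pem_text, mode=ENTITLEMENT_MODE):
    """Fixed behaviour: pin the mode explicitly so the caller's umask cannot
    leave the certificate unreadable to unprivileged yum users."""
    # os.open() also applies the umask to `mode`, so fchmod() on the open
    # descriptor is what really sets it; doing it before writing any data
    # avoids a window where the file exists with the wrong permissions.
    fd = os.open(pem_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "w") as f:
        os.fchmod(fd, mode)
        f.write(pem_text)


def file_mode(path):
    """Permission bits of `path` as an int, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)


def demo(umask_value):
    """Write a PEM with each writer under `umask_value`; return (old_mode, fixed_mode)."""
    previous = os.umask(umask_value)
    try:
        with tempfile.TemporaryDirectory() as d:
            old_path = os.path.join(d, "old.pem")
            fixed_path = os.path.join(d, "fixed.pem")
            write_pem_umask_dependent(old_path, SAMPLE_PEM)
            write_pem_fixed_mode(fixed_path, SAMPLE_PEM)
            return file_mode(old_path), file_mode(fixed_path)
    finally:
        os.umask(previous)  # never leave the process umask changed


if __name__ == "__main__":
    for um in (0o022, 0o077):
        old_mode, fixed_mode = demo(um)
        print("umask %03o: old writer -> %o, fixed writer -> %o" % (um, old_mode, fixed_mode))
```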
The permissions for entitlement certificates are EXPLICITLY set to:
- read/write for user
- read for group
- read for other

In order to support rootless containers (which IIRC, launched with RHEL 8.2). See https://bugzilla.redhat.com/show_bug.cgi?id=1691544

That is, regardless of the user's umask setting, users should not expect subscription-manager to honor it for entitlement certificates. Permissions for entitlement certificates MUST always be set to 0644.

Early testing on scratch build: subscription-manager-1.24.46-1.el7_9.x86_64.rpm
Reproducing issue on RHEL 7.9-
[root@hpe-dl360egen8-01 ~]# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 3.2.14-1
subscription management rules: 5.41
subscription-manager: 1.24.42-1.el7
[root@hpe-dl360egen8-01 ~]# ls -al /etc/pki/entitlement/
total 72
drwxr-xr-x. 2 root root 72 Mar 25 06:04 .
drwxr-xr-x. 13 root root 179 Mar 24 04:17 ..
-rw-r--r--. 1 root root 3247 Mar 25 06:04 5621399731116493694-key.pem
-rw-r--r--. 1 root root 68021 Mar 25 06:04 5621399731116493694.pem
[root@hpe-dl360egen8-01 ~]#
[root@hpe-dl360egen8-01 ~]# rm -f /etc/pki/entitlement/*
[root@hpe-dl360egen8-01 ~]# umask 022
[root@hpe-dl360egen8-01 ~]# subscription-manager refresh
All local data refreshed
[root@hpe-dl360egen8-01 ~]#
[root@hpe-dl360egen8-01 ~]# ls -al /etc/pki/entitlement/
total 72
drwxr-xr-x. 2 root root 72 Mar 25 06:05 .
drwxr-xr-x. 13 root root 179 Mar 24 04:17 ..
-rw-r--r--. 1 root root 3247 Mar 25 06:05 5621399731116493694-key.pem
-rw-r--r--. 1 root root 68021 Mar 25 06:05 5621399731116493694.pem
[root@hpe-dl360egen8-01 ~]#
[root@hpe-dl360egen8-01 ~]# rm -f /etc/pki/entitlement/*
[root@hpe-dl360egen8-01 ~]# umask 077
[root@hpe-dl360egen8-01 ~]# subscription-manager refresh
All local data refreshed
[root@hpe-dl360egen8-01 ~]#
[root@hpe-dl360egen8-01 ~]# ls -al /etc/pki/entitlement/
total 72
drwxr-xr-x. 2 root root 72 Mar 25 06:06 .
drwxr-xr-x. 13 root root 179 Mar 24 04:17 ..
-rw-r--r--. 1 root root 3247 Mar 25 06:06 5621399731116493694-key.pem
-rw-------. 1 root root 68021 Mar 25 06:06 5621399731116493694.pem
^^^^------------read permission for users denied
[testuser@hpe-dl360egen8-01 ~]$ yum info zsh
Loaded plugins: product-id, search-disabled-repos, subscription-manager
Error loading certificate: [Errno 13] Permission denied: '/etc/pki/entitlement/5621399731116493694.pem' <<<<<<<< Permission denied for testuser
Repo rhel-7-server-rpms forced skip_if_unavailable=True due to: /etc/pki/entitlement/5621399731116493694.pem
Available Packages
Name : zsh
Arch : x86_64
Version : 5.0.2
Release : 34.el7_8.2
Size : 2.4 M
Repo : rhel-7-server-rpms/7Server/x86_64
Summary : Powerful interactive shell
URL : http://zsh.sourceforge.net/
License : MIT
Description : The zsh shell is a command interpreter usable as an interactive login
: shell and as a shell script command processor. Zsh resembles the ksh
: shell (the Korn shell), but includes many enhancements. Zsh supports
: command line editing, built-in spelling correction, programmable
: command completion, shell functions (with autoloading), a history
: mechanism, and more
=================================================================================================
Verifying fix on scratch build:
[root@hpe-dl360egen8-01 /]# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 3.2.14-1
subscription management rules: 5.41
subscription-manager: 1.24.46-1.el7_9
[root@hpe-dl360egen8-01 /]# rpm -qa --changelog subscription-manager | grep 1896715
- 1896715: Set proper read permissions on certs (#2466) (wpoteat)
[root@hpe-dl360egen8-01 /]#
[root@hpe-dl360egen8-01 /]#
[root@hpe-dl360egen8-01 /]# rm -f /etc/pki/entitlement/*
[root@hpe-dl360egen8-01 /]# umask 022
[root@hpe-dl360egen8-01 /]# subscription-manager refresh
All local data refreshed
[root@hpe-dl360egen8-01 /]#
[root@hpe-dl360egen8-01 /]# ls -al /etc/pki/entitlement/
total 72
drwxr-xr-x. 2 root root 72 Mar 25 07:49 .
drwxr-xr-x. 13 root root 179 Mar 24 04:17 ..
-rw-r--r--. 1 root root 3247 Mar 25 07:49 5621399731116493694-key.pem
-rw-r--r--. 1 root root 68021 Mar 25 07:49 5621399731116493694.pem
[root@hpe-dl360egen8-01 /]#
[root@hpe-dl360egen8-01 /]# rm -f /etc/pki/entitlement/*
[root@hpe-dl360egen8-01 /]# umask 077
[root@hpe-dl360egen8-01 /]# subscription-manager refresh
All local data refreshed
[root@hpe-dl360egen8-01 /]# ls -al /etc/pki/entitlement/
total 72
drwxr-xr-x. 2 root root 72 Mar 25 07:50 .
drwxr-xr-x. 13 root root 179 Mar 24 04:17 ..
-rw-r--r--. 1 root root 3247 Mar 25 07:50 5621399731116493694-key.pem
-rw-r--r--. 1 root root 68021 Mar 25 07:50 5621399731116493694.pem <<<< permissions set to 644
[testuser@hpe-dl360egen8-01 ~]$ yum info zsh
Loaded plugins: product-id, search-disabled-repos, subscription-manager <<< no permission issue observed
Available Packages
Name : zsh
Arch : x86_64
Version : 5.0.2
Release : 34.el7_8.2
Size : 2.4 M
Repo : rhel-7-server-rpms/7Server/x86_64
Summary : Powerful interactive shell
URL : http://zsh.sourceforge.net/
License : MIT
Description : The zsh shell is a command interpreter usable as an interactive login
: shell and as a shell script command processor. Zsh resembles the ksh
: shell (the Korn shell), but includes many enhancements. Zsh supports
: command line editing, built-in spelling correction, programmable
: command completion, shell functions (with autoloading), a history
: mechanism, and more.
Actual Results: Permissions for entitlement certs are set to 644 regardless of umask
Expected Results: Permissions for entitlement certificates should always be set to 0644
Verifying on 7.9Z build:
Beaker Test information:
HOSTNAME=kvm-06-guest01.hv2.lab.eng.bos.redhat.com
JOBID=5252048
RECIPEID=9812517
RESULT_SERVER=
DISTRO=RHEL-7.9-updates-20210408.0
ARCHITECTURE=x86_64
[root@kvm-06-guest01 ~]# subscription-manager version
server type: This system is currently not registered.
subscription management server: 3.2.15-1
subscription management rules: 5.41
subscription-manager: 1.24.46-1.el7_9
[root@kvm-06-guest01 ~]#
[root@kvm-06-guest01 ~]# rpm -qa --changelog subscription-manager | grep 1896715
- 1896715: Set proper read permissions on certs (#2466) (wpoteat)
Steps to verify :
[root@kvm-06-guest01 ~]# ll /etc/pki/entitlement/
total 0
[root@kvm-06-guest01 ~]# subscription-manager register --username ***** --password ****** --auto-attach
Registering to: subscription.rhsm.stage.redhat.com:443/subscription
The system has been registered with ID: *********************
The registered system name is: kvm-06-guest01.hv2.lab.eng.bos.redhat.com
Installed Product Current Status:
Product Name: Red Hat Enterprise Linux Server
Status: Subscribed
[root@kvm-06-guest01 ~]#
[root@kvm-06-guest01 ~]# ll /etc/pki/entitlement/
total 36
-rw-r--r--. 1 root root 3243 Apr 8 06:52 8008816392806222517-key.pem
-rw-r--r--. 1 root root 28834 Apr 8 06:52 8008816392806222517.pem
[root@kvm-06-guest01 ~]# rm -f /etc/pki/entitlement/*
[root@kvm-06-guest01 ~]#
[root@kvm-06-guest01 ~]# umask 022
[root@kvm-06-guest01 ~]# subscription-manager refresh
All local data refreshed
[root@kvm-06-guest01 ~]# ls -al /etc/pki/entitlement/
total 36
drwxr-xr-x. 2 root root 72 Apr 8 06:53 .
drwxr-xr-x. 13 root root 179 Apr 8 05:53 ..
-rw-r--r--. 1 root root 3243 Apr 8 06:53 8008816392806222517-key.pem
-rw-r--r--. 1 root root 28834 Apr 8 06:53 8008816392806222517.pem
[root@kvm-06-guest01 ~]# rm -f /etc/pki/entitlement/*
[root@kvm-06-guest01 ~]# umask 077
[root@kvm-06-guest01 ~]# subscription-manager refresh
All local data refreshed
[root@kvm-06-guest01 ~]# ls -al /etc/pki/entitlement/
total 36
drwxr-xr-x. 2 root root 72 Apr 8 06:54 .
drwxr-xr-x. 13 root root 179 Apr 8 05:53 ..
-rw-r--r--. 1 root root 3243 Apr 8 06:54 8008816392806222517-key.pem
-rw-r--r--. 1 root root 28834 Apr 8 06:54 8008816392806222517.pem
[root@kvm-06-guest01 ~]#
[root@kvm-06-guest01 ~]# su - testuser
[testuser@kvm-06-guest01 ~]$ yum info telnet
Loaded plugins: product-id, search-disabled-repos, subscription-manager
Available Packages
Name : telnet
Arch : x86_64
Epoch : 1
Version : 0.17
Release : 66.el7
Size : 64 k
Repo : rhel-7-server-rpms/7Server/x86_64
Summary : The client program for the Telnet remote login protocol
URL : http://web.archive.org/web/20070819111735/www.hcs.harvard.edu/~dholland/computers/old-netkit.html
License : BSD
Description : Telnet is a popular protocol for logging into remote systems over the
: Internet. The package provides a command line Telnet client
[testuser@kvm-06-guest01 ~]$
Actual Results: Permissions for entitlement certs are set to 644 regardless of umask
Expected Results: Permissions for entitlement certificates should always be set to 0644
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (subscription-manager bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:1394