RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1900662 - rpm --setperms applies permissions on %ghost symlink to a regular file making it world readable/writable/executable
Summary: rpm --setperms applies permissions on %ghost symlink to a regular file making...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: rpm
Version: 8.3
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: rc
: 8.0
Assignee: Michal Domonkos
QA Contact: Eva Mrakova
URL:
Whiteboard:
Depends On:
Blocks: 1894852 1930550 2025906
TreeView+ depends on / blocked
 
Reported: 2020-11-23 13:49 UTC by Asaf Rachmani
Modified: 2022-05-10 16:51 UTC (History)
9 users (show)

Fixed In Version: rpm-4.14.3-22.el8
Doc Type: No Doc Update
Doc Text:
Clone Of:
: 2025906 (view as bug list)
Environment:
Last Closed: 2022-05-10 15:28:54 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2022:2082 0 None None None 2022-05-10 15:29:09 UTC

Description Asaf Rachmani 2020-11-23 13:49:28 UTC 
Description of problem:
Getting the following error during Hosted-engine deployment on RHVH with STIG/VPP profile:
Failed to connect to the host via ssh: Bad owner or permissions on /etc/crypto-policies/back-ends/openssh.config

openssh.config file permissions:
# ll /etc/crypto-policies/back-ends/openssh.config
-rwxrwxrwx. 1 root root 480 Nov 20 14:56 /etc/crypto-policies/back-ends/openssh.config

Version-Release number of selected component (if applicable):
crypto-policies-scripts-20200713-1.git51d1222.el8.noarch
crypto-policies-20200713-1.git51d1222.el8.noarch


How reproducible:
100%

Steps to Reproduce:
1. Select STIG profile during RHVH installation
2. Deploy hosted engine via cockpit
3.

Actual results:
Deployment fails to connect to the VM via ssh

Expected results:
The deployment should be able to connect to the VM via ssh

Additional info:
Looks like the file permissions have been changed in el8.3:

crypto-policies for 8.3:
$ rpm -qp --dump crypto-policies-20200713-1.git51d1222.el8.noarch.rpm | grep openssh.config
/etc/crypto-policies/back-ends/openssh.config 46 1594656270 0000000000000000000000000000000000000000000000000000000000000000 0120777 root root 1 0 0 /usr/share/crypto-policies/DEFAULT/openssh.txt
/usr/share/crypto-policies/back-ends/DEFAULT/openssh.config 1257 1594656269 3d3c6acdc4f04733dc586be2b3ac59d695c9d81232b9a77ac0f4f5db1715b2b6 0100644 root root 0 0 0 X
/usr/share/crypto-policies/back-ends/FIPS/openssh.config 854 1594656269 1c9b17757243c929f310d96a9e2290060aa7eef033f2e8313ae4e2fd9622d3f7 0100644 root root 0 0 0 X
/usr/share/crypto-policies/back-ends/FUTURE/openssh.config 986 1594656269 b83dad7da4e110ca351fa5ea43040138f2a4e1043ac2f0406accddd3d3632fdb 0100644 root root 0 0 0 X
/usr/share/crypto-policies/back-ends/LEGACY/openssh.config 1355 1594656269 8e230fadfa6ef25bb3f732cbb15fa4b38503e9f4c3ba9a700e6fec5e8540987d 0100644 root root 0 0 0 X


crypto-policies for 8.2:
$ rpm -qp --dump crypto-policies-20191128-2.git23e1bf1.el8.noarch.rpm | grep openssh.config
/etc/crypto-policies/back-ends/openssh.config 0 1576519808 0000000000000000000000000000000000000000000000000000000000000000 0100000 root root 0 0 0 X
/usr/share/crypto-policies/back-ends/DEFAULT/openssh.config 1173 1576519805 1f6ad778c1b4f3c2ee4c3300a2a829ada209c0f4daa211bde3159a46ad45a14b 0100644 root root 0 0 0 X
/usr/share/crypto-policies/back-ends/FIPS/openssh.config 854 1576519805 d140ff8ee38d517fae026cda89037192693a049286889c05fdee060467599ca2 0100644 root root 0 0 0 X
/usr/share/crypto-policies/back-ends/FUTURE/openssh.config 923 1576519805 c0c2c69bea40231791f5c93f61b9f13644dd8cf0c799e550606083e0875e2727 0100644 root root 0 0 0 X
/usr/share/crypto-policies/back-ends/LEGACY/openssh.config 1271 1576519805 76fe9070b172ee9baf59c3cba81814c203580a979bb275f699cd3f5d5efed30b 0100644 root root 0 0 0 X
Comment 1 Tomas Mraz 2020-11-23 14:41:13 UTC 
The question is what created the file with the wrong permissions. Please note that the rpm contents are irrelevant as the file is symlink in the package and symlinks do not really have permissions.

The update-crypto-policies tool from the crypto-policies package would not use such invalid permissions so it must be something else that creates the file with such permissions.

Reassigning to the potential component that might be the culprit.
Comment 2 Asaf Rachmani 2020-11-24 07:00:59 UTC 
In RHVH, we use 'rpm --setperms' in order to keep the original permissions, but it seems that when we use it we get 777 permissions.
Comment 3 Tomas Mraz 2020-11-24 09:15:28 UTC 
Hmm, so the reason is that in 8.3 the file was changed from %config to %ghost file but it was kept as a symlink. And for some reason rpm for %ghost files does record 777 permissions of the symlink.

I don't see this as a bug in crypto-policies though. We could somehow workaround it in the crypto-policies package but apparently it is not a good idea to use the rpm --setperms.
Comment 4 Yuval Turgeman 2020-11-24 09:54:06 UTC 
A symlink will always have 777, and `rpm --setperms` is the way to reset package permissions, so If an admin calls this, they would expect the system to behave correctly.  In the case of calling update-crypto-policies to generate a real 644 file and then calling setperms, it would break the system.  Why not keep it as %ghost 644 without a symlink ?
Comment 5 Tomas Mraz 2020-11-24 10:02:25 UTC 
It is then a bug in rpm that it applies permissions that are meant to be applied to symlink to a regular file. It is a complete nonsense to do that.
Comment 6 Yuval Turgeman 2020-11-24 10:10:03 UTC 
Good point, rpm could check this also, but as package maintainers if we have 2 possibilities, real file with 644 and a symlink with 777, it could be better to package the ghost as a real file with 644, especially when chmod on the 777 symlink to 644 as in the case of setperms will have no affect (I didn't test this though, so it's just a thought)
Comment 7 Michal Domonkos 2020-12-01 11:45:49 UTC 
Tomas, could you please help me understand what the issue is with rpm here?

AFAICT, "rpm --setperms" does what it's supposed to do - it sets the permissions on the individual files according to what's recorded in the rpmdb.  It actually is just a popt alias which calls chmod(1) behind the scenes.

Now, when it comes to symlinks, permissions on them are irrelevant on Linux, see chmod(1):

---8<---
chmod never changes the permissions of symbolic links; the chmod system call cannot change their permissions. This is not a problem since the permissions of symbolic links are never used. However, for each symbolic link listed on the command line, chmod changes the permissions of the pointed-to file. In contrast, chmod ignores symbolic links encountered during recursive directory traversals.
---8<---

More info also here: https://superuser.com/a/303063
Comment 8 Panu Matilainen 2020-12-01 12:07:56 UTC 
> However, for each symbolic link listed on the command line, chmod changes the permissions of the pointed-to file.

AIUI that exactly is the issue: rpm invokes chmod in a way that causes a regular file to receive the permissions of a symlink, which indeed is completely non-sensical.

There was a nasty regression in rpm 4.14.2 that caused --setperms and --setugids to follow links but it's supposedly fixed in rpm >= 4.14.2-4. What version of rpm is this, exactly?
Comment 9 Michal Domonkos 2020-12-01 12:17:13 UTC 
You're right - I missed the following little detail in Comment 0:

# ll /etc/crypto-policies/back-ends/openssh.config
-rwxrwxrwx. 1 root root 480 Nov 20 14:56 /etc/crypto-policies/back-ends/openssh.config
^

Indeed, this is not a symlink, though still has the 777 mode.  In my testing, I had a real symlink there, so such perms were kinda expected there.

I'll keep looking then.
Comment 10 Michal Domonkos 2020-12-01 12:20:25 UTC 
Keeping the needinfo on Tomas for the RPM version.
Comment 11 Michal Domonkos 2020-12-01 12:22:24 UTC 
Eh... sorry, it should've been on Asaf instead, correcting.
Comment 12 Tomas Mraz 2020-12-01 12:34:34 UTC 
I believe it is the rpm from RHEL-8.3 compose. rpm-4.14.3-4.el8.x86_64.rpm 

However I think there is one more thing in play here - the symlink in the package is %gost file. Maybe this is the reason why the permissions are applied?
Comment 13 Tomas Mraz 2020-12-01 12:35:04 UTC 
s/%gost/%ghost/ of course
Comment 14 Asaf Rachmani 2020-12-01 12:45:14 UTC 
(In reply to Michal Domonkos from comment #10)
> Keeping the needinfo on Tomas for the RPM version.

the RPM version rpm-4.14.3-4.el8
Comment 15 Yuval Turgeman 2020-12-01 12:55:00 UTC 
I think Tomas has it right - FILEFLAGS for a normal symlink is 0, but for ghost symlink it is set to 64 which triggers the chmod.  The file in this package may be either a symlink or a normal file - if the file is changed from a symlink to normal file, and then we run setperms, it will apply the permissions of the symlink (777) on the normal file.
Comment 16 Yuval Turgeman 2020-12-01 12:57:14 UTC 
Btw, if you want to reproduce this:

1. move the symlink aside (for testing)
2. touch a file with 644
3. run rpm --setperms on the crypto-policies package
4. check the permissions on that file, you'll see they changed to 777
Comment 23 Michal Domonkos 2021-12-07 09:02:14 UTC 
Upstream PR created:
https://github.com/rpm-software-management/rpm/pull/1854
Comment 36 errata-xmlrpc 2022-05-10 15:28:54 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (rpm bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:2082
Note You need to log in before you can comment on or make changes to this bug.