+++ This bug was initially created as a clone of Bug #1691544 +++
A continuation of Bug #1691544: should umask be altered to 077, as in STIG ID RHEL-08-020353, the non-key.pem files in /etc/pki/entitlement will be created without other-read permission and the /etc/yum.repos.d/redhat.repo file without other-read permission as well, thus introducing this issue again.
Adding read permission for other to all the entitlement key files in /etc/pki/entitlement and read permission for other to /etc/yum.repos.d/redhat.repo resolves the issue.
The default setting for umask would be 002, but RHEL-08-020353 mandates that both of these umask settings must be 077 (as in /etc/bashrc):
if [ $UID -gt 199 ] && [ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then
    umask 027
else
    umask 027
fi
In #1691544 it was pointed out that the *key.pem files were being written without other read. In this bug report, the other half of the files, and /etc/yum.repos.d/redhat.repo, which rootless containers also depend on, will be unable to be read by rootless containers because subscription-manager does not set the permissions of these files when it creates them and instead relies on umask settings. For the *key.pem files it appears it does not rely on umask settings and explicitly sets the permissions.
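The mechanism described above, as an added example that is not part of the original report or of subscription-manager: a file created without an explicit mode ends up as 0666 & ~umask, so it is world-readable under the default umask but 0600 under the STIG's 077; a writer that calls fchmod() after open() gets the same mode regardless of umask. The example reproduces both behaviours in a scratch directory (the file names and contents are constructed, modelled on the /etc/pki/entitlement and redhat.repo layout the report describes) and includes a hypothetical check that lists the non-key files an unprivileged UID such as a rootless container's could not read. Private keys are excluded from that check on purpose: they should stay 0600.

```python
import os
import stat
import tempfile


def write_relying_on_umask(path, data):
    """Create a file with no explicit mode, the way the report says the
    non-key PEM files and redhat.repo are written. The resulting mode is
    0666 & ~umask, so it depends entirely on the caller's environment."""
    with open(path, "w") as fh:
        fh.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)


def write_with_explicit_mode(path, data, mode):
    """Create a file and force its mode. open() still applies the umask, so
    fchmod() on the open descriptor is what makes the result independent of
    it. This is the behaviour the report observes for the *key.pem files."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "w") as fh:
        os.fchmod(fd, mode)
        fh.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)


def files_missing_other_read(directory, key_suffix="key.pem"):
    """Hypothetical check (not a subscription-manager feature): names in
    `directory` that lack the other-read bit, skipping private keys, which
    are expected to be 0600 and are not what the report asks to open up."""
    missing = []
    for name in sorted(os.listdir(directory)):
        if name.endswith(key_suffix):
            continue
        mode = stat.S_IMODE(os.stat(os.path.join(directory, name)).st_mode)
        if not mode & stat.S_IROTH:
            missing.append(name)
    return missing


def demo(umask_value=0o077):
    """Reproduce the report under a given umask and return
    (modes as created, names unreadable by others, names unreadable after
    the non-key files are re-created with an explicit 0644)."""
    old_umask = os.umask(umask_value)
    try:
        with tempfile.TemporaryDirectory() as d:
            # Constructed stand-ins for an entitlement cert, its key and redhat.repo.
            cert = os.path.join(d, "1234567890.pem")
            key = os.path.join(d, "1234567890-key.pem")
            repo = os.path.join(d, "redhat.repo")
            created = {
                "cert": write_relying_on_umask(cert, "-----BEGIN CERTIFICATE-----\n"),
                "key": write_with_explicit_mode(key, "-----BEGIN PRIVATE KEY-----\n", 0o600),
                "repo": write_relying_on_umask(repo, "[rhel-8-for-x86_64-baseos-rpms]\n"),
            }
            missing_before = files_missing_other_read(d)
            # The fix the report asks for: set the mode explicitly instead of
            # inheriting whatever umask the creating process happened to have.
            write_with_explicit_mode(cert, "-----BEGIN CERTIFICATE-----\n", 0o644)
            write_with_explicit_mode(repo, "[rhel-8-for-x86_64-baseos-rpms]\n", 0o644)
            missing_after = files_missing_other_read(d)
            return created, missing_before, missing_after
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    for umask_value in (0o022, 0o077):
        created, before, after = demo(umask_value)
        print(f"umask {umask_value:03o}: created={ {k: oct(v) for k, v in created.items()} } "
              f"unreadable_by_others={before} after_fix={after}")
```

Running it with umask 022 shows the cert and repo file created as 0644 and nothing flagged, which is why the problem is invisible on a default install; with umask 077 both come out 0600 and are flagged until re-created with an explicit mode, while the key stays 0600 in both cases.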
Thanks for opening the bug. We will improve the permissions of the pem files. Please note that the permissions on the /etc/yum.repos.d/redhat.repo file will not be altered, as the redhat.repo file inside the container is populated from the host entitlement files.