Bug 1952105 - [RHEL8/Bug] vdo creates directory /run/lock/vdo world writable without sticky bit triggered (found by SCAP)
Summary: [RHEL8/Bug] vdo creates directory /run/lock/vdo world writable without sticky...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: vdo
Version: 8.3
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: beta
Target Release: ---
Assignee: bjohnsto
QA Contact: Filip Suba
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-04-21 14:06 UTC by Rajesh Dulhani
Modified: 2021-11-10 06:38 UTC (History)
CC List: 4 users

Fixed In Version: vdo-6.2.5.11-14.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-11-09 19:28:28 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments:
run-lock-vdo status reported by scap (236.20 KB, image/png), 2021-04-21 14:06 UTC, Rajesh Dulhani


Links:
Red Hat Product Errata RHBA-2021:4359 (last updated 2021-11-09 19:28:38 UTC)

Description Rajesh Dulhani 2021-04-21 14:06:23 UTC
Created attachment 1774101
run-lock-vdo status reported by scap

Description of problem:

When I run the SCAP standard profile xccdf_org.ssgproject.content_profile_standard on RHEL 7 as well as RHEL 8, it triggers the rule xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits on the directory /run/lock/vdo, which is implicitly created during boot.

attached screenshot.

I also verified on RHEL 8.3 and RHEL 7.6, and there /run/lock/vdo is likewise missing the sticky bit recommended by SCAP.
-------

$ cat /etc/redhat-release
Red Hat Enterprise Linux release 8.3 (Ootpa)


$ stat /run/lock/vdo
  File: /run/lock/vdo
  Size: 60              Blocks: 0          IO Block: 4096   directory
Device: 18h/24d Inode: 205356      Links: 2
Access: (0777/drwxrwxrwx)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:var_lock_t:s0
Access: 2021-04-15 12:59:11.315884394 +0000
Modify: 2021-03-25 01:38:13.605033991 +0000
Change: 2021-03-25 01:38:13.605033991 +0000
 Birth: -

$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.6 (Maipo)


$ stat /run/lock/vdo
  File: ‘/run/lock/vdo’
  Size: 60              Blocks: 0          IO Block: 4096   directory
Device: 14h/20d Inode: 225067      Links: 2
Access: (0777/drwxrwxrwx)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:var_lock_t:s0
Access: 2021-04-16 07:45:13.296935102 +0000
Modify: 2021-04-15 02:19:47.651891219 +0000
Change: 2021-04-15 02:19:47.651891219 +0000
 Birth: -

Version-Release number of selected component (if applicable):


SCAP PROFILE - RHEL8.3

Header of the HTML output of the scap report:
------
Evaluation target	li-lc-2624
Benchmark URL	/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
Benchmark ID	xccdf_org.ssgproject.content_benchmark_RHEL-8
Benchmark version	0.1.50
Profile ID	xccdf_org.ssgproject.content_profile_ospp
Started at	2021-04-12T16:57:29+00:00
Finished at	2021-04-12T16:57:30+00:00
Performed by	vrempet-admin
Test system	cpe:/a:redhat:openscap:1.3.3
------

Steps to Reproduce:

The file is created implicitly by the nightly insights-client run:

-----------

$ ls -l /run/lock
total 0
-rw-r--r--. 1 root root   0 Apr 16 07:58 kdump
drwxrwxr-x. 2 root lock  40 Apr 16 07:58 lockdev
drwx------. 2 root root  40 Apr 16 07:59 lvm
drwxr-xr-x. 2 root root 120 Apr 16 07:58 subsys

$ ls -l /run/lock/vdo
ls: cannot access /run/lock/vdo: No such file or directory

$ sudo insights-client
Starting to collect Insights data for [crash/LI/IPS/OSDev-7.6SAPSOL] li-lc-2286.hag.hilti.com
Uploading Insights data.
Successfully uploaded report from [crash/LI/IPS/OSDev-7.6SAPSOL] li-lc-2286.hag.hilti.com to account 694947.
View details about this system on cloud.redhat.com:
https://cloud.redhat.com/insights/inventory/29fa76b0-48af-40fc-a23a-0ceb3e7524f5

$ ls -l /run/lock/vdo
total 0
-rw-r--r--. 1 root root 0 Apr 16 13:04 _etc_vdoconf.yml.lock

$ sudo grep vdo /var/log/insights-client/insights-client.log
2021-04-16 13:04:25,724    DEBUG insights.util.subproc Executing: [['timeout', '-s', '9', '120', '/usr/bin/vdo', 'status']]
2021-04-16 13:04:32,969    DEBUG insights.client.data_collector Processing /var/tmp/kRwG7w/insights-li-lc-2286.hag.hilti.com-20210416130407/data/insights_commands/vdo_status...
-------------


Reproducer with vdo status:
-------------

$ sudo rm -rf /run/lock/vdo

$ /usr/bin/vdo status
vdo: ERROR - Could not lock file /run/lock/vdo/_etc_vdoconf.yml.lock

$ sudo /usr/bin/vdo status
VDO status:
  Date: '2021-04-16 13:06:27+00:00'
  Node: li-lc-2286
Kernel module:
  Loaded: false
  Name: kvdo
  Version information:
    kvdo version: 6.1.1.125
Configuration:
  File: does not exist
  Last modified: not available
VDOs: {}

$ ls -l /run/lock/vdo
total 0
-rw-r--r--. 1 root root 0 Apr 16 13:06 _etc_vdoconf.yml.lock

$ ls -ld /run/lock/vdo
drwxr-xr-x. 2 root root 60 Apr 16 13:06 /run/lock/vdo
-------------

But when vdo status is run by insights-client from systemd, the directory is created with mode 777:
-------------
$ sudo rm -rf /run/lock/vdo

$ sudo systemctl start insights-client

$ ls -ld /run/lock/vdo
ls: cannot access /run/lock/vdo: No such file or directory

$ sudo systemctl status insights-client
● insights-client.service - Insights Client
   Loaded: loaded (/usr/lib/systemd/system/insights-client.service; static; vendor preset: disabled)
   Active: inactive (dead) since Fri 2021-04-16 13:09:46 UTC; 16s ago
     Docs: man:insights-client(8)
  Process: 7002 ExecStartPost=/bin/bash -c if [ -d /sys/fs/cgroup/memory ]; then echo 1G > /sys/fs/cgroup/memory/system.slice/insights-client.service/memory.soft_limit_in_bytes; fi (code=exited, status=0/SUCCESS)
  Process: 7001 ExecStartPost=/bin/bash -c if [ -d /sys/fs/cgroup/memory ]; then echo 2G > /sys/fs/cgroup/memory/system.slice/insights-client.service/memory.memsw.limit_in_bytes; fi (code=exited, status=0/SUCCESS)
  Process: 7000 ExecStart=/usr/bin/insights-client --retry 3 (code=exited, status=0/SUCCESS)
 Main PID: 7000 (code=exited, status=0/SUCCESS)

Apr 16 13:08:15 li-lc-2286 systemd[1]: Starting Insights Client...
Apr 16 13:08:15 li-lc-2286 systemd[1]: Started Insights Client.
Apr 16 13:08:25 li-lc-2286 insights-client[7000]: Starting to collect Insights data for [crash/LI/IPS/OSDev-7.6SAPSOL] li-lc-2286.ha...lti.com
Apr 16 13:09:44 li-lc-2286 insights-client[7000]: Uploading Insights data.
Apr 16 13:09:45 li-lc-2286 insights-client[7000]: Successfully uploaded report from [crash/LI/IPS/OSDev-7.6SAPSOL] li-lc-2286.hag.hi...694947.
Apr 16 13:09:46 li-lc-2286 insights-client[7000]: View details about this system on cloud.redhat.com:
Apr 16 13:09:46 li-lc-2286 insights-client[7000]: https://cloud.redhat.com/insights/inventory/29fa76b0-48af-40fc-a23a-0ceb3e7524f5
Hint: Some lines were ellipsized, use -l to show in full.

$ ls -ld /run/lock/vdo
drwxrwxrwx. 2 root root 60 Apr 16 13:08 /run/lock/vdo

-------------

Actual results:

That means it is a bug in the vdo package that it creates the directory world-writable when run from systemd.


Expected results:

It should not create the world-writable directory.


Additional info:

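Added example, not part of the bug report and not the vdo project's own code: the report shows the same `vdo status` call producing a 0755 directory from a root shell and a 0777 directory from the insights-client systemd unit. The most plausible mechanism (an inference from the two results, not something the report states) is a mkdir that requests mode 0o777 and relies on the process umask to trim it: 022 in an interactive root shell, but 000 in the service context. The Python below reproduces both outcomes in a throwaway tree, shows the umask-independent fix (mkdir followed by an explicit chmod) and the sticky-bit alternative for a directory that genuinely must be shared, and includes a small audit that applies the same condition the SCAP rule dir_perms_world_writable_sticky_bits checks. All paths and function names are illustrative; the vdo manager CLI is Python, but none of this is its code.

```python
import os
import stat
import tempfile


def make_dir_umask_dependent(path, mode=0o777):
    """Create `path` the way a naive mkdir(path, 0o777) does.

    The effective mode is `mode & ~umask`, so the result depends entirely on
    the umask the calling process inherited: an interactive root shell usually
    has 022, while a service may run with 000.
    """
    os.mkdir(path, mode)
    return stat.S_IMODE(os.stat(path).st_mode)


def make_dir_fixed(path, mode=0o755):
    """Create `path`, then force its permissions independent of umask.

    chmod() is not subject to the umask, so the result is exactly `mode`.
    Pass 0o1777 for a /tmp-style shared directory with the sticky bit set.
    """
    os.mkdir(path)
    os.chmod(path, mode)
    return stat.S_IMODE(os.stat(path).st_mode)


def world_writable_without_sticky(root):
    """Return directories under `root` that are world-writable and lack the
    sticky bit: the condition behind the SCAP rule
    dir_perms_world_writable_sticky_bits (equivalent to
    find ROOT -type d -perm -0002 ! -perm -1000)."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if not stat.S_ISDIR(st.st_mode):
                continue  # skip symlinks that point at directories
            if st.st_mode & stat.S_IWOTH and not st.st_mode & stat.S_ISVTX:
                hits.append(full)
    return hits


def demo():
    """Reproduce the behaviour in a temporary tree (constructed input) and
    return (mode_umask0, mode_umask022, mode_fixed, mode_sticky, offenders)."""
    with tempfile.TemporaryDirectory() as tmp:
        saved = os.umask(0)          # simulate a service running with umask 000
        try:
            lock = os.path.join(tmp, "lock")
            os.mkdir(lock, 0o755)    # parent directory, deliberately safe

            # 1. Naive creation under umask 000 ends up 0777 (the reported bug).
            m_umask0 = make_dir_umask_dependent(os.path.join(lock, "vdo_umask0"))

            # 2. The same call under umask 022 gives 0755, which is what the
            #    interactive shell showed and why the bug hides in manual tests.
            os.umask(0o022)
            m_umask022 = make_dir_umask_dependent(os.path.join(lock, "vdo_umask022"))

            # 3. Explicit chmod after mkdir: correct regardless of umask.
            os.umask(0)
            m_fixed = make_dir_fixed(os.path.join(lock, "vdo_fixed"), 0o755)

            # 4. If the directory really must be world-writable, the sticky bit
            #    stops users from deleting or renaming each other's lock files.
            m_sticky = make_dir_fixed(os.path.join(lock, "vdo_sticky"), 0o1777)

            offenders = sorted(os.path.basename(p)
                               for p in world_writable_without_sticky(tmp))
        finally:
            os.umask(saved)
    return m_umask0, m_umask022, m_fixed, m_sticky, offenders


if __name__ == "__main__":
    print(demo())
```

Only the directory created under umask 000 with a requested mode of 0777 shows up in the audit; the chmod-based variants pass whether the process umask is 000 or 022, which is the property a lock-directory helper invoked from a systemd unit needs.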
Comment 3 Filip Suba 2021-05-27 14:30:01 UTC
Verified with vdo-6.2.5.11-14.el8.

Comment 6 errata-xmlrpc 2021-11-09 19:28:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (kmod-kvdo bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4359

