Bug 2021683 - certificates: "group" option keeps certificates inaccessible to the group
Summary: certificates: "group" option keeps certificates inaccessible to the group
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: rhel-system-roles
Version: 8.6
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 8.6
Assignee: Rich Megginson
QA Contact: David Jež
Docs Contact: Eliane Ramos Pereira
URL:
Whiteboard: role:certificate
Depends On: 2021025
Blocks:
Reported: 2021-11-09 22:31 UTC by Rich Megginson
Modified: 2022-05-10 14:39 UTC (History)

Fixed In Version: rhel-system-roles-1.11.0-1.el8
Doc Type: Bug Fix
Doc Text:
.The `group` option no longer keeps certificates inaccessible to the group

Previously, when setting the group for a certificate, the `mode` was not set to allow group read permission. As a consequence, group members were unable to read certificates issued by the Certificate role. With this fix, the group setting now ensures that the file mode includes group read permission. As a result, the certificates issued by the Certificate role for groups are accessible by the group members.
Clone Of: 2021025
Environment:
Last Closed: 2022-05-10 14:12:46 UTC
Type: Bug
Target Upstream Version:




Links
System ID Private Priority Status Summary Last Updated
Github linux-system-roles certificate pull 97 0 None Merged Fix certificate permissions with "group" option 2021-11-09 22:31:20 UTC
Red Hat Issue Tracker RHELPLAN-102329 0 None None None 2021-11-10 11:51:02 UTC
Red Hat Product Errata RHBA-2022:1896 0 None None None 2022-05-10 14:13:12 UTC

Description Rich Megginson 2021-11-09 22:31:20 UTC
+++ This bug was initially created as a clone of Bug #2021025 +++

Description of problem:

lsr.certificates has a "group:" option [1], which is meant for services which run not as root, but as some unprivileged user/group. However, it keeps the file permissions as 0600, which means that the group can't access it.

I recently fixed this upstream:
- https://github.com/linux-system-roles/certificate/commit/27ed4d2517cbdd introduces general testing of certificate permissions

- https://github.com/linux-system-roles/certificate/commit/0d7470b345e1bf adds a test for setting "group:" (without "owner:", thus keeping the "root" default), and ensures that the permissions are as expected. This reproduces the bug and validates the fix.

RHEL 8.5/8.6 is affected in the same way -- but you mentioned you want to handle this through cloning, after the initial bug review.

Version-Release number of selected component (if applicable):

rhel-system-roles-1.8.3-2.el9.noarch

How reproducible: Always


Steps to Reproduce:
1. Run this step:

- hosts: webserver
  vars:
    certificate_requests:
      - name: mycert
        dns: www.example.com
        ca: self-sign
        group: httpd

  roles:
    - linux-system-roles.certificate

2. Check permissions

Actual results: /etc/pki/tls/certs/mycert.key has permissions 0600


Expected results: /etc/pki/tls/certs/mycert.key has permissions 0640 so that the group can actually read it


Additional info:

[1] https://github.com/linux-system-roles/certificate#setting-the-certificate-owner-and-group
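The reproducer above boils down to one rule: a private key with no group set should be 0600, and one with a group set should be 0640, never group-writable and never accessible to others. The following added Python example (not part of the bug report or the certificate role) audits key files against that rule, so hosts provisioned by an affected role version can be checked for keys the service group still cannot read. The file contents and the `httpd` group name in the demo are constructed; the helper names are assumptions of this example.

```python
"""Audit private-key file modes against the permissions the fixed certificate role sets."""
import os
import stat
import tempfile
from typing import Dict, List, Optional


def expected_key_mode(group: Optional[str]) -> int:
    """0600 when no group is configured; 0640 when a group is, so the group can read the key."""
    return 0o640 if group else 0o600


def assess_mode(mode: int, group: Optional[str]) -> List[str]:
    """Return findings for a raw st_mode value (or bare permission bits) given the configured group."""
    perm = stat.S_IMODE(mode)  # strip file-type bits, keep rwx/suid/sticky
    findings: List[str] = []
    if group and not perm & stat.S_IRGRP:
        # The symptom of bug 2021683: group configured, but mode stayed 0600.
        findings.append("group %s cannot read the key (bug 2021683 symptom)" % group)
    if perm & stat.S_IWGRP:
        findings.append("key is group-writable")
    if perm & stat.S_IRWXO:
        findings.append("key is accessible to others")
    return findings


def audit_key_file(path: str, group: Optional[str]) -> List[str]:
    """Stat a key file on disk and assess its mode (hypothetical helper for this example)."""
    return assess_mode(os.stat(path).st_mode, group)


def demo() -> Dict[str, List[str]]:
    """Constructed walkthrough: a key left at 0600 by the buggy role, then corrected to 0640."""
    with tempfile.TemporaryDirectory() as workdir:
        key = os.path.join(workdir, "mycert.key")
        with open(key, "w") as fh:
            fh.write("-- constructed placeholder, not a real key --\n")
        os.chmod(key, 0o600)                      # what the affected role produced
        before = audit_key_file(key, "httpd")
        os.chmod(key, expected_key_mode("httpd"))  # what the fixed role produces
        after = audit_key_file(key, "httpd")
    return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, findings in demo().items():
        print(phase, findings or "ok")
```

`assess_mode` works on the integer mode alone, so the same check can be applied to modes collected remotely (for example from the `mode` field that Ansible's `stat` module returns) without touching the filesystem; `audit_key_file` is the local convenience wrapper.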

Comment 13 errata-xmlrpc 2022-05-10 14:12:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (rhel-system-roles bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1896

