+++ This bug was initially created as a clone of Bug #2021025 +++
Description of problem:
lsr.certificates has a "group:" option, which is meant for services which run not as root, but as some unprivileged user/group. However, it keeps the file permissions as 0600, which means that the group can't access it.
I recently fixed this upstream:
- https://github.com/linux-system-roles/certificate/commit/27ed4d2517cbdd introduces general testing of certificate permissions
- https://github.com/linux-system-roles/certificate/commit/0d7470b345e1bf adds a test for setting "group:" (without "owner:", thus keeping the "root" default), and ensures that the permissions are as expected. This reproduces the bug and validates the fix.
RHEL 8.5/8.6 is affected in the same way -- but you mentioned you want to handle this through cloning, after the initial bug review.
Version-Release number of selected component (if applicable):
How reproducible: Always
Steps to Reproduce:
1. Run this step:
- hosts: webserver
- name: mycert
2. Check permissions
Actual results: /etc/pki/tls/certs/mycert.key has permissions 0600
Expected results: /etc/pki/tls/certs/mycert.key has permissions 0640 so that the group can actually read it
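
A check for the condition this report describes, added here as an example and not taken from the role or its upstream tests: it inspects a key file's mode and group and reports when the service group cannot read it, or when access is wider than 0640 allows. The function name `audit_key_file` and the temporary file standing in for /etc/pki/tls/certs/mycert.key are assumptions made for the demonstration.

```python
import os
import stat
import tempfile


def audit_key_file(path, service_gid):
    """Return findings for a private key that a non-root service group must read."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if st.st_gid != service_gid:
        findings.append("group owner is gid %d, expected %d" % (st.st_gid, service_gid))
    # 0600 fails here: the "group:" setting is useless if the group bit is missing.
    if not mode & stat.S_IRGRP:
        findings.append("mode %04o: group cannot read the key" % mode)
    # The group only needs to read the key, never to modify or execute it.
    if mode & (stat.S_IWGRP | stat.S_IXGRP):
        findings.append("mode %04o: group has more than read access" % mode)
    # A private key must stay closed to everyone outside owner and group.
    if mode & stat.S_IRWXO:
        findings.append("mode %04o: key is accessible to other users" % mode)
    return findings


def demo():
    """Audit a constructed stand-in key file under three modes."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        key = os.path.join(d, "mycert.key")
        with open(key, "w") as f:
            f.write("constructed placeholder, not a real key\n")
        # Assumption: the file's own gid stands in for the service group.
        gid = os.stat(key).st_gid
        for mode in (0o600, 0o640, 0o644):
            os.chmod(key, mode)
            results[mode] = audit_key_file(key, gid)
    return results


if __name__ == "__main__":
    for mode, findings in demo().items():
        print("%04o -> %s" % (mode, findings or "ok"))
```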
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory (rhel-system-roles bug fix and enhancement update), and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.