Bug 2053160 - [RHEL-8.7] Missing 'rngd' user's home directory causes command 'pwck' to find a problem on /etc/passwd user's entry
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: rng-tools
Version: ---
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.7
Assignee: Vladis Dronov
QA Contact: Vilém Maršík
URL:
Whiteboard:
Depends On:
Blocks: 2077035
 
Reported: 2022-02-10 16:05 UTC by Juan Gamba
Modified: 2022-11-08 12:28 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 2077035 (view as bug list)
Environment:
Last Closed: 2022-11-08 10:47:11 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-111915 0 None None None 2022-02-10 16:08:36 UTC
Red Hat Product Errata RHBA-2022:7710 0 None None None 2022-11-08 10:47:16 UTC

Description Juan Gamba 2022-02-10 16:05:48 UTC
Description of problem:

Missing 'rngd' user's home directory causes command 'pwck' to find a problem on /etc/passwd user's entry

Version-Release number of selected component (if applicable):

How reproducible:

Always

Steps to Reproduce:
1. Login as root
2. Run command 'pwck -r'
3.

Actual results:

# pwck -r
[..]
user 'rngd': directory '/var/lib/rngd' does not exist
pwck: no changes


Expected results:

# pwck -r
#


Additional info:

The rpm script is creating the user (if it does not exist already) with no create home option,

'man 8 adduser',

[..]
       -M, --no-create-home
           Do no create the user's home directory, even if the system wide setting from /etc/login.defs (CREATE_HOME) is set to yes.
[..]


# rpm -q --scripts rng-tools
preinstall scriptlet (using /bin/sh):
getent passwd rngd >/dev/null || useradd -r -M -d /var/lib/rngd -s /sbin/nologin -c "Random Number Generator Daemon" rngd
postinstall scriptlet (using /bin/sh):

if [ $1 -eq 1 ] ; then 
        # Initial installation 
        systemctl --no-reload preset rngd.service rngd-wake-threshold.service &>/dev/null || : 
fi 

/usr/bin/systemctl start rngd-wake-threshold.service || :
preuninstall scriptlet (using /bin/sh):

if [ $1 -eq 0 ] ; then 
        # Package removal, not upgrade 
        systemctl --no-reload disable --now rngd.service rngd-wake-threshold.service &>/dev/null || : 
fi
postuninstall scriptlet (using /bin/sh):

if [ $1 -ge 1 ] ; then 
        # Package upgrade, not uninstall 
        systemctl try-restart rngd.service rngd-wake-threshold.service &>/dev/null || : 
fi
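
The condition `pwck -r` reports above, as an added example (not part of the bug report or of rng-tools): a POSIX shell function that lists passwd entries whose home directory does not exist. The function names, the UIDs/GIDs, the `chrony` entry and the temporary tree are constructed for illustration; only the `rngd` home, shell and comment fields come from the scriptlet quoted above.

```shell
#!/bin/sh
# Added example: report passwd entries whose home directory is missing,
# the same condition 'pwck -r' flagged for the 'rngd' account.

# missing_homes PASSWD_FILE [ROOT]
# Prints "user:uid:home" for each entry whose home field is empty or is not
# a directory under ROOT (ROOT empty means the live filesystem).
missing_homes() {
    passwd_file=$1
    root=${2:-}
    # '|| [ -n "$user" ]' keeps a final line that lacks a trailing newline.
    while IFS=: read -r user _pw uid _gid _gecos home _shell || [ -n "$user" ]; do
        # Skip blank lines and comments.
        case $user in ''|'#'*) continue ;; esac
        if [ -z "$home" ] || [ ! -d "$root$home" ]; then
            printf '%s:%s:%s\n' "$user" "$uid" "$home"
        fi
    done < "$passwd_file"
}

# make_sample_root: builds a constructed test tree and prints its path.
# /var/lib/rngd is deliberately not created, mirroring 'useradd -M'.
make_sample_root() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/etc" "$dir/root" "$dir/var/lib/chrony"
    cat > "$dir/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
chrony:x:994:991::/var/lib/chrony:/sbin/nologin
rngd:x:993:990:Random Number Generator Daemon:/var/lib/rngd:/sbin/nologin
EOF
    printf '%s\n' "$dir"
}

# Demo on the constructed tree. On a real host: missing_homes /etc/passwd
sample=$(make_sample_root)
missing_homes "$sample/etc/passwd" "$sample"
rm -rf "$sample"
```

Running the function against an entry whose home is `/`, the change described in Comment 1, produces no output.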

Comment 1 Vladis Dronov 2022-02-15 14:00:46 UTC
hello, Juan, thank you for reporting this. i'll change the workdir for rngd to /, as most of system accounts have.
unfortunately, this change will happen in RHEL-8.7 at earliest. i can make a hotfix/test build with the fix for
RHEL-8.5 or -8.6 if needed.

Comment 2 Juan Gamba 2022-02-16 19:05:18 UTC
Hello Vladis, thank you.
There is no need for a hotfix/test build, customer will wait for the fix from standard channels.
The workaround I offered was to actually create the missing directory.

Comment 3 Vladis Dronov 2022-02-23 16:52:05 UTC
hi, Juan, unfortunately, there are hidden complications with creating a dedicated home dir for rngd,
so i've taken a path of changing rngd's workdir to /. in case your customer needs them, here are the
candidate (test) builds (include update to rng-tools v6.14 @b2b7934e + udevadm fix + pwck fix):

8.4.z test build: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=43282798
8.5.z test build: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=43282811

Comment 6 Vladis Dronov 2022-05-09 09:34:04 UTC
for builds and a testing plan please see bz2075974#c2 and below.
these 2 bzs are fixed in the same rng-tools release.

Comment 7 Vilém Maršík 2022-05-10 17:13:31 UTC
The problematic script code seems to be removed, no errors on my test system.
# rpm -q --scripts http://download.eng.brq.redhat.com/brewroot/packages/rng-tools/6.15/1.el8/x86_64/rng-tools-6.15-1.el8.x86_64.rpm
postinstall scriptlet (using /bin/sh):

if [ $1 -eq 1 ] ; then
        # Initial installation
        systemctl --no-reload preset rngd.service &>/dev/null || :
fi

Comment 12 Vilém Maršík 2022-06-13 22:10:30 UTC
No errors, same package version as already reviewed in Comment #7. Setting verified.

# pwck -r
# rpm -q rng-tools
rng-tools-6.15-1.el8.x86_64

Comment 13 Danie de Jager 2022-07-08 06:24:27 UTC
Historically this path was also not found on RHEL 7. Should the '/var/lib/rngd' path be manually created, and how does it impact the function of rngd if the path is not there? Was its creation omitted for security reasons?

Comment 14 Vladis Dronov 2022-07-08 12:54:37 UTC
(In reply to Danie de Jager from comment #13)

> Should the '/var/lib/rngd' path be manually created

no, it should not.

> and how does it impact the function of rngd if the path is not there.

this does not impact rngd

> Was its creation omitted for security reasons?

no, it was omitted following Occam's razor principle.

HTH!

Comment 16 errata-xmlrpc 2022-11-08 10:47:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (rng-tools bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7710

