RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 2058239 - Inconsistent /var/log/kadmind.log mode initialization between kdb5_util and kadmind
Summary: Inconsistent /var/log/kadmind.log mode initialization between kdb5_util and k...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa-healthcheck
Version: 8.6
Hardware: All
OS: Unspecified
unspecified
high
Target Milestone: rc
: ---
Assignee: Rob Crittenden
QA Contact: ipa-qe
URL:
Whiteboard:
: 2061532 (view as bug list)
Depends On:
Blocks: 2072708
TreeView+ depends on / blocked
 
Reported: 2022-02-24 14:57 UTC by Michal Polovka
Modified: 2022-11-08 10:24 UTC (History)
7 users (show)

Fixed In Version: ipa-healthcheck-0.7-13.module+el8.7.0+15276+08c45309
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 2072708 (view as bug list)
Environment:
Last Closed: 2022-11-08 09:35:50 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker FREEIPA-7889 0 None None None 2022-02-24 14:59:03 UTC
Red Hat Issue Tracker RHELPLAN-113677 0 None None None 2022-02-24 14:59:09 UTC
Red Hat Product Errata RHBA-2022:7540 0 None None None 2022-11-08 09:36:10 UTC

Description Michal Polovka 2022-02-24 14:57:52 UTC 
Description of problem:
ipa-healthcheck --output-type json --failures-only reports

transport.py               558 DEBUG    [
transport.py               558 DEBUG      {
transport.py               558 DEBUG        "source": "ipahealthcheck.ipa.files",
transport.py               558 DEBUG        "check": "IPAFileCheck",
transport.py               558 DEBUG        "result": "WARNING",
transport.py               558 DEBUG        "uuid": "c16f6dc4-d964-4040-b7ba-775ae0b7df54",
transport.py               558 DEBUG        "when": "20220221170749Z",
transport.py               558 DEBUG        "duration": "0.005988",
transport.py               558 DEBUG        "kw": {
transport.py               558 DEBUG          "key": "_var_log_kadmind.log_mode",
transport.py               558 DEBUG          "path": "/var/log/kadmind.log",
transport.py               558 DEBUG          "type": "mode",
transport.py               558 DEBUG          "expected": "0600",
transport.py               558 DEBUG          "got": "0640",
transport.py               558 DEBUG          "msg": "Permissions of /var/log/kadmind.log are too permissive: 0640 and should be 0600"
transport.py               558 DEBUG        }
transport.py               558 DEBUG      }
transport.py               558 DEBUG    ]
transport.py               217 DEBUG    Exit code: 1

This was uncovered after the fix from https://bugzilla.redhat.com/show_bug.cgi?id=2049167

Version-Release number of selected component (if applicable):
krb5-libs-1.18.2-14.el8.x86_64
krb5-pkinit-1.18.2-14.el8.x86_64
krb5-server-1.18.2-14.el8.x86_64
krb5-workstation-1.18.2-14.el8.x86_64

How reproducible:
always

Steps to Reproduce:
Execute the test suite stated in QE whiteboard

Actual results:
"Permissions of /var/log/kadmind.log are too permissive: 0640 and should be 0600"

Expected results:
Permissions should be 0600

Additional info:
Marking as regression, as on RHEL8.5 system, /var/log/kadmind.log has 0600
Comment 4 Julien Rische 2022-03-01 13:59:29 UTC 
There is an inconsistent behavior between kadmin tools and daemon:

* kadmind creates /var/log/kadmind.log with mode 0640[1]
* kdb5_util creates /var/log/kadmind.log with mode 0600 (still looking for where this is happening in the code)

This inconsistency is still there on RHEL9. I am not sure if this is a regression of krb5 though: it may be due to a change in of kdb5_util's behavior, or to a change in the IPA installation script (in case kdb5_util was executed before kadmind in previous versions).

I still believe it would make more sense to have both kdb5_util and kadmind setting the same mode when creating /var/log/kadmind.log. But should we actually require 0600 mode rather than 0640, since the group is root?

[1] https://github.com/krb5/krb5/commit/9914b93516bbce9b1123ed5f9f796b7028944892#diff-a8cdf56f67ec1a8ee775777d0bed41dc5eae938154b7235e7e220daadf4d3c9fR428
Comment 5 Julien Rische 2022-03-02 11:26:37 UTC 
The code I mentioned in my previous comment is actually patched[1], but it doesn't change its behavior regarding the mode of /var/log/kadmind.log.

Something I find confusing is the only reference to /var/log/kadmind.log in the strace report of kdb5_util uses the 0640. However, the resulting file has mode 0600.

# strace -e trace=%file -k -o report.strace -- kdb5_util create
...
openat(AT_FDCWD, "/var/log/kadmind.log", O_WRONLY|O_CREAT|O_APPEND, 0640) = 4
 > /usr/lib64/libc.so.6(__open+0x5b) [0x143ddb]
 > /usr/lib64/libkrb5support.so.0.1(krb5int_labeled_open+0x127) [0x6ee7]
 > /usr/lib64/libkadm5srv_mit.so.12.0(krb5_klog_init+0x487) [0xd9d7]
 > /usr/sbin/kdb5_util(kdb5_create+0x3c7) [0x108b7]
 > /usr/sbin/kdb5_util(main+0x4d9) [0x6889]
 > /usr/lib64/libc.so.6(__libc_start_call_main+0x7f) [0x44e4f]
 > /usr/lib64/libc.so.6(__libc_start_main@@GLIBC_2.34+0x7b) [0x44efb]
 > /usr/sbin/kdb5_util(_start+0x24) [0x6f94]
...

[1] https://gitlab.com/redhat/centos-stream/rpms/krb5/-/commit/908aeb56b21e5257cba1fc23c7b1babc7a1c6f3a?page=2#a071e38cf3484f61e8097b4b5e1d588ce19a3688_0_343
Comment 6 Julien Rische 2022-03-02 14:25:38 UTC 
auditd confirms /var/log/kadmind.log is create with 0600 mode:

type=PATH msg=audit(1646229195.833:303): item=1 name="/var/log/kadmind.log" inode=288175 dev=fd:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:kadmind_log_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

Therefore, I don't really understand why the 0640 mode parameter passed to the openat() call detected by strace in my previous comment is not applied.
Comment 7 Alexander Bokovoy 2022-03-03 14:22:14 UTC 
It may be due to umask difference between systemd service environment and root?
Comment 8 Alexander Bokovoy 2022-03-03 14:22:15 UTC 
It may be due to umask difference between systemd service environment and root?
Comment 9 Julien Rische 2022-03-03 14:51:51 UTC 
Good guess! The root user's umask is 0022, but it is overridden to 0077 in the kdb5_util code:

https://github.com/krb5/krb5/blob/krb5-1.19.1-final/src/kadmin/dbutil/kdb5_util.c#L327
Comment 10 Julien Rische 2022-03-04 08:51:54 UTC 
I think for now we should change the expected permissions in ipa-healtcheck. 0640 shouldn't be considered too permissive, since it is the default mode used by kadmind:

https://github.com/freeipa/freeipa-healthcheck/blob/0.10/src/ipahealthcheck/ipa/files.py#L122

The file mode inconsistency between kadmind and kdb5_util should be fixed upstream.
Comment 11 Julien Rische 2022-03-04 14:20:35 UTC 
The current situation make it difficult to know what mode to expect on /var/log/kadmind.log:
* The ipa-server-install script will initialize the mode as 0600
* If the admin removed the log file, it will be recreated by kadmind with 0640

ipa-healtcheck is raising a warning is case the file mode is too permissive, and an error in case it is too restrictive[1].

But we don't what to turn the warning we currently have (which may be considered a false negative) into an error.

@rcritten, is there a way to allow multiple file modes in ipa-healtcheck? Or a way to not check group read access?

[1] https://github.com/freeipa/freeipa-healthcheck/blob/0.10/src/ipahealthcheck/core/files.py#L47
Comment 13 Rob Crittenden 2022-03-09 21:01:14 UTC 
Support for multiple expected modes can be added. We did something similar for owner and group.

Moving component to ipa-healthcheck to implement this.
Comment 14 Florence Blanc-Renaud 2022-03-22 14:08:40 UTC 
*** Bug 2061532 has been marked as a duplicate of this bug. ***
Comment 15 Rob Crittenden 2022-04-05 13:28:09 UTC 
Upstream PR https://github.com/freeipa/freeipa-healthcheck/pull/255
Comment 16 Rob Crittenden 2022-04-28 16:03:08 UTC 
master: 621a32bb892fa36cb2fd78a3f30f6080300b0bef
Comment 17 Rob Crittenden 2022-04-29 14:58:10 UTC 
ipa-healthcheck-0.7-13.el8
Comment 26 Michal Polovka 2022-05-24 14:21:32 UTC 
Pre-verified using automation in test_replica_promotion.py::TestHiddenReplicaPromotion::test_ipahealthcheck_hidden_replica.
Package version ihealthcheck-0.7-13.module+el8.7.0+15276+08c45309.noarch from the test compose http://artifacts.osci.redhat.com/comp/rhel-8.7.0-mbs/15276-958-idm/


Excerpt of a log:
transport.py               217 DEBUG    Exit code: 0
transport.py               391 INFO     RUN ['ipa-healthcheck', '--output-type', 'json', '--failures-only']
transport.py               513 DEBUG    RUN ['ipa-healthcheck', '--output-type', 'json', '--failures-only']
transport.py               558 DEBUG    []
transport.py               217 DEBUG    Exit code: 0
transport.py               391 INFO     RUN ['ipa-healthcheck', '--output-type', 'json', '--failures-only']
transport.py               513 DEBUG    RUN ['ipa-healthcheck', '--output-type', 'json', '--failures-only']
transport.py               558 DEBUG    []
transport.py               217 DEBUG    Exit code: 0

Full log is available as an attachment of this BZ. Marking as verified: tested.
Comment 30 Michal Polovka 2022-05-27 11:21:19 UTC 
Verified using the automation from test_replica_promotion.py::TestHiddenReplicaPromotion::test_ipahealthcheck_hidden_replica with the package ipa-healthcheck-0.7-13.module+el8.7.0+15276+08c45309.noarch

Excerpt of the verification log:
transport.py               391 INFO     RUN ['ipa-healthcheck', '--output-type', 'json', '--failures-only']
transport.py               513 DEBUG    RUN ['ipa-healthcheck', '--output-type', 'json', '--failures-only']
transport.py               558 DEBUG    []
transport.py               217 DEBUG    Exit code: 0
transport.py               391 INFO     RUN ['ipa-healthcheck', '--output-type', 'json', '--failures-only']
transport.py               513 DEBUG    RUN ['ipa-healthcheck', '--output-type', 'json', '--failures-only']
transport.py               558 DEBUG    []
transport.py               217 DEBUG    Exit code: 0

Full log is an attachment of this BZ. Marking as verified.
Comment 34 errata-xmlrpc 2022-11-08 09:35:50 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (idm:client and idm:DL1 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7540
Note You need to log in before you can comment on or make changes to this bug.