Bug 2188743 - Tangd-keygen does not handle different umask
Summary: Tangd-keygen does not handle different umask
Keywords:
Status: VERIFIED
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: tang
Version: 8.0
Hardware: All
OS: All
Target Milestone: rc
Assignee: Sergio Arroutbi
QA Contact: Patrik Koncity
Docs Contact: Mirek Jahoda
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-04-21 23:37 UTC by Direct Docs Feedback
Modified: 2023-07-24 06:30 UTC

Fixed In Version: tang-7-8.el8
Doc Type: Known Issue
Doc Text:
.`tangd-keygen` does not handle non-default `umask` correctly

The `tangd-keygen` script does not change file permissions for the key files it generates. Consequently, on systems with a default user file-creation mode mask (`umask`) that prevents other users from reading the keys, the `tang-show-keys` command returns the error message `Internal Error 500` instead of displaying the keys. To work around the problem, use the `chmod o+r *.jwk` command to change permissions on the files in the `/var/db/tang` directory.
Clone Of:
Environment:
Last Closed:
Type: ---
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-155439 0 None None None 2023-04-21 23:39:36 UTC
Red Hat Issue Tracker SECENGSP-5175 0 None None None 2023-04-28 10:54:08 UTC

Description Direct Docs Feedback 2023-04-21 23:37:31 UTC
Depending on root's umask, the key files might be generated with perm 600.

Need to set perm bits or ownership so that the keys are readable by the 'tang' user; otherwise, tang-show-keys returns Internal Error 500.

Reported by: carolw-nac

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption_security-hardening#annotations:88f1f22b-5b64-437b-9ea4-eaef9a23d210
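
A small audit-and-repair script for the condition described in the Doc Text and the report above, added here as an example (it is not part of the bug report or of the tang project). It assumes the key store layout the report describes (`/var/db/tang`, `*.jwk` files) and reproduces the failure in a scratch directory with a restrictive `umask`:

```sh
#!/bin/sh
# Added example, not tang project code: audit and repair Tang key file
# permissions so the non-root 'tang' service user can read them.
# Assumes the layout from the report: key store DIR holding *.jwk files.

# List every *.jwk in DIR (default /var/db/tang) that is not world-readable.
# Returns 0 if all keys are readable, 1 if at least one is not (the state
# in which tang-show-keys answers "Internal Error 500").
check_tang_key_perms() {
    dir=${1:-/var/db/tang}
    unreadable=$(find "$dir" -maxdepth 1 -type f -name '*.jwk' ! -perm -o=r)
    if [ -n "$unreadable" ]; then
        printf 'not world-readable:\n%s\n' "$unreadable"
        return 1
    fi
    return 0
}

# Apply the workaround from the report: chmod o+r on the affected key files only.
fix_tang_key_perms() {
    dir=${1:-/var/db/tang}
    find "$dir" -maxdepth 1 -type f -name '*.jwk' ! -perm -o=r -exec chmod o+r {} +
}

# Reproduce the failure in a constructed scratch directory (not a real key
# store): under umask 077 the "key" files are created 0600, as the report
# says, so the check fails until the workaround is applied.
demo_umask_issue() {
    scratch=$(mktemp -d)
    ( umask 077; : > "$scratch/sig.jwk"; : > "$scratch/exc.jwk" )
    check_tang_key_perms "$scratch" >/dev/null && { rm -rf "$scratch"; return 2; }
    fix_tang_key_perms "$scratch"
    check_tang_key_perms "$scratch" >/dev/null; rc=$?
    rm -rf "$scratch"
    return $rc
}
```

Note that `chmod o+r` leaves the server's private keys readable by every local user; the ownership-based fix the description also mentions (make the files owned by the service account and keep the restrictive mode) is the tighter option.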

