
Bug 892394

Summary: gofer/pulp-cds Synchronized content is owned root:root resulting in Permission Denied with umask
Product: Red Hat Update Infrastructure for Cloud Providers
Component: CDS
Version: 2.1
Reporter: Nigel Jones <nigjones>
Assignee: James Slagle <jslagle>
QA Contact: mkovacik
CC: hartsjc, jmoran, juwu, mmariani, vkuznets, whayutin
Status: CLOSED ERRATA
Severity: unspecified
Priority: high
Target Milestone: ---
Target Release: 2.1.1
Hardware: Unspecified
OS: Unspecified
Type: Bug
Regression: ---
Story Points: ---
Documentation: ---
Doc Type: Bug Fix
Doc Text:
On systems with a non-default umask, goferd may create files that are inaccessible to other components of RHUI. This fix updates goferd and sets its umask to 022 so CDS content is accessible via pulp-cds.
Clones: 928801
Bug Blocks: 928801
Last Closed: 2013-02-27 17:03:18 UTC

Description Nigel Jones 2013-01-07 01:20:24 UTC
Description of problem:
goferd runs as uid/gid 0 on RHUI CDS nodes.  If a umask of 027 (or any umask that prevents world-read) is present in /etc/sysconfig/init or similar, then files will not be accessible to the pulp-cds wsgi instance running as 'apache'.

Version-Release number of selected component (if applicable):
RHUI 2.1 (from latest cdn.redhat.com download)

How reproducible:
100%

Steps to Reproduce:
1. Install RHEL 6 onto a server as a CDS
2. Edit /etc/sysconfig/init, and insert "umask 027" (NIST SCAP/hardening recommendations - CCE-4220-0) to the end of the file
3. ./install_CDS.sh from the RHUI ISO
4. Install the RHUI CDS RPM from rhui-installer
5. Force a sync from rhui-manager of the CDS cluster
6. Observe permissions in /etc/pki/pulp/content
  
Actual results:

pulp-protected-repos and associated files/directories are created with user:group set to root:root, and due to the umask, inaccessible by the apache (pulp WSGI app) user.


Expected results:

Files to be created 640, directories 750, but owned apache:apache or similar.

Additional info:

While a umask may not be strictly supported with RHUI, I think this is worthy of a bug, based on:

 - gofer/cdsplugin appears to have no concept of dropping privileges from root:root (it seems to me that for a remote messaging trigger, it would be imperative that there be a local "pluginX must run as userX, groupX and not root:root" database).
 - It appears that gofer is used in other RH products (including System Engine) so they may have a dependency on such expectations.
 - Based on how the RHUA is populated and the pulp .spec file, it seems that these files should really be apache:apache.

At the moment, we have recommended to our customer:

"""
My recommendation at this point is not to change the file ownership to apache:apache, as this may conflict with future changes; as a workaround, my preferred recommendation is to either manually set a more traditional umask for the goferd init script, or manually update the permissions to allow world-read on the synced files.
"""

Comment 1 James Slagle 2013-01-25 21:48:58 UTC
gofer runs as root and thus all plugins do too.  That's just a limitation of it currently.  And, I prefer not to be chown'ing everything to apache:apache every time the cds sync runs.

I agree with your recommendation that setting umask 022 in the gofer init script is the best course of action here.  It preserves the intent that these files are root owned, yet world readable.
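
The effect described in the report and the 022 fix proposed above can be reproduced in a scratch directory with the following added shell example (not code from the bug, gofer or pulp); it creates a directory and file under a chosen umask the way a root daemon would, and lists every entry a user that is neither owner nor group member (apache, in the CDS case) would be locked out of. The scratch path and the `pulp-protected-repos` file name are only constructed sample values.

```sh
#!/bin/sh
# Added example: show what a root-owned daemon leaves behind under umask 027
# versus 022, and find entries a third-party user cannot read.

# Create directory $1 with one file inside it, applying umask $2 only to those
# two operations (the subshell keeps the caller's umask untouched). Prints the
# symbolic mode of the file, e.g. "-rw-r-----" (027) or "-rw-r--r--" (022).
create_under_umask() {
    dir=$1
    mask=$2
    (
        umask "$mask"
        mkdir "$dir"
        : > "$dir/pulp-protected-repos"   # constructed sample file name
    )
    # Columns 1-10 of ls -l are the mode; column 11 may be '.' on SELinux hosts.
    ls -l "$dir/pulp-protected-repos" | cut -c1-10
}

# Print every file under $1 that lacks world-read and every directory that
# lacks world read+search: exactly the entries a wsgi process running as a
# user other than the owner or group (apache) would get Permission Denied on.
find_unreadable() {
    find "$1" \( -type f ! -perm -o=r \) -o \( -type d ! -perm -o=rx \)
}

# Usage (scratch directory so nothing under /etc/pki/pulp/content is touched):
#   t=$(mktemp -d)
#   create_under_umask "$t/cds" 027; find_unreadable "$t/cds"   # lists both
#   create_under_umask "$t/ok"  022; find_unreadable "$t/ok"    # lists nothing
```

The same `find_unreadable` check, pointed at the real content directory after a sync, is a quick way to confirm the goferd init script umask change took effect.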

Comment 2 James Slagle 2013-01-25 21:52:01 UTC
commit dda2705049fde735e44615367e4d3063fc784eea

Comment 4 Vitaly Kuznetsov 2013-02-04 13:24:53 UTC
[root@cds1 ~]# rpm -qf /etc/init.d/goferd 
gofer-0.65.rhui-1.el6_3.noarch
[root@cds1 ~]# grep umask /etc/sysconfig/init 
umask 027
[root@cds1 ~]# ls -la /etc/pki/pulp/content/
total 24
drwxrwxr-x. 4 apache apache 4096 Feb  4 04:21 .
drwxrwxr-x. 4 apache apache 4096 Feb  4 04:14 ..
drwxr-xr-x. 2 root   root   4096 Feb  4 04:21 cp_1
-rw-r--r--. 1 root   root    108 Feb  4 08:03 pulp-protected-repos
-rw-r--r--. 1 root   root   1241 Feb  4 08:03 pulp-server-ca.crt
drwxr-xr-x. 2 root   root   4096 Feb  4 04:19 rhel-x86_64-6-rhui-2-rpms-6Server-x86_64

Comment 5 James Slagle 2013-02-14 14:43:40 UTC
Why does this bug need to be private?

Comment 8 errata-xmlrpc 2013-02-27 17:03:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0571.html