Dominic Cleal reports Description of problem: katello-configure generates a bootstrap RPM for installation on clients to be connected to the Katello server. This contains a CA certificate for Candlepin which has a mode set of 0666, permitting other users on a client system to modify the CA used to trust the remote Katello server. The RPM is named after the FQDN of the Katello server, e.g. candlepin-cert-consumer-$FQDN # ll /etc/rhsm/ca/candlepin-local.pem -rw-rw-rw-. 1 root root 5385 Nov 12 16:21 /etc/rhsm/ca/candlepin-local.pem # rpm -qalv candlepin-cert-consumer-\* -rw-rw-rw- 1 root root 5385 Nov 12 16:21 /etc/rhsm/ca/candlepin-local.pem Version-Release number of selected component (if applicable): Tested on 1.1 release, verified code present in git master. How reproducible: Always. Steps to Reproduce: 1. install Katello (https://fedorahosted.org/katello/wiki/Install) 2. run: katello-configure 3. run: rpm -qplv /var/www/html/pub/candlepin-cert-consumer-*noarch.rpm Actual results: -rw-rw-rw- 1 root root 5385 Nov 12 16:21 /etc/rhsm/ca/candlepin-local.pem Expected results: -rw-r--r-- 1 root root 5385 Nov 12 16:21 /etc/rhsm/ca/candlepin-local.pem Additional info: katello-configure generates the RPM from within the certs::config puppet class: exec { "generate-candlepin-consumer-certificate": cwd => "${katello_www_pub_dir}", command => "gen-rpm.sh --name '${candlepin_consumer_name}' --version 1.0 --release 1 --packager None --vendor None --group 'Applications/System' --summary '${candlepin_consumer_summary}' --description '${candlepin_consumer_description}' --requires subscription-manager --post ${ssl_build_path}/rhsm-katello-reconfigure /etc/rhsm/ca/candlepin-local.pem:666=${ssl_build_path}/$candlepin_cert_name.crt 2>>${katello::params::configure_log_base}/certificates.log && /sbin/restorecon ./*rpm", path => "/usr/share/katello/certs:/usr/bin:/bin", creates => "${katello_www_pub_dir}/${candlepin_consumer_name}-1.0-1.noarch.rpm", require => [Exec["generate-candlepin-certificate"], File["${ssl_build_path}/rhsm-katello-reconfigure"], File["${katello::params::configure_log_base}"]] } In the middle of this command it passes in the permissions "666" to the gen-rpm.sh script, which get put into the RPM spec as the %attr for the CA cert file. The gen-rpm.sh script is also used by katello-ssl-tool, but a quick test shows that this doesn't explicitly set the mode when it generates a CA RPM, so the RPM is generated with the file having default 644 permissions.
*** Bug 876580 has been marked as a duplicate of this bug. ***
Acknowledgements: This issue was discovered by Dominic Cleal and James Laska of Red Hat.
This issue has been addressed in following products: CloudForms for RHEL 6 Via RHSA-2013:0547 https://rhn.redhat.com/errata/RHSA-2013-0547.html
commit 65f1e42b7bda0f3410931c50598540d944d8bf0d Author: Marek Hulan <ares> Date: Tue Jan 22 12:48:10 2013 +0100 877387 - Candlepin CA certificate mode in RPM File mode is set to 0644 when RPM is generated.
Created attachment 701212 [details] Fix for the permissions issue (in installer)
Verified in SAM compose: SAM 1.1 version: * candlepin-0.6.5-1.el6_2.noarch * candlepin-tomcat6-0.6.5-1.el6_2.noarch * elasticsearch-0.18.4-11.el6.noarch * katello-candlepin-cert-key-pair-1.0-1.noarch * katello-certs-tools-1.1.5-1.el6_2.noarch * katello-cli-common-0.3.5-2.el6_2.noarch * katello-cli-headpin-0.2.2-1.el6_2.noarch * katello-common-0.3.3-1.el6_2.noarch * katello-configure-0.3.7-1.el6_2.noarch * katello-glue-candlepin-0.3.3-1.el6_2.noarch * katello-headpin-0.2.13-1.el6_2.noarch * katello-headpin-all-0.2.13-1.el6_2.noarch * katello-selinux-0.2.4-1.el6_2.noarch * thumbslug-0.0.24-1.el6_2.noarch SAM 1.2.1 Version: * candlepin-0.7.24-1.el6_3.noarch * candlepin-cert-consumer-gizmo.idm.lab.bos.redhat.com-1.0-1.noarch * candlepin-selinux-0.7.24-1.el6_3.noarch * candlepin-tomcat6-0.7.24-1.el6_3.noarch * elasticsearch-0.19.9-5.el6_3.noarch * katello-candlepin-cert-key-pair-1.0-1.noarch * katello-certs-tools-1.2.1-1h.el6_3.noarch * katello-cli-1.2.1-12h.el6_3.noarch * katello-cli-common-1.2.1-12h.el6_3.noarch * katello-common-1.2.1.1-1h.el6_4.noarch * katello-configure-1.2.3.1-4h.el6_4.noarch * katello-glue-candlepin-1.2.1.1-1h.el6_4.noarch * katello-headpin-1.2.1.1-1h.el6_4.noarch * katello-headpin-all-1.2.1.1-1h.el6_4.noarch * katello-selinux-1.2.1-2h.el6_3.noarch * thumbslug-0.0.28.1-1.el6_4.noarch * thumbslug-selinux-0.0.28.1-1.el6_4.noarch
This issue has been addressed in following products: Red Hat Subscription Asset Manager 1.2 Via RHSA-2013:0686 https://rhn.redhat.com/errata/RHSA-2013-0686.html
The Red Hat Security Response Team has rated this issue as having moderate security impact in CloudForms 1.1. This issue is not currently planned to be addressed in future updates.