Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1702426
Description of problem:
File permissions from the rpm do not match the runtime permissions on several files. This results in mode failures on rpm -Va. Most noticed on systems in which DISA STIG is being performed and file permissions should not be less than the rpm provides or it is considered a finding during an audit. Important for government users and contractors who will be performing DISA STIG.

Version-Release number of selected component (if applicable):
initscripts-9.49.46-1.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install and configure ipa server
2. rpm -V ipa-server-common

Actual results:
The following files have permissions that are more permissive than the rpm provides:
/var/lib/ipa/pki-ca/publish
/var/lib/kdcproxy
/var/named/dyndb-ldap/ipa

Expected results:
The file permissions provided via rpm should match the final runtime permissions (or they should be less restrictive on the rpm than the runtime permissions, which would not result in a finding).

Additional info:
The following output shows what it "should be" according to the rpm, as well as what it "actually is" after the package has been installed. This could be resolved by using the proper permissions in the spec file, so that rpm -Va will not flag on these files.

From rpm: ipa-server-common-4.6.4-10.el7_6.3.noarch
/var/lib/ipa/pki-ca/publish
SHOULD BE: 000
ACTUALLY IS: 775
--
From rpm: ipa-server-common-4.6.4-10.el7_6.3.noarch
/var/lib/kdcproxy
SHOULD BE: 000
ACTUALLY IS: 700
--
From rpm: ipa-server-common-4.6.4-10.el7_6.3.noarch
/var/named/dyndb-ldap/ipa
SHOULD BE: 000
ACTUALLY IS: 770
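As an added example (not code from the ticket, Bugzilla or FreeIPA), a small Python check that parses `rpm -V` output for mode ('M') mismatches and then reports only the audit-relevant direction the reporter describes: permission bits present at runtime that the rpm does not grant, while a runtime mode tighter than the rpm is not a finding. The sample verify output and mode values are constructed from the paths and modes quoted above; the regex for the verify-string layout and the use of full st_mode values as `rpm -q --dump` prints them are assumptions about rpm's output.

```python
import re
import stat

# Constructed `rpm -V ipa-server-common` output (not captured from a real host):
# a 9-column verify string, an optional attribute marker (c, d, g, l, r), the path.
# Column 2 is 'M' when the mode differs; "missing" lines carry no verify string.
SAMPLE_VERIFY = """\
.M.......    /var/lib/ipa/pki-ca/publish
.M.......    /var/lib/kdcproxy
.M.......    /var/named/dyndb-ldap/ipa
S.5....T.  c /etc/ipa/default.conf
"""
VERIFY_RE = re.compile(r"^([S.?M5DLUGTP]{9})\s+(?:([cdglr])\s+)?(\S.*)$")

def mode_mismatches(verify_output):
    """Paths whose rpm -V verify string flags a mode ('M') mismatch."""
    hits = []
    for line in verify_output.splitlines():
        m = VERIFY_RE.match(line)
        if m and m.group(1)[1] == "M":
            hits.append(m.group(3))
    return hits

def extra_bits(rpm_mode, runtime_mode):
    """Permission bits set at runtime but absent from the rpm's recorded mode.
    Inputs are full st_mode values as printed by `rpm -q --dump` and returned by
    os.stat() (0o040000 = directory with mode 000); only permission bits compare.
    Non-zero means the audit finding: runtime more permissive than the rpm."""
    return stat.S_IMODE(runtime_mode) & ~stat.S_IMODE(rpm_mode)

def audit(rpm_modes, runtime_modes):
    """Map path -> extra bits for every path looser at runtime than in the rpm."""
    findings = {}
    for path, want in rpm_modes.items():
        if path in runtime_modes:  # missing files are rpm -V's job, not a mode finding
            extra = extra_bits(want, runtime_modes[path])
            if extra:
                findings[path] = extra
    return findings

# Constructed values mirroring the ticket: rpm records 000, runtime is 775/700/770.
# /etc/ipa/default.conf is tighter at runtime than in the rpm, so it is not a finding.
RPM_MODES = {"/var/lib/ipa/pki-ca/publish": 0o040000, "/var/lib/kdcproxy": 0o040000,
             "/var/named/dyndb-ldap/ipa": 0o040000, "/etc/ipa/default.conf": 0o100644}
RUNTIME_MODES = {"/var/lib/ipa/pki-ca/publish": 0o040775, "/var/lib/kdcproxy": 0o040700,
                 "/var/named/dyndb-ldap/ipa": 0o040770, "/etc/ipa/default.conf": 0o100600}
if __name__ == "__main__":
    for path, extra in audit(RPM_MODES, RUNTIME_MODES).items():
        print(f"{path}: runtime adds {extra:03o} beyond the rpm mode")
```

On a live host the same functions take the output of `rpm -V <pkg>`, the modes from `rpm -q --dump <pkg>` and `os.stat(path).st_mode` in place of the constructed dictionaries.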
Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1702426

Metadata Update from @frenaud:
- Issue assigned to frenaud

Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/3144
master:
ipa-4-7:
ipa-4-6:
Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)