As of 0.9 freeipa-healthcheck warns about owner/group and mode for log files (https://github.com/freeipa/freeipa-healthcheck/commit/9d6c6a8cb524fb4c10a55d04fa0f6cedecfecd27).
After RPM upgrade of freeipa-client the healthcheck complains about:
{
  "source": "ipahealthcheck.ipa.files",
  "check": "IPAFileCheck",
  "result": "WARNING",
  "uuid": "25522ca8-e3fd-4379-809a-8668aef1304f",
  "when": "20210625110511Z",
  "duration": "0.007291",
  "kw": {
    "key": "_var_log_ipaupgrade.log_mode",
    "path": "/var/log/ipaupgrade.log",
    "type": "mode",
    "expected": "0600",
    "got": "0644",
    "msg": "Permissions of /var/log/ipaupgrade.log are too permissive: 0644 and should be 0600"
  }
},
Actual permissions:
[root@0bda3f5520bb /]# ls -la /var/log/ipa*
-rw------- 1 root root   76993 Jun 25 11:02 /var/log/ipaclient-install.log
-rw-r--r-- 1 root root       0 Jun 25 10:58 /var/log/ipa-custodia.audit.log
-rw------- 1 root root 4067784 Jun 25 11:02 /var/log/ipaserver-install.log
-rw-r--r-- 1 root root       0 Jun 25 11:04 /var/log/ipaupgrade.log
Why not 0600:
[root@0bda3f5520bb /]# rpm -q --scripts freeipa-client | grep /var/log/ipaupgrade.log
/usr/bin/python3 -c 'from ipaclient.install.client import configure_krb5_snippet; configure_krb5_snippet()' >>/var/log/ipaupgrade.log 2>&1
/usr/bin/python3 -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >>/var/log/ipaupgrade.log 2>&1
It seems umask during RPM scriptlet running is 022.
I wonder what the best approach to fix this is. I have two ideas:
The first is a bit more code but has clear intentions. The second will also fix existing installs and is a one-liner.
The first approach affects child processes (python -c) and has potential negative side effects, though both configure_krb5_snippet and update_ipa_nssdb manage filesystem permissions atm. The second one is cleaner in my opinion.
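As an added illustration (not code from this ticket, from FreeIPA or from freeipa-healthcheck), the script below reproduces the effect described above: a log appended to via shell redirection inherits the scriptlet's umask 022 and ends up 0644, while a helper that creates or appends with an explicit mode lands at 0600 on both new and existing files. The helper names and the minimal IPAFileCheck-style mode check are assumptions made for the example.

```python
import os
import stat
import tempfile

# Mode that freeipa-healthcheck's IPAFileCheck expects for ipaupgrade.log
EXPECTED_LOG_MODE = 0o600


def append_like_scriptlet(path, text):
    """Mimic the RPM scriptlet's '>> path' redirection: the file is created
    as 0666 masked by the process umask, so umask 022 yields 0644."""
    with open(path, "a") as fh:
        fh.write(text)


def append_with_mode(path, text, mode=EXPECTED_LOG_MODE):
    """Hypothetical helper (not FreeIPA's fix): create-or-append while forcing
    the mode. os.open also honours the umask, so fchmod afterwards enforces the
    mode on both newly created and pre-existing files."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, mode)
    try:
        os.fchmod(fd, mode)
        os.write(fd, text.encode())
    finally:
        os.close(fd)


def check_mode(path, expected=EXPECTED_LOG_MODE):
    """Return a healthcheck-style result dict for the file's permission bits."""
    got = stat.S_IMODE(os.stat(path).st_mode)
    result = "SUCCESS" if got == expected else "WARNING"
    return {"path": path, "type": "mode", "expected": f"{expected:04o}",
            "got": f"{got:04o}", "result": result}


def demo(umask=0o022):
    """Create two constructed log files under the given umask and check both.
    Returns (result_for_scriptlet_style_file, result_for_forced_mode_file)."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            scriptlet_log = os.path.join(d, "ipaupgrade-scriptlet.log")
            fixed_log = os.path.join(d, "ipaupgrade-fixed.log")
            append_like_scriptlet(scriptlet_log, "upgrade step\n")
            append_with_mode(fixed_log, "upgrade step\n")
            return check_mode(scriptlet_log), check_mode(fixed_log)
    finally:
        os.umask(old)


if __name__ == "__main__":
    for r in demo():
        print(r)
```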
Metadata Update from @rcritten: - Issue assigned to rcritten
https://github.com/freeipa/freeipa/pull/6189
master:
ipa-4-9:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2061957
Issue linked to bug 2061957