#8899 healthcheck 0.9 warns about permissions of /var/log/ipaupgrade.log
Closed: fixed 2 years ago by frenaud. Opened 2 years ago by slev.

As of 0.9 freeipa-healthcheck warns about owner/group and mode for log files (https://github.com/freeipa/freeipa-healthcheck/commit/9d6c6a8cb524fb4c10a55d04fa0f6cedecfecd27).

After RPM upgrade of freeipa-client the healthcheck complains about:

  {
    "source": "ipahealthcheck.ipa.files",
    "check": "IPAFileCheck",
    "result": "WARNING",
    "uuid": "25522ca8-e3fd-4379-809a-8668aef1304f",
    "when": "20210625110511Z",
    "duration": "0.007291",
    "kw": {
      "key": "_var_log_ipaupgrade.log_mode",
      "path": "/var/log/ipaupgrade.log",
      "type": "mode",
      "expected": "0600",
      "got": "0644",
      "msg": "Permissions of /var/log/ipaupgrade.log are too permissive: 0644 and should be 0600"
    }
  },

Actual permissions:

[root@0bda3f5520bb /]# ls -la /var/log/ipa*
-rw------- 1 root root   76993 Jun 25 11:02 /var/log/ipaclient-install.log
-rw-r--r-- 1 root root       0 Jun 25 10:58 /var/log/ipa-custodia.audit.log
-rw------- 1 root root 4067784 Jun 25 11:02 /var/log/ipaserver-install.log
-rw-r--r-- 1 root root       0 Jun 25 11:04 /var/log/ipaupgrade.log

Why not 0600:

[root@0bda3f5520bb /]# rpm -q --scripts freeipa-client | grep /var/log/ipaupgrade.log
        /usr/bin/python3 -c 'from ipaclient.install.client import configure_krb5_snippet; configure_krb5_snippet()' >>/var/log/ipaupgrade.log 2>&1
        /usr/bin/python3 -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >>/var/log/ipaupgrade.log 2>&1

It seems umask during RPM scriptlet running is 022.


I wonder what the best approach to fix this is. I have two ideas:

  1. Wrap these two calls with: old=$(umask) ... umask $old
  2. A chmod 0660 /var/log/ipaupgrade.log after both are done

The first is a bit more code but has clear intentions.
The second will also fix existing installs and is a one-liner.

The first approach affects child processes (python -c) and has potential negative side effects, though both configure_krb5_snippet and update_ipa_nssdb manage filesystem permissions atm. The second one is cleaner in my opinion.
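
Added example, not part of the ticket or of the FreeIPA spec file: a shell sketch comparing the two approaches discussed above on a log created through `>>` under umask 022, using the 0600 mode the healthcheck output expects. The function names, `fake_step` (a stand-in for the two `python3 -c` calls) and the temporary directory are assumptions made for the demonstration.

```shell
#!/bin/sh
# Constructed demo: works in a temporary directory, not the real /var/log.

mode_of() {
    # Octal permission bits; GNU stat first, BSD stat as fallback.
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Hypothetical stand-in for the python3 calls whose output is appended.
fake_step() { echo "upgrade step output"; }

# As shipped: the redirection creates the log under the scriptlet umask.
as_shipped() {
    ( umask 022; fake_step >>"$1" 2>&1 )
    mode_of "$1"
}

# Idea 1: tighten the umask around the calls, then restore it.
with_umask() {
    (
        umask 022            # scriptlet default observed in the ticket
        old=$(umask)
        umask 077
        fake_step >>"$1" 2>&1
        umask "$old"
    )
    mode_of "$1"
}

# Idea 2: set the mode explicitly once the calls have run.
with_chmod() {
    ( umask 022; fake_step >>"$1" 2>&1 )
    chmod 0600 "$1"
    mode_of "$1"
}

demo_dir=$(mktemp -d)
echo "as shipped:           $(as_shipped "$demo_dir/a.log")"
echo "umask, new file:      $(with_umask "$demo_dir/b.log")"
echo "umask, existing 0644: $(with_umask "$demo_dir/a.log")"
echo "chmod, existing 0644: $(with_chmod "$demo_dir/a.log")"
rm -rf "$demo_dir"
```

The third line of output is the case that matters for already-installed systems: a umask only applies when the file is created, so a log that already exists with 0644 keeps that mode until something changes it explicitly.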

Metadata Update from @rcritten:
- Issue assigned to rcritten

2 years ago

master:

  • 56708d6 Set the mode on ipaupgrade.log during RPM %post snipppet

ipa-4-9:

  • d8174b0 Set the mode on ipaupgrade.log during RPM %post snipppet

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2061957

2 years ago
