
Fix secrets file access mode - for real! #1064

Merged
merged 2 commits into from
Jan 4, 2024

Conversation

felixsch
Contributor

@felixsch felixsch commented Jan 4, 2024

Description

The problem is that the file permissions were originally wrong and break RMT completely because it cannot read the secrets. This fixes the permissions for both files without relying on handling this in the spec file, where it should not be handled anyway.


original:

-rwxr-xr-x 1 root root  1277 Dec 12 05:42 /usr/share/rmt/config/secrets.yml
-rw-r--r-- 1 root nginx  280 Jan  2 13:52 /usr/share/rmt/config/secrets.yml.enc
-rw------- 1 root nginx   32 Jan  2 13:52 /usr/share/rmt/config/secrets.yml.key

but due to hardening we need:

-rwxr-xr-x 1 root root  1277 Dec 12 05:42 /usr/share/rmt/config/secrets.yml
-rw-r----- 1 root nginx  280 Jan  2 13:52 /usr/share/rmt/config/secrets.yml.enc
-rw-r----- 1 root nginx   32 Jan  2 13:52 /usr/share/rmt/config/secrets.yml.key

see: https://bugzilla.suse.com/show_bug.cgi?id=1215176

Fixes file permission for config/secrets.yml.key and config/secrets.yml.enc to 0640 during fresh install.

part of: https://trello.com/c/hL2IyVT1/3061-fix-rmt-server-install-creates-secretsymlkey-with-root-owner
fixed version of: #1062

How to test this pull request:

$ docker run --rm -it registry.suse.com/suse/sle15:15.4
> zypper ar https://download.opensuse.org/repositories/systemsmanagement:/SCC:/RMT/SLE_15_SP4/systemsmanagement:SCC:RMT.repo
> zypper refresh
> zypper in rmt-server
> ls -la /usr/share/rmt/config
# expect: File permissions for .enc and .key are 0640

Thank you for reviewing this pull request 🚀
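As an added example (not code from the RMT project or from this PR), a small POSIX shell audit for the hardened state described above: it reports whether each of the two secret files has mode 0640 and corrects the mode in place when it differs, so the same check works on a fresh install and on an installation that already carries the wrong modes. It assumes GNU coreutils `stat -c` (Linux); the demo at the end works on a constructed temporary copy and never touches /usr/share/rmt.

```shell
#!/bin/sh
# Added example (not RMT project code): verify, and optionally repair, the
# access mode of the two secret files listed in the PR description. Assumes GNU
# coreutils `stat -c` (Linux); ownership (root:nginx) is left to the package.
set -u

# Print a file's mode as octal digits, e.g. 640.
file_mode() {
    stat -c '%a' "$1"
}

# Return 0 when $1 has exactly the expected octal mode $2, 1 otherwise.
check_mode() {
    [ "$(file_mode "$1")" = "$2" ]
}

# Bring $1 to mode $2. Returns 0 if already correct, 2 if it was changed,
# 1 if the file does not exist, 3 if chmod failed. Running this on an
# existing installation covers files that were created with the old modes.
enforce_mode() {
    [ -f "$1" ] || return 1
    check_mode "$1" "$2" && return 0
    chmod "$2" "$1" || return 3
    return 2
}

# Audit the secret files under config directory $1 against mode 0640 and
# print one line per file. Returns 1 if any file is missing or could not
# be fixed, 0 otherwise (a repaired file counts as success).
audit_secrets_dir() {
    dir=$1 rc=0
    for f in secrets.yml.enc secrets.yml.key; do
        before=$(file_mode "$dir/$f" 2>/dev/null || echo '-')
        status=0; enforce_mode "$dir/$f" 640 || status=$?
        case $status in
            0) echo "ok      $dir/$f mode $before" ;;
            2) echo "fixed   $dir/$f mode $before -> 640" ;;
            *) echo "error   $dir/$f (missing or chmod failed)"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Demo on a constructed copy of the "original" state shown in the PR.
demo_dir=$(mktemp -d)
: > "$demo_dir/secrets.yml.enc"; chmod 644 "$demo_dir/secrets.yml.enc"
: > "$demo_dir/secrets.yml.key"; chmod 600 "$demo_dir/secrets.yml.key"
audit_secrets_dir "$demo_dir"
rm -rf "$demo_dir"
```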

@suse-tests-pass
Collaborator

Well Done! Your tests are still passing.
https://ci.suse.de/job/scc-RMT-integration-tests/351568/console
If the given link has expired, you can force a Prophet rerun by just deleting this comment. (Merged 6b0381b into 40dd490)

Member

@digitaltom digitaltom left a comment


Afaiks this will only fix fresh installations. Systems that already have the secret files with wrong permissions will not get fixed by this patch.

@felixsch
Contributor Author

felixsch commented Jan 4, 2024

> Afaiks this will only fix fresh installations. Systems that already have the secret files with wrong permissions will not get fixed by this patch.

This is done by the update script which has been fixed as well.

See:

@felixsch felixsch merged commit 9f151f0 into master Jan 4, 2024
3 checks passed
@felixsch felixsch deleted the fix_secrets_file_access_mode-again branch January 4, 2024 14:13