Bug
Resolution: Unresolved
Major
rhel-10.2
Critical
rhel-image-mode
When building an updated bootc image, file ownership gets broken for sssd, not respecting the sssd group. File timestamps are also wrong.
I expect that customers will be using the same workflow to build images with updated packages, including security errata, so this is a major breakage that needs to be addressed.
rpm-ostree:
Version: '2025.12'
Git: 96c25f9653b3c60bb5177d8c9a4467fb7c94e8d5
Reproducer:
1. (Re)build the image, updating the sssd package in the process, e.g. using podman build and a Containerfile similar to:
# Run a sssd-client
FROM images.paas.redhat.com/bootc/rhel-bootc:latest-10.2
RUN cat <<REPOEOF >> /etc/yum.repos.d/updates.repo
[updates]
name=updates
baseurl=<updates repo url>
enabled=1
gpgcheck=0
repo_gpgcheck=0
REPOEOF
RUN dnf -y install cloud-init && \
systemctl enable cloud-init
RUN echo "LABEL=root / ext4 defaults 0 1" >> /etc/fstab
RUN dnf -y install qemu-guest-agent && \
systemctl enable qemu-guest-agent
RUN dnf -y install sssd && \
systemctl enable sssd
RUN dnf -y install policycoreutils-python-utils sssd-kcm sssd-tools sssd-dbus \
libsss_autofs rsync firewalld autofs krb5-workstation openldap-clients ipa-client \
oddjob oddjob-mkhomedir realmd sssd-idp sssd-passkey nss-tools certmonger \
kernel-modules-extra
RUN dnf update -y
2. Deploy the image on a machine.
Expected result:
Binaries under /usr/libexec/sssd/ that do not have o+x are owned by root:sssd:
# ls -la /usr/libexec/sssd/
celkem 1868
drwxr-xr-x. 1 root root 294 5. lis 20.39 .
drwxr-xr-x. 1 root root 10012 26. pro 18.46 ..
-rwxr-x---. 1 root sssd 139880 20. říj 02.00 krb5_child
-rwxr-x---. 1 root sssd 48952 20. říj 02.00 ldap_child
-rwxr-x---. 1 root sssd 28200 20. říj 02.00 proxy_child
-rwxr-xr-x. 1 root root 73328 20. říj 02.00 p11_child
-rwxr-xr-x. 1 root root 182712 20. říj 02.00 sssd_autofs
-rwxr-xr-x. 1 root root 253584 20. říj 02.00 sssd_be
-rwxr-xr-x. 1 root root 15848 20. říj 02.00 sssd_check_socket_activated_responders
-rwxr-xr-x. 1 root root 215696 20. říj 02.00 sssd_kcm
-rwxr-xr-x. 1 root root 258208 20. říj 02.00 sssd_nss
-rwxr-x---. 1 root sssd 285984 20. říj 02.00 sssd_pam
-rwxr-xr-x. 1 root root 190888 20. říj 02.00 sssd_ssh
-rwxr-xr-x. 1 root root 190944 20. říj 02.00 sssd_sudo
-rwxr-xr-x. 1 root root 11720 20. říj 02.00 sss_signal
Actual result:
Ownership is broken, not respecting the group ownership by sssd, and as a result the service is dead.
# ls -la /usr/libexec/sssd/
total 2624
drwxr-xr-x. 2 root root 4096 Jan 1 1970 .
drwxr-xr-x. 37 root root 4096 Jan 1 1970 ..
-rwxr-xr-x. 3 root root 40688 Jan 1 1970 gpo_child
-rwxr-x---. 3 root root 144176 Jan 1 1970 krb5_child
-rwxr-x---. 3 root root 53192 Jan 1 1970 ldap_child
-rwxr-xr-x. 3 root root 61440 Jan 1 1970 oidc_child
-rwxr-xr-x. 3 root root 73472 Jan 1 1970 p11_child
-rwxr-xr-x. 3 root root 57176 Jan 1 1970 passkey_child
-rwxr-x---. 3 root root 32440 Jan 1 1970 proxy_child
-rwxr-x---. 3 root root 32504 Jan 1 1970 selinux_child
-rwxr-xr-x. 4 root root 73 Jan 1 1970 sss_analyze
-rwxr-xr-x. 3 root root 15888 Jan 1 1970 sss_signal
-rwxr-xr-x. 3 root root 190960 Jan 1 1970 sssd_autofs
-rwxr-xr-x. 3 root root 265968 Jan 1 1970 sssd_be
-rwxr-xr-x. 3 root root 15920 Jan 1 1970 sssd_check_socket_activated_responders
-rwxr-xr-x. 3 root root 285728 Jan 1 1970 sssd_ifp
-rwxr-xr-x. 3 root root 215712 Jan 1 1970 sssd_kcm
-rwxr-xr-x. 3 root root 270864 Jan 1 1970 sssd_nss
-rwxr-xr-x. 3 root root 194928 Jan 1 1970 sssd_pac
-rwxr-x---. 3 root root 310720 Jan 1 1970 sssd_pam
-rwxr-xr-x. 3 root root 195056 Jan 1 1970 sssd_ssh
-rwxr-xr-x. 3 root root 199192 Jan 1 1970 sssd_sudo
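An added check script, not part of this report or of rpm-ostree, that parses `ls -l` output and flags the two symptoms above: binaries that deny o+x but are not group-owned by sssd, and mtimes collapsed to the Unix epoch. The embedded listings are constructed by trimming the expected and actual output above.

```python
import re
from typing import List, NamedTuple

# One line of `ls -l` output; the optional '.'/'+' after the mode is the SELinux/ACL marker.
LS_LINE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})[.+]?\s+\d+\s+(?P<user>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+(?P<date>.+?)\s+(?P<name>\S+)$"
)


class Entry(NamedTuple):
    mode: str
    user: str
    group: str
    date: str
    name: str


def parse_listing(text: str) -> List[Entry]:
    """Parse `ls -l` style lines; header lines ('total ...', '# ls ...') are skipped."""
    return [Entry(**m.groupdict()) for m in map(LS_LINE.match, text.splitlines()) if m]


def find_group_violations(entries: List[Entry], group: str = "sssd") -> List[str]:
    """Regular files that deny o+x must be group-owned by `group` (root:sssd in the report)."""
    return [e.name for e in entries
            if e.mode[0] == "-" and e.mode[9] != "x" and e.group != group]


def find_epoch_timestamps(entries: List[Entry]) -> List[str]:
    """Entries whose mtime collapsed to the Unix epoch, the second symptom in the report."""
    return [e.name for e in entries if e.date.endswith("1970")]


# Constructed sample listings, trimmed from the expected/actual output above.
EXPECTED = """\
-rwxr-x---. 1 root sssd 139880 20. říj 02.00 krb5_child
-rwxr-xr-x. 1 root root 73328 20. říj 02.00 p11_child
-rwxr-x---. 1 root sssd 285984 20. říj 02.00 sssd_pam
"""
ACTUAL = """\
drwxr-xr-x. 2 root root 4096 Jan 1 1970 .
-rwxr-x---. 3 root root 144176 Jan 1 1970 krb5_child
-rwxr-xr-x. 3 root root 73472 Jan 1 1970 p11_child
-rwxr-x---. 3 root root 310720 Jan 1 1970 sssd_pam
"""

if __name__ == "__main__":
    for label, listing in (("expected", EXPECTED), ("actual", ACTUAL)):
        entries = parse_listing(listing)
        print(label, "group violations:", find_group_violations(entries))
        print(label, "epoch timestamps:", find_epoch_timestamps(entries))
```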