  1. RHEL
  2. RHEL-16343

'corosync-qnetd-certutil -i' creates nssdb with wrong permissions if /etc/corosync/qnetd doesn't exist


    • Icon: Bug Bug
    • Resolution: Unresolved
    • rhel-8.8.0, rhel-9.2.0
    • corosync-qdevice
    • rhel-ha

      What were you trying to do that didn't work?

      Upon installing, the corosync-qnetd package creates the /etc/corosync/qnetd directory for the qnetd certificates database with permissions set to 0770 coroqnetd:coroqnetd. If this directory is removed and then 'corosync-qnetd-certutil -i' is run, the directory is created with wrong permissions. This prevents qnetd from starting.

      Please provide the package NVR for which bug is seen:

      • corosync-qnetd-3.0.2-2.el9_2
      • corosync-qnetd-3.0.2-2.el8

      How reproducible:

      always, easily

      Steps to reproduce

      1. # dnf install corosync-qnetd
      2. # ls -la /etc/corosync/qnetd/
        total 8
        drwxrwx---. 2 coroqnetd coroqnetd 4096 Mar 23  2023 .
        drwxr-xr-x. 5 root      root      4096 Nov 13 13:14 ..
      3. # rmdir /etc/corosync/qnetd/
      4. # corosync-qnetd-certutil -i
        Creating /etc/corosync/qnetd/nssdb
        Creating new key and cert db
        password file contains no data
        Creating new noise file /etc/corosync/qnetd/nssdb/noise.txt
        Creating new CA
        
        Generating key.  This may take a few moments...
        Is this a CA certificate [y/N]?
        Enter the path length constraint, enter to skip [<0 for unlimited path]: > Is this a critical extension [y/N]?
        
        Generating key.  This may take a few moments...
        Notice: Trust flag u is set automatically if the private key is present.
        QNetd CA certificate is exported as /etc/corosync/qnetd/nssdb/qnetd-cacert.crt
      5. # ls -la /etc/corosync/qnetd/
        total 12
        drwxr-xr-x. 3 root root 4096 Nov 13 13:16 .
        drwxr-xr-x. 5 root root 4096 Nov 13 13:16 ..
        drwxrwx---. 2 root root 4096 Nov 13 13:16 nssdb
      6. # systemctl start corosync-qnetd.service
        Job for corosync-qnetd.service failed because the control process exited with error code.
        See "systemctl status corosync-qnetd.service" and "journalctl -xeu corosync-qnetd.service" for details.
      7. # journalctl -xeu corosync-qnetd.service
        Nov 13 13:17:08 rh92-node1 corosync-qnetd[2342]: Can't open NSS DB directory (13): Permission denied

      Expected results

      corosync-qnetd-certutil sets correct ownership of /etc/corosync/qnetd directory and qnetd is able to start

      Actual results

      corosync-qnetd-certutil sets incorrect ownership of /etc/corosync/qnetd directory and qnetd is not able to start

              rhn-engineering-jfriesse Jan Friesse
              tojeline@redhat.com Tomas Jelinek
              Jan Friesse Jan Friesse
              Cluster QE Cluster QE
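A check for the state this report describes, added here as an example and not part of the original report or of corosync-qdevice: it compares a directory's owner, group and mode with expected values and reports any drift. The function names `check_dir` and `audit_qnetd` are hypothetical, GNU `stat` is assumed, and the defaults are the values the report gives for a fresh install (0770 coroqnetd:coroqnetd on /etc/corosync/qnetd).

```shell
#!/bin/sh
# Added example: audit owner, group and mode of a configuration directory.
# check_dir and audit_qnetd are hypothetical helpers; GNU stat is assumed.

# check_dir PATH OWNER GROUP MODE
# Returns 0 when PATH is a real directory with exactly that owner, group
# and octal mode, 1 on a mismatch, 2 when PATH is missing, a symlink or
# not a directory.
check_dir() {
    path=$1 want_owner=$2 want_group=$3 want_mode=$4

    # stat below inspects the entry itself, so a symlink is rejected here
    # instead of being silently followed.
    if [ ! -d "$path" ] || [ -L "$path" ]; then
        echo "MISSING $path: not a directory" >&2
        return 2
    fi

    # %U = owner name, %G = group name, %a = octal permission bits
    actual=$(stat -c '%U:%G %a' -- "$path") || return 2
    expected="$want_owner:$want_group $want_mode"

    if [ "$actual" != "$expected" ]; then
        echo "MISMATCH $path: have '$actual', want '$expected'" >&2
        return 1
    fi
    echo "OK $path: $actual"
    return 0
}

# audit_qnetd [BASE] [OWNER] [GROUP]
# Defaults are taken from the report: the package installs
# /etc/corosync/qnetd as 0770 coroqnetd:coroqnetd.
audit_qnetd() {
    base=${1:-/etc/corosync/qnetd}
    owner=${2:-coroqnetd}
    group=${3:-coroqnetd}
    check_dir "$base" "$owner" "$group" 770
}

# Usage on a qnetd host, e.g. after running corosync-qnetd-certutil -i:
#   audit_qnetd || echo "qnetd directory ownership or mode has drifted"
```

In the state shown in step 5 of the report (root:root, mode 755), `audit_qnetd` prints a MISMATCH line and returns 1.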