RHEL-67901

Warn in ipa-healthcheck if umask is not 022

    • ipa-healthcheck-0.16-7.el9
    • No
    • Low
    • 3
    • rhel-idm-ipa
    • ssg_idm
    • 2
    • False
    • False
    • No
    • 2025-Q1-Bravo-S6, 2025-Q2-Bravo-S2, 2025-Q2-Alpha-S6
    • Unspecified Release Note Type - Unknown
    • None

      1. umask is set to 027 in /etc/login.defs

      2. ipa-healthcheck keeps reverting to the wrong permissions at each ipa stop/start:

      ERROR: ipahealthcheck.ipa.files.IPAFileCheck._run_ipa_services.list_mode: Permissions of /run/ipa/services.list are too restrictive: 0640 and should be 0644 

      We noticed that this happened after the patching to ipa-server-4.11.0-15.el9_4.x86_64. It seems ipa-healthcheck understands 0640 to be an error but it’s what “ipactl start” wants it to be, from the strace:

      openat(AT_FDCWD, "/run/ipa/services.list", O_RDONLY|O_CLOEXEC) = 5
      fstat(5, {st_mode=S_IFREG|0640, st_size=89, ...}) = 0 
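
      Added example, not part of the original report and not ipa-healthcheck's own code: a sketch of how a umask of 027 turns a default file creation into 0640, with a umask warning of the kind the issue title asks for. It assumes the file is created with a plain open() (requested mode 0666); the function names and sample paths are hypothetical.

```python
import os
import stat
import tempfile

EXPECTED_UMASK = 0o022  # value named in the issue title
EXPECTED_MODE = 0o644   # mode the healthcheck error asks for


def current_umask():
    """Read the process umask; os.umask() only sets-and-returns, so restore it."""
    old = os.umask(0)
    os.umask(old)
    return old


def create_under_umask(path, umask):
    """Create a new file as a plain open(path, 'w') would under the given umask."""
    old = os.umask(umask)
    try:
        with open(path, "w") as f:  # requests 0666; the kernel clears the umask bits
            f.write("constructed sample content\n")
    finally:
        os.umask(old)
    return stat.S_IMODE(os.stat(path).st_mode)


def check_umask(umask=None):
    """Return a warning if the umask is not 022, naming the resulting file mode."""
    umask = current_umask() if umask is None else umask
    if umask == EXPECTED_UMASK:
        return None
    return (f"umask is {umask:04o}, expected {EXPECTED_UMASK:04o}; "
            f"new files will be created {0o666 & ~umask:04o}")


def check_mode(path, expected=EXPECTED_MODE):
    """Compare a file's mode to the expected one, worded like the error in the report."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode == expected:
        return None
    kind = "restrictive" if (mode | expected) == expected else "permissive"
    return f"Permissions of {path} are too {kind}: {mode:04o} and should be {expected:04o}"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed stand-in for /run/ipa
        path = os.path.join(d, "services.list")
        create_under_umask(path, 0o027)
        print(check_umask(0o027))
        print(check_mode(path))
```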

              rhn-engineering-rcrit Rob Crittenden
              rhn-support-qpham Quynh Anh Pham
              Rob Crittenden Rob Crittenden
              Sudhir Menon Sudhir Menon