SUSE / rmt

RPM repository mirroring tool and registration proxy for SUSE Customer Center.

Fix secrets file access mode - for real! #1064

Closed felixsch closed 6 months ago

felixsch commented 6 months ago

Description

The problem is that the file permissions were originally wrong and break RMT completely because it cannot read the secrets. This fixes the permissions for both files without relying on handling this in the spec file, where it should not be handled anyway.


original:

-rwxr-xr-x 1 root root  1277 Dec 12 05:42 /usr/share/rmt/config/secrets.yml
-rw-r--r-- 1 root nginx  280 Jan  2 13:52 /usr/share/rmt/config/secrets.yml.enc
-rw------- 1 root nginx   32 Jan  2 13:52 /usr/share/rmt/config/secrets.yml.key

but due to hardening we need:

-rwxr-xr-x 1 root root  1277 Dec 12 05:42 /usr/share/rmt/config/secrets.yml
-rw-r----- 1 root nginx  280 Jan  2 13:52 /usr/share/rmt/config/secrets.yml.enc
-rw-r----- 1 root nginx   32 Jan  2 13:52 /usr/share/rmt/config/secrets.yml.key

see: https://bugzilla.suse.com/show_bug.cgi?id=1215176

Fixes file permission for config/secrets.yml.key and config/secrets.yml.enc to 0640 during fresh install.

part of: https://trello.com/c/hL2IyVT1/3061-fix-rmt-server-install-creates-secretsymlkey-with-root-owner

fixed version of: https://github.com/SUSE/rmt/pull/1062

How to test this pull request:

$ docker run --rm -it registry.suse.com/suse/sle15:15.4
> zypper ar https://download.opensuse.org/repositories/systemsmanagement:/SCC:/RMT/SLE_15_SP4/systemsmanagement:SCC:RMT.repo
> zypper refresh
> zypper in rmt-server
> ls -la /usr/share/rmt/config
# expect: File permissions for .enc and .key are 0640

Thank you for reviewing this pull request :rocket:
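The two points behind this change, creating the secret files with a restricted mode from the start rather than relying on the spec file, and repairing files that an earlier install already created with the wrong mode, as an added Ruby example. This is not RMT's own code; the function names `write_secret`, `secret_mode_ok?` and `repair_secret_modes` and the file contents are assumptions made for the illustration, and ownership (root:nginx in the listing above) is left to the package since changing it needs root.

```ruby
require 'fileutils'
require 'tmpdir'

# Added example, not RMT's own code.  Target mode for secrets.yml.key and
# secrets.yml.enc: owner rw, group r, nothing for "other" (0640 as in the PR).
SECRET_MODE = 0o640

# Create or overwrite a secret file so that it is 0640 from the moment it
# exists.  Passing the mode to open(2) means a freshly created file is never
# briefly world-readable (the usual umask result, 0644) before a later chmod.
# The explicit chmod afterwards matters for a file that already existed:
# the open(2) mode argument is only applied on creation, and it is also
# masked by the process umask.  Returns the resulting permission bits.
def write_secret(path, content)
  File.open(path, File::WRONLY | File::CREAT | File::TRUNC, SECRET_MODE) do |f|
    f.chmod(SECRET_MODE)
    f.write(content)
  end
  File.stat(path).mode & 0o777
end

# True only when the file carries exactly the expected bits: no execute
# bits, no group write, nothing for "other".
def secret_mode_ok?(path)
  (File.stat(path).mode & 0o777) == SECRET_MODE
end

# What an update step has to do for installs that already carry wrongly
# created files (the fresh-install fix above does not touch them): look at
# each secret that exists, fix any whose mode is not 0640, and report which
# ones were changed so the step is visible in the install log.
def repair_secret_modes(dir, names = %w[secrets.yml.key secrets.yml.enc])
  fixed = []
  names.each do |name|
    path = File.join(dir, name)
    next unless File.exist?(path)
    next if secret_mode_ok?(path)
    File.chmod(SECRET_MODE, path)
    fixed << name
  end
  fixed
end

if __FILE__ == $PROGRAM_NAME
  # Constructed demonstration in a scratch directory, no real RMT config.
  Dir.mktmpdir do |dir|
    key = File.join(dir, 'secrets.yml.key')
    enc = File.join(dir, 'secrets.yml.enc')
    puts format('key created with %04o', write_secret(key, "constructed-key\n"))
    File.write(enc, "constructed-enc\n")
    File.chmod(0o644, enc) # the pre-fix situation from the listing above
    puts "enc ok before repair: #{secret_mode_ok?(enc)}"
    puts "repaired: #{repair_secret_modes(dir).inspect}"
    puts "enc ok after repair: #{secret_mode_ok?(enc)}"
  end
end
```

Run it as a plain script to see the before and after modes; the same check (`stat -c '%a'` on the two files) is what the `ls -la` step in the test procedure above verifies by eye.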

suse-tests-pass commented 6 months ago

Well Done! Your tests are still passing. https://ci.suse.de/job/scc-RMT-integration-tests/351568/console If the given link has expired, you can force a Prophet rerun by just deleting this comment. (Merged 6b0381b6e8f38aedef5e65ed7a3fcba73e9ae9ba into 40dd490a960f56cb2b641696bf5495eace3a8a7d)

felixsch commented 6 months ago

AFAIK this will only fix fresh installations. Systems that already have the secret files with wrong permissions will not get fixed by this patch.

This is done by the update script which has been fixed as well.

See: https://github.com/SUSE/rmt/blob/6b0381b6e8f38aedef5e65ed7a3fcba73e9ae9ba/package/files/update_rmt_app_dir_permissions.sh#L27