Closed carlosrodfern closed 6 months ago
It looks that it is going to be rather related with the fact that the targeted machine is CIS level 2 hardened.
CIS hardened machines have the umask
set to 027
. This is the cause of the issue I posted above.
The workaround is to create the tmt
folder fresh ahead of the test and set the acl accordingly for the others
:
setfacl -d -m o:r /var/tmp/tmt
Thanks for filing the issue and looking forward to the PR. What is an easy way to get CIS level 2 hardened
VM?
@lukaszachy , this is what I use to harden machines: https://github.com/orgs/ansible-lockdown/repositories
But it may be reproduceable by just adding umask
to the /etc/profile
file:
https://github.com/ansible-lockdown/RHEL9-CIS/blob/f56e5d33d9e3a5fc64414832c222b3bc045d26df/tasks/section_5/cis_5.6.x.yml#L83
There is also an ACL change: https://github.com/ansible-lockdown/RHEL9-CIS/blob/8405e67db24ae0c2389ba5ba7312c02b687b3494/tasks/section_6/cis_6.2.x.yml#L354
I added STRs and better description of the problem.
The cause of this bug is because the test results are owned by
root:root
when usingbecome
and the permissions are---
forothers
. So when thersync
is executed with the non-root user, it fails because the non-root user doesn't have the needed access. This is the case because on a CIS hardened machine, the umask is set globally to 0027.I'll be providing a PR.
Steps to Reproduce:
umask 0027
to/etc/profile
and/etc/bashrc
on the targeted machine (e.g. a CentOS Stream 9 QCOW2)tmt init -t base
tmt -vv run -a provision --how=connect --guest=<ip> --user=<user> --become --key=<key>
Result (ip=192.168.122.166, user=centos):
The permissions:
As mentioned in the comments, the workaround is to create
/var/tmp/tmt
ahead of time in the targeted machine and use ACL to override theumask
:setfacl -d -m o:r /var/tmp/tmt
, or perhaps better:setfacl -d -m o:rX /var/tmp/tmt
to ensure directory access when needed.