Bug 1691544 - rootless unable to access subscription
Summary: rootless unable to access subscription
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: subscription-manager
Version: 8.0
Hardware: All
OS: Linux
Target Milestone: rc
: 8.1
Assignee: candlepin-bugs
QA Contact: Red Hat subscription-manager QE Team
Depends On: 1690514
Blocks: 1691543
Reported: 2019-03-21 20:59 UTC by Qian Cai
Modified: 2019-04-09 19:36 UTC (History)
14 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1690514
Last Closed:
Type: Bug
Target Upstream Version:


Comment 1 Chris Snyder 2019-03-22 15:53:17 UTC
Was the last step "subscription-manager ?:  chmod o+r /etc/pki/entitlement/1939799096719564946-key.pem" necessary for you to successfully access your subscription?

My suspicion is that the issue in access to the subscription was that podman was not mounting the directory to which we expect entitlements to be written to from the host.
As such I highly doubt there is anything that should be changed in subscription-manager.

We shouldn't be making the entitlement certs accessible to all others. They should remain readable by root only.

Comment 2 Qian Cai 2019-03-22 16:01:22 UTC
(In reply to Chris Snyder from comment #1)
> Was the last step "subscription-manager ?:  chmod o+r
> /etc/pki/entitlement/1939799096719564946-key.pem" necessary for you to
> successfully access your subscription?

Yes, it is necessary.

Comment 3 Daniel Walsh 2019-03-22 16:39:52 UTC
If you need the subscription key file in order to install packages inside of a RHEL container, then in order to use it for rootless users, it needs to be readable by them. As a compromise could we make it readable to a group. Say create an imagebuilders group. Then the admin could add any users to that group to be able to build from it.

I don't think this is an issue with non-rootless containers, since we are actually copying the content into the container images at container creation time.

What is the risk of a non privileged user getting access to this file?

Comment 10 Daniel Walsh 2019-04-05 13:25:17 UTC
Ok so we need to get an updated subscription-manager package that adds a "packager" group, and then sets the ownership of the certs to 740 root packager.
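The thread above turns on one least-privilege question: the entitlement key must not be world-readable (comment 1), yet rootless builders need to read it (comments 3 and 10). The shell snippet below is an added example, not part of the bug report or of subscription-manager: `audit_entitlement_dir` flags any `.pem` under a directory whose "other" read bit is set, and `restrict_entitlement_dir` applies the group-based fix comment 10 proposes. The function names are hypothetical; the default group name `packager` and mode `740` are the values given in comment 10 and must exist or be adjusted on the host (for a key file a mode without the execute bit, such as 640, is the usual choice).

```shell
#!/bin/sh
# Added example (not from the bug report): audit and restrict permissions on
# entitlement certificates/keys such as /etc/pki/entitlement/*.pem.
# Portable POSIX sh: reads the "other" read bit from the ls -l mode string
# (position 8 of "-rw-r--r--") rather than depending on GNU stat.

# audit_entitlement_dir DIR
#   Prints every *.pem in DIR that is readable by "other".
#   Returns 0 if none are world-readable, 1 otherwise.
audit_entitlement_dir() {
    dir="$1"
    rc=0
    for f in "$dir"/*.pem; do
        [ -e "$f" ] || continue          # no matches: the glob stays literal
        case "$(ls -ld "$f")" in
            ???????r*)                   # 8th char = other-read bit
                printf 'world-readable: %s\n' "$f"
                rc=1
                ;;
        esac
    done
    return $rc
}

# restrict_entitlement_dir DIR [GROUP] [MODE]
#   Gives every *.pem in DIR to GROUP with MODE, so only root and members of
#   GROUP can read the material. Defaults follow comment 10 of the bug
#   ("740 root packager"); GROUP must already exist on the host.
restrict_entitlement_dir() {
    dir="$1"
    group="${2:-packager}"
    mode="${3:-740}"
    for f in "$dir"/*.pem; do
        [ -e "$f" ] || continue
        chgrp "$group" "$f" && chmod "$mode" "$f" || return 1
    done
    return 0
}

# Typical use on a RHEL host (needs root; group creation shown for clarity):
#   groupadd packager
#   restrict_entitlement_dir /etc/pki/entitlement packager 740
#   audit_entitlement_dir /etc/pki/entitlement
```

Rootless users who should be allowed to build from the host's entitlements are then added to the group (`usermod -aG packager <user>`), and the audit function can run from a cron job or a configuration-management check to detect a cert that has drifted back to world-readable, for example after a manual `chmod o+r` like the one in the original report.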
