Issue
What were you trying to do that didn't work?
Upon installing, the corosync-qnetd package creates the /etc/corosync/qnetd directory for the qnetd certificates database with permissions set to 0770 coroqnetd:coroqnetd. If this directory is removed and then 'corosync-qnetd-certutil -i' is run, the directory is created with wrong permissions. This prevents qnetd from starting.
Please provide the package NVR for which bug is seen:
corosync-qnetd-3.0.2-2.el9_2
corosync-qnetd-3.0.2-2.el8
How reproducible:
always, easily
Steps to reproduce
# dnf install corosync-qnetd
# ls -la /etc/corosync/qnetd/
total 8
drwxrwx---. 2 coroqnetd coroqnetd 4096 Mar 23 2023 .
drwxr-xr-x. 5 root root 4096 Nov 13 13:14 ..
# rmdir /etc/corosync/qnetd/
# corosync-qnetd-certutil -i
Creating /etc/corosync/qnetd/nssdb
Creating new key and cert db
password file contains no data
Creating new noise file /etc/corosync/qnetd/nssdb/noise.txt
Creating new CA
Generating key. This may take a few moments...
Is this a CA certificate [y/N]?
Enter the path length constraint, enter to skip [<0 for unlimited path]: > Is this a critical extension [y/N]?
Generating key. This may take a few moments...
Notice: Trust flag u is set automatically if the private key is present.
QNetd CA certificate is exported as /etc/corosync/qnetd/nssdb/qnetd-cacert.crt
# ls -la /etc/corosync/qnetd/
total 12
drwxr-xr-x. 3 root root 4096 Nov 13 13:16 .
drwxr-xr-x. 5 root root 4096 Nov 13 13:16 ..
drwxrwx---. 2 root root 4096 Nov 13 13:16 nssdb
# systemctl start corosync-qnetd.service
Job for corosync-qnetd.service failed because the control process exited with error code.
See "systemctl status corosync-qnetd.service" and "journalctl -xeu corosync-qnetd.service" for details.
# journalctl -xeu corosync-qnetd.service
Nov 13 13:17:08 rh92-node1 corosync-qnetd[2342]: Can't open NSS DB directory (13): Permission denied
Expected results
corosync-qnetd-certutil sets correct ownership of the /etc/corosync/qnetd directory and qnetd is able to start
Actual results
corosync-qnetd-certutil sets incorrect ownership of the /etc/corosync/qnetd directory and qnetd is not able to start
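
A check for the state shown above, as an added example that is not part of the original report or of the corosync project: it compares each directory's owner, group and mode with expected values and flags any mismatch. The function names `check_dir` and `audit_dirs` are hypothetical, and applying coroqnetd:coroqnetd 0770 to the nssdb subdirectory as well is an assumption (the report states that expectation only for /etc/corosync/qnetd).

```shell
#!/bin/sh
# Added example: audit directory ownership and mode (requires GNU stat, as on RHEL).

# check_dir PATH OWNER GROUP MODE
# Prints one status line; returns 0 on match, 1 on a missing dir or mismatch.
check_dir() {
    c_path=$1
    c_want="$2 $3 $4"
    if [ ! -d "$c_path" ]; then
        echo "MISSING  $c_path"
        return 1
    fi
    # %U = owner name, %G = group name, %a = octal mode (e.g. 770)
    c_have=$(stat -c '%U %G %a' "$c_path") || return 1
    if [ "$c_have" != "$c_want" ]; then
        echo "MISMATCH $c_path: have '$c_have', want '$c_want'"
        return 1
    fi
    echo "OK       $c_path ($c_have)"
}

# audit_dirs OWNER GROUP MODE DIR...
# Checks every DIR (does not stop at the first failure); returns 0 only if all match.
audit_dirs() {
    a_owner=$1
    a_group=$2
    a_mode=$3
    shift 3
    a_fail=0
    for a_dir in "$@"; do
        check_dir "$a_dir" "$a_owner" "$a_group" "$a_mode" || a_fail=$((a_fail + 1))
    done
    [ "$a_fail" -eq 0 ]
}

# Usage on a qnetd host, e.g. after running corosync-qnetd-certutil -i
# (expected values for nssdb are an assumption, see above):
#   sh audit.sh coroqnetd coroqnetd 770 /etc/corosync/qnetd /etc/corosync/qnetd/nssdb
if [ "$#" -ge 4 ]; then
    audit_dirs "$@"
    exit $?
fi
```

Against the listing in the report, both directories would be reported as MISMATCH because they are owned by root:root, and /etc/corosync/qnetd also has mode 755 instead of 770.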