ondemand-gems-4.0.7-1-4.0.7-1 RPM creating world writeable directories.

[bviviano]

After updating our RHEL8 systems from 3.1.16 to 4.0.7, we started getting compliance alerts from our system monitoring tools that alerted us that 2 directories installed by ondemand-gems-4.0.7-1-4.0.7-1 were set to mode 777:

# ls -al /opt/ood/ondemand/root/usr/share/gems/3.3/ondemand/4.0.7-1/gems/rack-2.2.10/lib/rack/auth/abstract
total 8
drwxrwxrwx. 2 root root  80 Oct 22 05:54 .
drwxr-xr-x. 4 root root 100 Oct 22 05:54 ..
-rw-r--r--. 1 root root 814 Aug 15 11:04 handler.rb
-rw-r--r--. 1 root root 833 Aug 15 11:04 request.rb

# ls -al /opt/ood/ondemand/root/usr/share/gems/3.3/ondemand/4.0.7-1/gems/net-imap-0.3.7/lib/net
total 92
drwxrwxrwx. 3 root root    80 Oct 22 05:54 .
drwxr-xr-x. 3 root root    60 Oct 22 05:54 ..
drwxr-xr-x. 4 root root   240 Oct 22 05:54 imap
-rw-r--r--. 1 root root 93416 Aug 15 11:05 imap.rb

We've manually adjusted the permissions back to 755, which is what they were on 3.1.X and earlier. Please fix the issue with the next update.

Thanks!

[johrstrom]

@treydock how can we fix this? chmod -R 755 doesn't sound so nice. Is there an RPM directive we can use?

[treydock]

I'm not seeing that on our systems:

[tdockendorf@web02 ~]$ ls -al /opt/ood/ondemand/root/usr/share/gems/3.3/ondemand/4.0.7-1/gems/rack-2.2.10/lib/rack/auth/abstract
total 16
drwxr-xr-x 2 root root 4096 Aug 27 09:11 .
drwxr-xr-x 4 root root 4096 Aug 27 09:11 ..
-rw-r--r-- 1 root root  814 Aug 15 11:04 handler.rb
-rw-r--r-- 1 root root  833 Aug 15 11:04 request.rb

[tdockendorf@web02 ~]$ ls -la /opt/ood/ondemand/root/usr/share/gems/3.3/ondemand/4.0.7-1/gems/net-imap-0.3.7/lib/net
total 104
drwxr-xr-x 3 root root  4096 Aug 27 09:11 .
drwxr-xr-x 3 root root  4096 Aug 27 09:11 ..
drwxr-xr-x 4 root root  4096 Aug 27 09:11 imap
-rw-r--r-- 1 root root 93416 Aug 15 11:05 imap.rb

@bviviano Could you run this and verify the RPM contents are unchange?

[tdockendorf@web02 ~]$ rpm -V ondemand-gems-4.0.7-1-4.0.7-1.el9.x86_64
[tdockendorf@web02 ~]$

I verified if I modify the permissions, RPM sees this:

[tdockendorf@web02 ~]$ sudo chmod 0777 /opt/ood/ondemand/root/usr/share/gems/3.3/ondemand/4.0.7-1/gems/rack-2.2.10/lib/rack/auth/abstract
[tdockendorf@web02 ~]$ rpm -V ondemand-gems-4.0.7-1-4.0.7-1.el9.x86_64
.M.......    /opt/ood/ondemand/root/usr/share/gems/3.3/ondemand/4.0.7-1/gems/rack-2.2.10/lib/rack/auth/abstract

[treydock]

Ah I checked a RHEL8 system, and I see the issue:

[tdockendorf@web04 ~]$ ls -la /opt/ood/ondemand/root/usr/share/gems/3.3/ondemand/4.0.7-1/gems/rack-2.2.10/lib/rack/auth/abstract
total 16
drwxrwxrwx 2 root root 4096 Aug 27 09:12 .
drwxr-xr-x 4 root root 4096 Aug 27 09:12 ..
-rw-r--r-- 1 root root  814 Aug 15 11:04 handler.rb
-rw-r--r-- 1 root root  833 Aug 15 11:04 request.rb

It's strange that RHEL8 has this issue but not RHEL9.

We could try something like this for gems package

%files -n %{gems_name}
%defattr(644, root, root, 755)
%{gem_home}/*

[bviviano]

We're running RHEL8 not 9, so maybe that's the problem

# rpm -V ondemand-gems-4.0.7-1-4.0.7-1.el8.x86_64
.M.......    /opt/ood/ondemand/root/usr/share/gems/3.3/ondemand/4.0.7-1/gems/net-imap-0.3.7/lib/net
.M.......    /opt/ood/ondemand/root/usr/share/gems/3.3/ondemand/4.0.7-1/gems/rack-2.2.10/lib/rack/auth/abstract

This is because I already chmod 755 the 2 directories

# ls -ld /opt/ood/ondemand/root/usr/share/gems/3.3/ondemand/4.0.7-1/gems/net-imap-0.3.7/lib/net /opt/ood/ondemand/root/usr/share/gems/3.3/ondemand/4.0.7-1/gems/rack-2.2.10/lib/rack/auth/abstract
drwxr-xr-x. 3 root root 80 Oct 22 05:54 /opt/ood/ondemand/root/usr/share/gems/3.3/ondemand/4.0.7-1/gems/net-imap-0.3.7/lib/net
drwxr-xr-x. 2 root root 80 Oct 22 05:54 /opt/ood/ondemand/root/usr/share/gems/3.3/ondemand/4.0.7-1/gems/rack-2.2.10/lib/rack/auth/abstract

If I change them back, no findings

# chmod 777 /opt/ood/ondemand/root/usr/share/gems/3.3/ondemand/4.0.7-1/gems/net-imap-0.3.7/lib/net /opt/ood/ondemand/root/usr/share/gems/3.3/ondemand/4.0.7-1/gems/rack-2.2.10/lib/rack/auth/abstract
# ls -ld /opt/ood/ondemand/root/usr/share/gems/3.3/ondemand/4.0.7-1/gems/net-imap-0.3.7/lib/net /opt/ood/ondemand/root/usr/share/gems/3.3/ondemand/4.0.7-1/gems/rack-2.2.10/lib/rack/auth/abstract
drwxrwxrwx. 3 root root 80 Oct 22 05:54 /opt/ood/ondemand/root/usr/share/gems/3.3/ondemand/4.0.7-1/gems/net-imap-0.3.7/lib/net
drwxrwxrwx. 2 root root 80 Oct 22 05:54 /opt/ood/ondemand/root/usr/share/gems/3.3/ondemand/4.0.7-1/gems/rack-2.2.10/lib/rack/auth/abstract
# rpm -V ondemand-gems-4.0.7-1-4.0.7-1.el8.x86_64
# 

[bviviano]

Also, I installed this on 2 separate / independent RHEL8 systems with the same results, it's only these 2 directories that are impacted.