MariaDB MaxScale / MXS-2578

Maxscale RPM issue PCI Compliancy


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.3.8
    • Fix Version/s: 2.3.9, 2.4.1
    • Component/s: Packaging
    • Labels:
      None
    • Environment:
      RPM Linux

      Description

      We use maxscale in our environment and ran into some issues with compliance. Our organization has security implemented based on the PCI-DSS security guidelines.
      One of these checks is the following: Verify and Correct File Permissions with RPM

      This check verifies if the files that are in the RPM have the same permissions/ownership as when they are installed on the filesystem.
      Unfortunately this check fails on the maxscale package. The problem specifically is the /var/lib/maxscale directory.
      This directory has root ownership in the rpm, but the post-script of the rpm changes this to maxscale.

      You can verify this yourself by installing maxscale and running this command:
      $ rpm -Va --nofiledigest | grep -e '[MUG]' | grep maxscale
      .....UG.. /var/lib/maxscale
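The attribute column in that `rpm -Va` output is positional (S M 5 D L U G T P: size, mode, digest, device, link target, user, group, mtime, capabilities), so the `UG` in `.....UG..` is the verifier saying that owner and group differ from what the package header records. The following is an added example, not part of the MXS-2578 report: a POSIX shell/awk filter that turns verify output into a list of paths whose mode, owner or group deviates from the package metadata. The sample lines it runs on are constructed for illustration, not captured from a real host.

```shell
# Added example (not from the MXS-2578 report): list files whose mode (M),
# owner (U) or group (G) differ from the RPM metadata, from `rpm -Va` output.
# The attribute string is rpm's positional verify format: S M 5 D L U G T P.

# Constructed sample of `rpm -Va --nofiledigest` output (not from a real system).
SAMPLE_VERIFY_OUTPUT='.....UG..    /var/lib/maxscale
.M.......    /etc/maxscale.cnf
S.5....T.  c /etc/example.conf
missing     /var/run/example
.........    /usr/bin/maxscale'

# Reads verify output on stdin and prints "<path> <mismatch,...>" for every line
# whose attribute string flags mode, owner or group; "missing" entries are
# reported separately because they carry no attribute string at all.
rpm_ownership_mismatches() {
    awk '
        NF < 2 { next }
        $1 == "missing" { print $NF " missing"; next }
        {
            attrs = $1; flags = ""
            if (substr(attrs, 2, 1) == "M") flags = flags "mode,"
            if (substr(attrs, 6, 1) == "U") flags = flags "owner,"
            if (substr(attrs, 7, 1) == "G") flags = flags "group,"
            if (flags != "") { sub(/,$/, "", flags); print $NF " " flags }
        }'
}

# On a real host this would be:  rpm -Va --nofiledigest | rpm_ownership_mismatches
# Here the constructed sample is used instead.
printf '%s\n' "$SAMPLE_VERIFY_OUTPUT" | rpm_ownership_mismatches
```

Size, digest and mtime deviations (the `S.5....T.` line) are deliberately not reported, since a file-permissions check like the one in this report is only concerned with mode and ownership; drop the `NF < 2` guard if your rpm prints paths containing spaces.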

      When I look at the scripting the RPM does, I can see it creates the directory and then changes its ownership; see below the output from the maxscale post-install script:

      # MAXSCALE_VARDIR is an absolute path to /var by default
      mkdir -p /var/log/maxscale
      mkdir -p /var/lib/maxscale
      mkdir -p /var/cache/maxscale
      mkdir -p /var/run/maxscale
      # Create MaxScale user
      if [ -f "/etc/passwd" ] && [ "$(grep -c 'maxscale' /etc/passwd)" -eq 0 ]
      then
          groupadd -r maxscale
          useradd -r -s /bin/false -g maxscale maxscale
      fi
      # Change the owner of the directories to maxscale:maxscale
      chown -R maxscale:maxscale /var/log/maxscale
      chown -R maxscale:maxscale /var/lib/maxscale
      chown -R maxscale:maxscale /var/cache/maxscale
      chown -R maxscale:maxscale /var/run/maxscale
      chmod 0755 /var/log/maxscale
      chmod 0755 /var/lib/maxscale
      chmod 0755 /var/cache/maxscale
      chmod 0755 /var/run/maxscale

      When looking at the file list from the RPM, I see the list ends with these three directories:

      /var
      /var/lib
      /var/lib/maxscale

      In other words, the directory itself is specified in the spec file, but neither with file attributes set to 0775 nor with ownership set to maxscale.

      There are two ways to solve this issue:

      1) Remove the directory itself from the spec file. The directory will be created in the post-install script, so there is no need to specify it in the spec file. If it's not mentioned in the spec file, the RPM check has nothing to match against, and thus my PCI-DSS check will proceed successfully.
      2) Move the creation of the maxscale user to pre-install instead of post-install, and set the correct file attributes/permissions in the spec file on the maxscale directories/files. This way you can also remove all chowns from the post-install scriptlet.
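Option 2 is the one a packager can check for mechanically: every path that a `%post` scriptlet chowns should appear in `%files` with a matching `%attr` (or be covered by a `%defattr`), otherwise `rpm -Va` will always report a U/G mismatch after installation. The following is an added example and not MaxScale's own spec or packaging tooling: a shell/awk lint that flags paths packaged under one owner and chowned to another, run over two constructed spec fragments, one reproducing the pattern described in this report and one following option 2 (user created in `%pre`, ownership declared in `%files`). The paths, the `getent`/`useradd` lines and the fragments themselves are constructed for illustration and are not the real maxscale.spec.

```shell
# Added example, not from the MaxScale project: lint a spec file for paths that
# %files packages with one owner while %post chowns them to another. That is
# the combination rpm -Va reports as a U/G mismatch after installation.

# Constructed fragment reproducing the pattern in this report (not the real maxscale.spec).
SAMPLE_SPEC_BROKEN='%post
mkdir -p /var/lib/maxscale
mkdir -p /var/cache/maxscale
chown -R maxscale:maxscale /var/lib/maxscale
chown -R maxscale:maxscale /var/cache/maxscale

%files
%dir /var/lib/maxscale
%attr(0755,maxscale,maxscale) %dir /var/cache/maxscale
/usr/bin/maxscale'

# Constructed fragment following option 2: user created in %pre, ownership in %files.
SAMPLE_SPEC_FIXED='%pre
getent group maxscale >/dev/null || groupadd -r maxscale
getent passwd maxscale >/dev/null || useradd -r -s /bin/false -g maxscale maxscale

%files
%attr(0755,maxscale,maxscale) %dir /var/lib/maxscale
%attr(0755,maxscale,maxscale) %dir /var/cache/maxscale
/usr/bin/maxscale'

# Reads a spec on stdin; prints one line per path whose %files owner differs from
# the owner a chown in %post assigns. Expects the usual %attr(mode,user,group) form
# without spaces inside the parentheses.
spec_ownership_conflicts() {
    awk '
        BEGIN { def_u = "root"; def_g = "root" }
        # Section headers; %dir and %attr lines also start with % but are not headers
        $1 ~ /^%(prep|build|install|check|clean|pre|post|preun|postun|files|description|changelog)$/ {
            section = $1; next
        }
        # Remember the user[:group] that %post assigns to each path
        section == "%post" && $1 == "chown" {
            spec = ""
            for (i = 2; i < NF; i++) if ($i !~ /^-/ && spec == "") spec = $i
            n = split(spec, o, ":")
            chown_u[$NF] = o[1]; chown_g[$NF] = (n > 1) ? o[2] : ""
        }
        # %defattr(mode,user,group) changes the default for the entries after it
        section == "%files" && $1 ~ /^%defattr/ {
            split($1, a, "[(),]")
            if (a[3] != "-") def_u = a[3]
            if (a[4] != "-") def_g = a[4]
            next
        }
        # Every other %files entry: explicit %attr(mode,user,group) or the default
        section == "%files" && NF > 0 {
            pu = def_u; pg = def_g
            if ($1 ~ /^%attr/) {
                split($1, a, "[(),]")
                if (a[3] != "-") pu = a[3]
                if (a[4] != "-") pg = a[4]
            }
            pkg_u[$NF] = pu; pkg_g[$NF] = pg
        }
        END {
            for (p in chown_u)
                if (p in pkg_u && (chown_u[p] != pkg_u[p] || (chown_g[p] != "" && chown_g[p] != pkg_g[p])))
                    print p " packaged as " pkg_u[p] ":" pkg_g[p] " but chowned to " chown_u[p] ":" chown_g[p]
        }'
}

printf '%s\n' "$SAMPLE_SPEC_BROKEN" | spec_ownership_conflicts
printf '%s\n' "$SAMPLE_SPEC_FIXED" | spec_ownership_conflicts   # prints nothing
```

Run as `spec_ownership_conflicts < package.spec` before building; an empty result means every chown in `%post` agrees with what the package header will record, so `rpm -Va` has nothing to complain about for those paths. Paths that `%post` creates but `%files` never lists (option 1 in this report) are not flagged, because rpm does not verify them either.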

      Will it be possible for you to apply one of these changes in upcoming maxscale releases so we can be PCI compliant the correct way? If I reset the ownership back to root, maxscale won't run, so I have to leave it at maxscale ownership, on which my compliance check fails.

            People

            Assignee: markus makela
            Reporter: hholzgra (Hartmut Holzgraefe)