We use maxscale in our environment and run into some issues about compliance. Our organization has security implemented based on the PCI-DSS security guidelines.
One of these checks is the following: Verify and Correct File Permissions with RPM
This check verifies if the files that are in the RPM have the same permissions/ownership as when they are installed on the filesystem.
Unfortunately this check fails on the maxscale package. The problem specifically is the /var/lib/maxscale directory.
This directory has root ownership in the rpm, but the post-script of the rpm changes this to maxscale.
You can verify this yourself by installing macxscale and running this command:
$ rpm -Va --nofiledigest | grep -e [MUG] | grep maxscale
When I look at the scripting the RPM does, I can see it creates the directory and then changes ownership to it, see below output from maxscale post-install-script:
- MAXSCALE_VARDIR is an absolute path to /var by default
mkdir -p /var/log/maxscale
mkdir -p /var/lib/maxscale
mkdir -p /var/cache/maxscale
mkdir -p /var/run/maxscale
- Create MaxScale user
if [ -f "/etc/passwd" ] && [ "$(grep -c 'maxscale' /etc/passwd)" -eq 0 ]
groupadd -r maxscale
useradd -r -s /bin/false -g maxscale maxscale
- Change the owner of the directories to maxscale:maxscale
chown -R maxscale:maxscale /var/log/maxscale
chown -R maxscale:maxscale /var/lib/maxscale
chown -R maxscale:maxscale /var/cache/maxscale
chown -R maxscale:maxscale /var/run/maxscale
chmod 0755 /var/log/maxscale
chmod 0755 /var/lib/maxscale
chmod 0755 /var/cache/maxscale
chmod 0755 /var/run/maxscale
When looking at the filelist from the rpm I the list end with these three directories:
In other words, the directory itself is specified in the spec file, but not with file attributes set to 0775 and not as ownership set to maxscale.
There are two ways to solve this issue:
1) Remove the directory itself from the specfile. The directory will be created in the post-install script, so no need to specify it in the spec file. If it's not mentioned in the spec file, the RPM check has nothing to match against, and thus my PCI-DSS check will proceed successfully.
2) Move the creation of the maxscale user to pre-install instead of postinstall, and set the correct file attributes/permissions in the specfile on the maxscale directories/files. This way you can also remove all chown's from the post-install scriptlet.
Will it be possible for you to apply one of these changes in upcoming maxscale releases so we can be PCI compliant the correct way. If I reset the ownership back to root maxscale won't run, so I have to leave it at maxscale ownership, on which my compliancy check fails.