SUSE Support

Here When You Need Us

Custom file security permissions not set during autoyast installation

This document (7024173) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 15 Service Pack 1 (SLES 15 SP1)


Situation

An autoyast control file that saves a custom security permissions file and selects its installation, fails to apply the custom changes. The security permission is something other than Easy, Secure and Paranoid.

The /etc/permissions.secure file was copied to /etc/permissions.ultra. In a test case, the /usr/bin/crontab permissions were changed from 0755 to 0700. The updates were applied to the autoyast control file as follows:
  <files config:type="list">
    <config_file>
      <file_path>/etc/permissions.ultra</file_path>
      <file_contents>
<![CDATA[
# Updated security permissions file content
]]>
      </file_contents>
    </config_file>
  </files>

  <security>
    <permission_security>ultra</permission_security>
  </security>

When the installation was complete, the changes had not taken effect.

The same autoyast configuration works fine in SLES12 SP4.

Resolution

A driver update disk (DUD) with a yast2-security package version greater than yast2-security-4.1.2-6.56 is required to fix the issue. The fix also requires the addition of a post-installation script in the autoyast control file that runs chkstat.

1. Add the following section to your autoyast control file within the <scripts> tag.
    <post-scripts config:type="list">
      <script>
        <filename>update_perms.sh</filename>
        <interpreter>shell</interpreter>
        <source><![CDATA[#!/bin/bash
chkstat --system --set
]]>
        </source>
      </script>
    </post-scripts>

2. Start the installation with a DUD file obtained from SUSE Customer Service. This is done by booting from the installation media, selecting Installation and including the DUD= parameter with the path to the updated yast2-security package.

Cause

Due to fixes of another issue, the order of writing security settings changed. This made it necessary to run chkstat again in the autoyast control file.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7024173
  • Creation Date: 08-Oct-2019
  • Modified Date:03-Mar-2020
    • SUSE Linux Enterprise Server

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

tick icon

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

tick icon

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.

tick icon

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.