Injected authorized_keys file permissions are too permissive

Bug #1107908 reported by Yaniv Kaul
Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: Medium
Assigned to: Davanum Srinivas (DIMS)

Bug Description

When injecting SSH keys, the permissions set on the file are too permissive:
Tested on Folsom on Red Hat, the selinux labeling seems OK, I'm not happy with the permissions though:
-rw-r--r--. root root system_u:object_r:ssh_home_t:s0 authorized_keys

Why is it world readable?

Thierry Carrez (ttx) wrote :

Looks fine to me. That's what the RedHat doc asks you to do:

https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/s2-ssh-configuration-keypairs.html

Please reopen if you still disagree.

Changed in nova:
status: New → Won't Fix

Yaniv Kaul (ykaul) wrote :

Re-opening, I suspect it's a documentation bug. Opened https://bugzilla.redhat.com/show_bug.cgi?id=905108 about it.
http://www.openssh.org/faq.html#3.14 makes much more sense to me.

Yaniv Kaul (ykaul) wrote :

Not sure how to re-open (for some reason can't pick a different status).

Thierry Carrez (ttx) wrote :

Re-opened for you.

Do you know what mechanism you are using to inject those keys? Cloud-init (post-boot customization)? Or File injection (preboot customization)?

Changed in nova:
status: Won't Fix → New
status: New → Incomplete

Yaniv Kaul (ykaul) wrote :

I've used file injection.

Thierry Carrez (ttx) wrote :

Confirm that we are certainly using default mask at nova/virt/disk/api.py

Changed in nova:
importance: Undecided → Medium
status: Incomplete → Confirmed
Richard Jones (rjones-redhat) wrote :

Right .. note that in libguestfs the default umask is defined as 022.
http://libguestfs.org/guestfs.3.html#umask

If you want to make files with other permissions you either have to change
this umask (ie. call self.handle.umask somewhere), or else call self.handle.chmod
on the file afterwards.
http://libguestfs.org/guestfs.3.html#guestfs_umask
http://libguestfs.org/guestfs.3.html#guestfs_chmod

OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/20663

Changed in nova:
assignee: nobody → Davanum Srinivas (DIMS) (dims-v)
status: Confirmed → In Progress

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/20663
Committed: http://github.com/openstack/nova/commit/f57b61de71b2eaa31d889f7147968f8db4892e47
Submitter: Jenkins
Branch: master

commit f57b61de71b2eaa31d889f7147968f8db4892e47
Author: Davanum Srinivas <email address hidden>
Date: Mon Jan 28 20:23:53 2013 -0500

    Fix authorized_keys file permissions

    Explicitly set the file permissions to be 0600

    Fixes LP# 1107908

    Change-Id: Ife44deff41959180d31e7e88c29233e9b8cb0af2

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in nova:
milestone: none → grizzly-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: grizzly-3 → 2013.1
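
Added example, not part of the original thread and not nova's or libguestfs's code: it reproduces on a local temporary directory (standing in for the guest filesystem) how a umask of 022 yields a 0644 authorized_keys, and how setting the mode explicitly gives 0600 regardless of umask. The function names and the sample key are assumptions made for illustration.

```python
import os
import stat
import tempfile

# Constructed sample key line, not a real key.
SAMPLE_KEY = "ssh-ed25519 AAAAconstructedSampleKeyOnly user@example\n"

def inject_key_default_umask(root, key):
    """'Before': rely on the umask (022, the libguestfs default cited in the thread)."""
    ssh_dir = os.path.join(root, "root", ".ssh")
    old = os.umask(0o022)
    try:
        os.makedirs(ssh_dir, exist_ok=True)
        path = os.path.join(ssh_dir, "authorized_keys")
        with open(path, "a") as f:      # created as 0666 & ~022 = 0644
            f.write(key)
    finally:
        os.umask(old)
    return path

def inject_key_explicit_mode(root, key):
    """'After': set modes explicitly so the result does not depend on the umask."""
    ssh_dir = os.path.join(root, "root", ".ssh")
    os.makedirs(ssh_dir, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    path = os.path.join(ssh_dir, "authorized_keys")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    try:
        os.fchmod(fd, 0o600)            # also tightens a file that already existed
        os.write(fd, key.encode())
    finally:
        os.close(fd)
    return path

def mode_of(path):
    return stat.S_IMODE(os.stat(path).st_mode)

def too_permissive(path):
    """True if any permission bit beyond owner read/write (0600) is set."""
    return bool(mode_of(path) & ~0o600)

def demo():
    with tempfile.TemporaryDirectory() as before, tempfile.TemporaryDirectory() as after:
        weak = inject_key_default_umask(before, SAMPLE_KEY)
        fixed = inject_key_explicit_mode(after, SAMPLE_KEY)
        return mode_of(weak), too_permissive(weak), mode_of(fixed), too_permissive(fixed)

if __name__ == "__main__":
    print(demo())
```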