Insecure key file permissions
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
curtin |
Fix Released
|
High
|
Unassigned | ||
curtin (Ubuntu) |
Fix Released
|
High
|
Unassigned | ||
Trusty |
Fix Released
|
High
|
Unassigned | ||
Utopic |
Fix Released
|
High
|
Unassigned | ||
Vivid |
Fix Released
|
High
|
Unassigned |
Bug Description
=== SRU Information ===
[Impact]
Systems installed using curtin inadvertantly have a default set of acl applied
to the root directory. Those default acl can wreak havoc with seemingly
sane expectations of users or packages or administrators.
For example, the problem that was noticed essentially boiled down to a
program doing:
( umask 0066 ; rm -f secret-file; echo "passw0rd" > secret-file )
and then later that program checked permissions of the file
and found:
$ ls -l secret-file
-rw-r--r-- 1 smoser smoser 0 Oct 27 12:00 secret-file
instead of
-rw------- 1 smoser smoser 0 Oct 27 12:00 secret-file
And raised exception.
This is not at all an unreasonable expectation.
Essentially, this boils down to all packages not being ready to handle
having filesystem ACL in place. Additionally curtin did not intend on
installing the target with default ACLs that was a unexpected behavior of
tar (raised in bug 1386237)
[Test Case]
* Install system with MAAS and fast path installer (curtin).
* mkdir /tmp/mydir
* cd /tmp/mydir
* ( umask 0066 ; rm -f secret-file; echo "passw0rd" > secret-file )
* ls -l secret-file
Expected output is that file has 600 permissions. Failure case, is 644.
[Regression Potential]
Fairly small chance for regression as the tar files created for consumption
are not created with acl information inside. Generally ubuntu installations
do not have default ACL in place on /, and thus the change creates less
chance for unexpected behavior than is currently present.
[Other Info]
This bug is not actually present in the version of curtin in trusty.
However, the fix for this issue is in the code added to fix bug 1313550.
The bug is present in utopic's version of curtin.
=== End SRU Information ===
openstack-dashboard 1:2014.
Got this during installation with the charm:
(...)
2014-10-17 17:17:07 INFO install Setting up openstack-dashboard (1:2014.
2014-10-17 17:17:07 INFO install Collecting and compressing static assets...
2014-10-17 17:17:07 INFO install Traceback (most recent call last):
2014-10-17 17:17:07 INFO install File "manage.py", line 25, in <module>
2014-10-17 17:17:07 INFO install execute_
2014-10-17 17:17:07 INFO install File "/usr/lib/
2014-10-17 17:17:07 INFO install utility.execute()
2014-10-17 17:17:07 INFO install File "/usr/lib/
2014-10-17 17:17:07 INFO install self.fetch_
2014-10-17 17:17:07 INFO install File "/usr/lib/
2014-10-17 17:17:07 INFO install commands = get_commands()
2014-10-17 17:17:07 INFO install File "/usr/lib/
2014-10-17 17:17:07 INFO install apps = settings.
2014-10-17 17:17:07 INFO install File "/usr/lib/
2014-10-17 17:17:07 INFO install self._setup(name)
2014-10-17 17:17:07 INFO install File "/usr/lib/
2014-10-17 17:17:07 INFO install self._wrapped = Settings(
2014-10-17 17:17:07 INFO install File "/usr/lib/
2014-10-17 17:17:07 INFO install mod = importlib.
2014-10-17 17:17:07 INFO install File "/usr/lib/
2014-10-17 17:17:07 INFO install __import__(name)
2014-10-17 17:17:07 INFO install File "/usr/share/
2014-10-17 17:17:07 INFO install from local.local_
2014-10-17 17:17:07 INFO install File "/usr/share/
2014-10-17 17:17:07 INFO install SECRET_KEY = secret_
2014-10-17 17:17:07 INFO install File "/usr/lib/
2014-10-17 17:17:07 INFO install raise FilePermissionE
2014-10-17 17:17:07 INFO install horizon.
2014-10-17 17:17:07 INFO install dpkg: error processing package openstack-dashboard (--configure):
2014-10-17 17:17:07 INFO install subprocess installed post-installation script returned error exit status 1
2014-10-17 17:17:07 INFO install dpkg: dependency problems prevent configuration of openstack-
2014-10-17 17:17:07 INFO install openstack-
2014-10-17 17:17:07 INFO install Package openstack-dashboard is not configured yet.
2014-10-17 17:17:07 INFO install
2014-10-17 17:17:07 INFO install dpkg: error processing package openstack-
2014-10-17 17:17:07 INFO install dependency problems - leaving unconfigured
2014-10-17 17:17:07 INFO install No apport report written because the error message indicates its a followup error from a previous failure.
2014-10-17 17:17:07 INFO install Errors were encountered while processing:
2014-10-17 17:17:07 INFO install openstack-dashboard
2014-10-17 17:17:07 INFO install openstack-
2014-10-17 17:17:08 INFO install E: Sub-process /usr/bin/dpkg returned an error code (1)
Full logs attached.
tags: | added: openstack |
summary: |
- Insecure key file permissions + Insecure key file permissions when running under LXC |
summary: |
- Insecure key file permissions when running under LXC + Insecure key file permissions |
Changed in curtin (Ubuntu): | |
status: | New → Confirmed |
no longer affects: | horizon (Ubuntu Trusty) |
no longer affects: | horizon (Ubuntu Utopic) |
description: | updated |
Changed in curtin (Ubuntu Utopic): | |
status: | New → Confirmed |
Changed in curtin (Ubuntu Trusty): | |
status: | New → Confirmed |
importance: | Undecided → High |
Changed in curtin (Ubuntu Utopic): | |
importance: | Undecided → High |
Changed in curtin (Ubuntu Vivid): | |
importance: | Undecided → High |
description: | updated |
tags: | added: oil |
Changed in horizon (Ubuntu Vivid): | |
status: | Confirmed → Invalid |
no longer affects: | horizon (Ubuntu) |
no longer affects: | horizon (Ubuntu Vivid) |
The secret_key file is created when python manage.py collectstatic is run, it seems.
We have two packages that run this command in postinst: openstack- dashboard- ubuntu- theme and openstack- dashboard. In this scenario, -ubuntu-theme is installed first. It runs that command in postinst, the file is created, and apparently with the incorrect permissions: 0644
Then openstack-dashboard runs it again, and this time the secret_key file already exists, and it complains about the incorrect permissions.