Etcd Charm

client.key and server.key are readable by user 1000

Bug #1997531 reported by Nobuto Murata
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Etcd Charm
Fix Released
High
Samuel Allan
Etcd Charm 1.26+ck2

Bug Description

How to reproduce:

$ juju deploy --series focal \
    -n 3 \
    etcd \
    --config channel=3.4/stable

$ juju ssh etcd/0 -- ls -alF /var/snap/etcd/common/

total 40
drwxrwx--- 2 root ubuntu 4096 Nov 23 06:19 ./
drwxr-xr-x 4 root root 4096 Nov 23 05:25 ../
-r--r----- 1 root ubuntu 1220 Nov 23 06:19 ca.crt
-r--r----- 1 root ubuntu 4435 Nov 23 06:19 client.crt
-r--r----- 1 root ubuntu 1703 Nov 23 06:19 client.key
-r--r--r-- 1 root ubuntu 3982 Nov 23 06:19 etcd.conf.yml
-r--r----- 1 root ubuntu 4758 Nov 23 07:30 server.crt
-r--r----- 1 root ubuntu 1704 Nov 23 07:30 server.key

etcd is running as a root user, read permission to the ubuntu(1000) user is not necessary.

root 41533 0.0 0.3 11946580 34420 ? Ssl 07:30 0:13 /snap/etcd/230/bin/etcd --config-file /var/snap/etcd/common/etcd.conf.yml

Revision history for this message
Nobuto Murata (nobuto) wrote :

I think the part of the code can be different layer than etcd:
https://github.com/charmed-kubernetes/layer-tls-client/blob/main/reactive/tls_client.py

George Kraft (cynerva)
Changed in charm-etcd:
status: New → Triaged
importance: Undecided → High
Samuel Allan (samuelallan)
Changed in charm-etcd:
assignee: nobody → Samuel Walladge (swalladge)
status: Triaged → In Progress
Revision history for this message
Samuel Allan (samuelallan) wrote :
Download full text (3.9 KiB)

It's possible that these files being readable by the ubuntu user is by design. The environment is configured here so etcdctl can be run as the ubuntu user: https://github.com/swalladge/layer-etcd/blob/60c755e56867e7c2508c21559193386ea6dc3ec6/reactive/etcd.py#L632-L645

Also with some experimenting today, it seems that something other than the tls-client layer is manipulating the file permissions. After updating the tls-client layer with new permissions and logging the os.stat output (which shows as expected), the files are still the same as before:

```
swalladge@server:~$ juju debug-log -i etcd --replay | grep -i writ
...
unit-etcd-0: 05:51:33 INFO unit.etcd/0.juju-log certificates:70: Writing client certificate to /var/snap/etcd/common/client.crt
unit-etcd-0: 05:51:33 INFO unit.etcd/0.juju-log certificates:70: Written /var/snap/etcd/common/client.crt, stat: os.stat_result(st_mode=33056, st_ino=1057374, st_dev=64514, st_nlink=1, st_uid=0, st_gid=0, st_size=1443, st_atime=1674539493, st_mtime=1674539493, st_ctime=1674539493)
unit-etcd-0: 05:51:34 DEBUG unit.etcd/0.juju-log certificates:70: tracer: set flag tls_client.client.certificate.written
unit-etcd-0: 05:51:34 INFO unit.etcd/0.juju-log certificates:70: Writing client key to /var/snap/etcd/common/client.key
unit-etcd-0: 05:51:34 INFO unit.etcd/0.juju-log certificates:70: Written /var/snap/etcd/common/client.key, stat: os.stat_result(st_mode=33056, st_ino=1057392, st_dev=64514, st_nlink=1, st_uid=0, st_gid=0, st_size=1678, st_atime=1674539494, st_mtime=1674539494, st_ctime=1674539494)
unit-etcd-0: 05:51:34 INFO unit.etcd/0.juju-log certificates:70: Writing CA certificate to /var/snap/etcd/common/ca.crt
unit-etcd-0: 05:51:34 INFO unit.etcd/0.juju-log certificates:70: Written /var/snap/etcd/common/ca.crt, stat: os.stat_result(st_mode=33056, st_ino=1057393, st_dev=64514, st_nlink=1, st_uid=0, st_gid=0, st_size=1245, st_atime=1674539494, st_mtime=1674539494, st_ctime=1674539494)
unit-etcd-0: 05:51:34 DEBUG unit.etcd/0.juju-log certificates:70: tracer: set flag tls_client.ca.written
unit-etcd-0: 05:51:34 INFO unit.etcd/0.juju-log certificates:70: Writing CA certificate to /usr/local/share/ca-certificates/etcd.crt
unit-etcd-0: 05:51:34 INFO unit.etcd/0.juju-log certificates:70: Written /usr/local/share/ca-certificates/etcd.crt, stat: os.stat_result(st_mode=33060, st_ino=805100, st_dev=64514, st_nlink=1, st_uid=0, st_gid=0, st_size=1245, st_atime=1674539494, st_mtime=1674539494, st_ctime=1674539494)
unit-etcd-0: 05:51:34 INFO unit.etcd/0.juju-log certificates:70: Writing server certificate to /var/snap/etcd/common/server.crt
unit-etcd-0: 05:51:34 INFO unit.etcd/0.juju-log certificates:70: Written /var/snap/etcd/common/server.crt, stat: os.stat_result(st_mode=33056, st_ino=1057394, st_dev=64514, st_nlink=1, st_uid=0, st_gid=0, st_size=1496, st_atime=1674539494, st_mtime=1674539494, st_ctime=1674539494)
unit-etcd-0: 05:51:34 DEBUG unit.etcd/0.juju-log certificates:70: tracer: set flag tls_client.server.certificate.written
unit-etcd-0: 05:51:34 INFO unit.etcd/0.juju-log certificates:70: Writing server key to /var/snap/etcd/common/server.key
unit-etcd-0: 05:51:34 INFO unit.etcd/0.juju-log certific...

Read more...

Revision history for this message
Samuel Allan (samuelallan) wrote :

Addressing this with https://github.com/charmed-kubernetes/layer-etcd/pull/206 - see the description there for more information. :)

George Kraft (cynerva)
Changed in charm-etcd:
status: In Progress → Fix Committed
milestone: none → 1.26+ck2
Kevin W Monroe (kwmonroe)
tags: added: backport-needed
Revision history for this message
Kevin W Monroe (kwmonroe) wrote :

Backported with https://github.com/charmed-kubernetes/layer-etcd/commit/10aab5f7c485ebfdd94b3b9292dbefb42479b0c5

tags: removed: backport-needed
Kevin W Monroe (kwmonroe)
Changed in charm-etcd:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.