sshd_config file permission changed to 644 if ssh_pwauth value is true or false

Bug #1644064 reported by GUO Larry on 2016-11-23
This bug affects 3 people
Affects                  Importance  Assigned to
cloud-init               Medium      Lars Kellogg-Stedman
cloud-init (Ubuntu)      Medium      Unassigned
  Xenial                 Medium      Unassigned
  Yakkety                Medium      Unassigned
  Zesty                  Medium      Unassigned
  Artful                 Medium      Unassigned

Bug Description

=== Begin SRU Template ===
[Impact]
Existing security permissions on /etc/ssh/sshd_config file are not honored.

[Test Case]

wget https://git.launchpad.net/~smoser/cloud-init/+git/sru-info/plain/bin/lxc-proposed-snapshot
chmod 755 lxc-proposed-snapshot

# create config.yml (the cloud-config that triggers the rewrite of sshd_config)
cat > config.yml <<'EOF'
#cloud-config
ssh_pwauth: true
EOF

name=proposed-test
for release in xenial yakkety zesty; do
  ref=$release-proposed
  ./lxc-proposed-snapshot --proposed --publish $release $ref
  lxc init $ref $name
  # tighten the container's sshd_config to 600 before first boot
  lxc file pull $name/etc/ssh/sshd_config .
  chmod 600 sshd_config
  lxc file push sshd_config $name/etc/ssh/sshd_config
  lxc config set $name user.user-data - < config.yml
  lxc start $name
  sleep 10
  lxc exec $name -- ls -ltr /etc/ssh/sshd_config   # should remain 600
  lxc stop $name
  lxc delete $name
done

[Regression Potential]
Minimal, as we are now honoring the existing file permissions when an sshd_config file already exists.

[Other Info]

=== End SRU Template ===

In my deploy image, the default permission of the sshd_config file is 600. It is always changed to 644 after cloud-init runs. After debugging, it turned out to be caused by the cloud-config item:

ssh_pwauth: true

The related code, in cc_set_passwords.py, is:

        lines = [str(l) for l in new_lines]
        # write_file() is called without a mode, so its default (0644)
        # replaces whatever mode the existing sshd_config had
        util.write_file(ssh_util.DEF_SSHD_CFG, "\n".join(lines))

The write_file function uses the default mode 644 to write sshd_config, so my file's permission is changed.

It should be enhanced to read the old sshd_config permission and write the new sshd_config with that permission, to avoid the security issue.
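The mode-preserving write the report asks for, as an added example that is not cloud-init's own code: a minimal write_file with a copy_mode flag (the same idea as the upstream fix, "util: teach write_file about copy_mode option"), driven by a simplified PasswordAuthentication toggle over a constructed sshd_config. With copy_mode=False it reproduces the reported behaviour (the file comes back 644); with copy_mode=True the existing 600 survives. The function names, the sample config and the demo are assumptions made for this illustration; cloud-init's real write_file and cc_set_passwords differ in detail.

```python
"""Preserve an existing file's permission bits when rewriting it.

Added example for LP: #1644064, not cloud-init's code. Only the mode
bits are copied; ownership is not (cloud-init runs as root, and the
replaced file is owned by whoever performs the write).
"""
import os
import stat
import tempfile

DEFAULT_MODE = 0o644  # the mode the report observed after cloud-init ran


def write_file(path, content, mode=DEFAULT_MODE, copy_mode=False):
    """Rewrite path with content and return the resulting permission bits.

    copy_mode=False: the fixed default mode wins, whatever the admin set
    (the bug). copy_mode=True: stat the existing file first and reapply its
    mode bits. The new content goes to a temporary file in the same
    directory, is chmod'ed before it becomes visible under the final name,
    and is swapped in with os.replace(), so a 600 sshd_config is never even
    briefly world-readable while it is being rewritten.
    """
    if copy_mode:
        try:
            mode = stat.S_IMODE(os.stat(path).st_mode)
        except FileNotFoundError:
            pass  # nothing to copy from: fall back to the requested default
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix=".write_file-", dir=directory)
    try:
        with os.fdopen(fd, "w") as f:
            f.write(content)
        os.chmod(tmp, mode)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return stat.S_IMODE(os.stat(path).st_mode)


def set_password_auth(path, enabled, copy_mode):
    """Set PasswordAuthentication yes/no in an sshd_config, roughly what
    cc_set_passwords does for ssh_pwauth, then write it back.

    Simplified on purpose: exact keyword match only, commented-out lines
    are left untouched and a missing directive is appended.
    """
    with open(path) as f:
        lines = f.read().splitlines()
    value = "yes" if enabled else "no"
    new_lines, found = [], False
    for line in lines:
        if line.split()[:1] == ["PasswordAuthentication"]:
            new_lines.append("PasswordAuthentication " + value)
            found = True
        else:
            new_lines.append(line)
    if not found:
        new_lines.append("PasswordAuthentication " + value)
    return write_file(path, "\n".join(new_lines) + "\n", copy_mode=copy_mode)


# Constructed sample, not a real host's sshd_config.
SAMPLE_SSHD_CONFIG = """# constructed sample sshd_config
Port 22
#PasswordAuthentication yes
ChallengeResponseAuthentication no
"""


def demo():
    """Rewrite a 0600 sshd_config both ways.

    Returns ({copy_mode: resulting mode bits}, content after the rewrite).
    """
    modes, content = {}, None
    for copy_mode in (False, True):
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "sshd_config")
            with open(path, "w") as f:
                f.write(SAMPLE_SSHD_CONFIG)
            os.chmod(path, 0o600)  # the administrator's hardened permission
            modes[copy_mode] = set_password_auth(path, True, copy_mode)
            with open(path) as f:
                content = f.read()
    return modes, content


if __name__ == "__main__":
    result_modes, _ = demo()
    for flag, bits in result_modes.items():
        print("copy_mode=%-5s -> sshd_config mode %s" % (flag, oct(bits)))
```

Running the block prints 0o644 for copy_mode=False and 0o600 for copy_mode=True, which is exactly the before/after the [Test Case] checks with `ls -l /etc/ssh/sshd_config`. The temporary-file-plus-rename step is the part worth keeping even in a quick fix: a chmod applied after an in-place write leaves a window in which the hardened file is readable with the default mode.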


Scott Moser (smoser) wrote :

Fixed in 721348a622a660b65acfdf7fdf53203b47f80748

Changed in cloud-init:
assignee: nobody → Lars Kellogg-Stedman (larsks)
importance: Undecided → Medium
status: New → Fix Committed
Changed in cloud-init (Ubuntu Artful):
status: New → Fix Released
Chad Smith (chad.smith) on 2017-05-02
description: updated
Scott Moser (smoser) on 2017-05-05
Changed in cloud-init (Ubuntu Xenial):
status: New → Confirmed
Changed in cloud-init (Ubuntu Yakkety):
status: New → Confirmed
Changed in cloud-init (Ubuntu Zesty):
status: New → Confirmed
Changed in cloud-init (Ubuntu Xenial):
importance: Undecided → Medium
Changed in cloud-init (Ubuntu Yakkety):
importance: Undecided → Medium
Changed in cloud-init (Ubuntu Zesty):
importance: Undecided → Medium
Changed in cloud-init (Ubuntu Artful):
importance: Undecided → Medium

Hello GUO, or anyone else affected,

Accepted cloud-init into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/cloud-init/0.7.9-113-g513e99e0-0ubuntu1~16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification. Thank you in advance!

Changed in cloud-init (Ubuntu Xenial):
status: Confirmed → Fix Committed
tags: added: verification-needed
Steve Langasek (vorlon) wrote :

Hello GUO, or anyone else affected,

Accepted cloud-init into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/cloud-init/0.7.9-113-g513e99e0-0ubuntu1~16.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification. Thank you in advance!

Changed in cloud-init (Ubuntu Yakkety):
status: Confirmed → Fix Committed
Steve Langasek (vorlon) wrote :

Hello GUO, or anyone else affected,

Accepted cloud-init into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/cloud-init/0.7.9-113-g513e99e0-0ubuntu1~17.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification. Thank you in advance!

Changed in cloud-init (Ubuntu Zesty):
status: Confirmed → Fix Committed
Chad Smith (chad.smith) wrote :

Verified xenial keeps sshd_config perms:

$ name=test-proposed
$ release=xenial
$ ref=$release-proposed
$ ./lxc-proposed-snapshot --proposed --publish $release $ref
$ lxc init $ref $name
$ lxc init $ref $name
Creating test-proposed
$ lxc file pull $name/etc/ssh/sshd_config .
$ ls -ltr sshd_config
-rw-r--r-- 1 csmith csmith 2540 May 11 14:54 sshd_config
$ chmod 600 sshd_config
$ ls -ltr sshd_config
-rw------- 1 csmith csmith 2540 May 11 14:54 sshd_config
$ lxc file push sshd_config $name/etc/ssh/sshd_config;
$ cat config.yml
#cloud-config
ssh_pwauth: true
$ lxc config set $name user.user-data - < config.yml;
$ lxc start $name
$ sleep 10
$ lxc exec $name -- ls -ltr /etc/ssh/sshd_config
-rw------- 1 ubuntu ubuntu 2540 May 11 20:55 /etc/ssh/sshd_config
$ lxc exec $name -- dpkg -l cloud-init
...
ii cloud-init 0.7.9-113-g5 all Init scripts for cloud instances

description: updated
tags: added: verification-done-xenial
Chad Smith (chad.smith) wrote :

Validated yakkety and zesty---

cat config.yml
#cloud-config
ssh_pwauth: true
for release in yakkety zesty; do ref=$release-proposed; lxc init $ref $name; lxc file pull $name/etc/ssh/sshd_config .; ls -l sshd_config; chmod 600 sshd_config; lxc file push sshd_config $name/etc/ssh/sshd_config; lxc config set $name user.user-data - < config.yml; lxc start $name; sleep 10; lxc exec $name -- ls -ltr /etc/ssh/sshd_config; lxc exec $name -- dpkg -l cloud-init; lxc exec $name -- grep VERSION= /etc/os-release; lxc stop $name; lxc delete $name; done;
Creating proposed-test
-rw-r--r-- 1 csmith csmith 2506 May 12 13:34 sshd_config
-rw------- 1 ubuntu ubuntu 2506 May 12 19:34 /etc/ssh/sshd_config
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============-============-============-=================================
ii cloud-init 0.7.9-113-g5 all Init scripts for cloud instances
VERSION="16.10 (Yakkety Yak)"
Creating proposed-test
-rw-r--r-- 1 csmith csmith 3296 May 12 13:35 sshd_config
-rw------- 1 ubuntu ubuntu 3296 May 12 19:35 /etc/ssh/sshd_config
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============-============-============-=================================
ii cloud-init 0.7.9-113-g5 all Init scripts for cloud instances
VERSION="17.04 (Zesty Zapus)"

tags: added: verification-done-yakkety verification-done-zesty
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cloud-init - 0.7.9-113-g513e99e0-0ubuntu1~16.04.1

---------------
cloud-init (0.7.9-113-g513e99e0-0ubuntu1~16.04.1) xenial-proposed; urgency=medium

  * debian/update-grub-legacy-ec2: fix early exit failure no /etc/fstab
    file. (LP: #1682160)
  * New upstream snapshot.
    - nova-lxd: read product_name from environment, not platform.
      (LP: #1685810)
    - Fix yum repo config where keys contain array values [Dylan Perry]
    - template: Update debian backports template [Joshua Powers]
    - rsyslog: replace ~ with stop [Joshua Powers] (LP: #1367899)
    - Doc: add additional RTD examples [Joshua Powers]
    - Fix growpart for some cases when booted with root=PARTUUID.
      (LP: #1684869)
    - pylint: update output style to parseable [Joshua Powers]
    - pylint: fix all logging warnings [Joshua Powers]
    - CloudStack: Add NetworkManager to list of supported DHCP lease dirs.
      [Syed Mushtaq Ahmed]
    - net: kernel lies about vlans not stealing mac addresses, when they do
      [Dimitri John Ledkov] (LP: #1682871)
    - ds-identify: Check correct path for "latest" config drive
      [Daniel Watkins] (LP: #1673637)
    - doc: Fix example for resolv.conf configuration. [Jon Grimm]
    - Fix examples that reference upstream chef repository. [Jon Grimm]
    - doc: correct grammar and improve clarity in merging documentation.
      [David Tagatac]
    - doc: Add missing doc link to snap-config module. [Ryan Harper]
    - snap: allows for creating cloud-init snap [Joshua Powers]
    - DigitalOcean: assign IPv4ll address to lowest indexed interface.
      [Ben Howard] (LP: #1676908)
    - DigitalOcean: configure all NICs presented in meta-data.
      [Ben Howard] (LP: #1676908)
    - Remove (and/or fix) URL shortener references [Jon Grimm]
    - HACKING.rst: more info on filling out contributors agreement.
    - util: teach write_file about copy_mode option
      [Lars Kellogg-Stedman] (LP: #1644064)
    - DigitalOcean: bind resolvers to loopback interface.
      [Ben Howard] (LP: #1676908)
    - tests: fix AltCloud tests to not rely on blkid (LP: #1636531)

 -- Scott Moser <email address hidden> Thu, 27 Apr 2017 12:51:04 -0400

Changed in cloud-init (Ubuntu Xenial):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for cloud-init has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cloud-init - 0.7.9-113-g513e99e0-0ubuntu1~16.10.1

---------------
cloud-init (0.7.9-113-g513e99e0-0ubuntu1~16.10.1) yakkety; urgency=medium

  * debian/update-grub-legacy-ec2: fix early exit failure no /etc/fstab
    file. (LP: #1682160)
  * New upstream snapshot.
    - nova-lxd: read product_name from environment, not platform.
      (LP: #1685810)
    - Fix yum repo config where keys contain array values [Dylan Perry]
    - template: Update debian backports template [Joshua Powers]
    - rsyslog: replace ~ with stop [Joshua Powers] (LP: #1367899)
    - Doc: add additional RTD examples [Joshua Powers]
    - Fix growpart for some cases when booted with root=PARTUUID.
      (LP: #1684869)
    - pylint: update output style to parseable [Joshua Powers]
    - pylint: fix all logging warnings [Joshua Powers]
    - CloudStack: Add NetworkManager to list of supported DHCP lease dirs.
      [Syed Mushtaq Ahmed]
    - net: kernel lies about vlans not stealing mac addresses, when they do
      [Dimitri John Ledkov] (LP: #1682871)
    - ds-identify: Check correct path for "latest" config drive
      [Daniel Watkins] (LP: #1673637)
    - doc: Fix example for resolv.conf configuration. [Jon Grimm]
    - Fix examples that reference upstream chef repository. [Jon Grimm]
    - doc: correct grammar and improve clarity in merging documentation.
      [David Tagatac]
    - doc: Add missing doc link to snap-config module. [Ryan Harper]
    - snap: allows for creating cloud-init snap [Joshua Powers]
    - DigitalOcean: assign IPv4ll address to lowest indexed interface.
      [Ben Howard] (LP: #1676908)
    - DigitalOcean: configure all NICs presented in meta-data.
      [Ben Howard] (LP: #1676908)
    - Remove (and/or fix) URL shortener references [Jon Grimm]
    - HACKING.rst: more info on filling out contributors agreement.
    - util: teach write_file about copy_mode option
      [Lars Kellogg-Stedman] (LP: #1644064)
    - DigitalOcean: bind resolvers to loopback interface.
      [Ben Howard] (LP: #1676908)
    - tests: fix AltCloud tests to not rely on blkid (LP: #1636531)

 -- Scott Moser <email address hidden> Thu, 27 Apr 2017 13:38:40 -0400

Changed in cloud-init (Ubuntu Yakkety):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cloud-init - 0.7.9-113-g513e99e0-0ubuntu1~17.04.1

---------------
cloud-init (0.7.9-113-g513e99e0-0ubuntu1~17.04.1) zesty; urgency=medium

  * debian/update-grub-legacy-ec2: fix early exit failure no /etc/fstab
    file. (LP: #1682160)
  * New upstream snapshot.
    - nova-lxd: read product_name from environment, not platform.
      (LP: #1685810)
    - Fix yum repo config where keys contain array values [Dylan Perry]
    - template: Update debian backports template [Joshua Powers]
    - rsyslog: replace ~ with stop [Joshua Powers] (LP: #1367899)
    - Doc: add additional RTD examples [Joshua Powers]
    - Fix growpart for some cases when booted with root=PARTUUID.
      (LP: #1684869)
    - pylint: update output style to parseable [Joshua Powers]
    - pylint: fix all logging warnings [Joshua Powers]
    - CloudStack: Add NetworkManager to list of supported DHCP lease dirs.
      [Syed Mushtaq Ahmed]
    - net: kernel lies about vlans not stealing mac addresses, when they do
      [Dimitri John Ledkov] (LP: #1682871)
    - ds-identify: Check correct path for "latest" config drive
      [Daniel Watkins] (LP: #1673637)
    - doc: Fix example for resolv.conf configuration. [Jon Grimm]
    - Fix examples that reference upstream chef repository. [Jon Grimm]
    - doc: correct grammar and improve clarity in merging documentation.
      [David Tagatac]
    - doc: Add missing doc link to snap-config module. [Ryan Harper]
    - snap: allows for creating cloud-init snap [Joshua Powers]
    - DigitalOcean: assign IPv4ll address to lowest indexed interface.
      [Ben Howard] (LP: #1676908)
    - DigitalOcean: configure all NICs presented in meta-data.
      [Ben Howard] (LP: #1676908)
    - Remove (and/or fix) URL shortener references [Jon Grimm]
    - HACKING.rst: more info on filling out contributors agreement.
    - util: teach write_file about copy_mode option
      [Lars Kellogg-Stedman] (LP: #1644064)
    - DigitalOcean: bind resolvers to loopback interface.
      [Ben Howard] (LP: #1676908)
    - tests: fix AltCloud tests to not rely on blkid (LP: #1636531)

 -- Scott Moser <email address hidden> Thu, 27 Apr 2017 15:09:31 -0400

Changed in cloud-init (Ubuntu Zesty):
status: Fix Committed → Fix Released

This bug is believed to be fixed in cloud-init in 17.1. If this is still a problem for you, please make a comment and set the state back to New.

Thank you.

Changed in cloud-init:
status: Fix Committed → Fix Released