| 2016-11-23 01:41:08 |
GUO Larry |
bug |
|
|
added bug |
| 2017-04-10 19:56:56 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~larsks/cloud-init/+git/cloud-init/+merge/322309 |
|
| 2017-04-28 15:47:49 |
Chad Smith |
bug task added |
|
cloud-init (Ubuntu) |
|
| 2017-04-28 15:48:01 |
Chad Smith |
nominated for series |
|
Ubuntu Artful |
|
| 2017-04-28 15:48:01 |
Chad Smith |
nominated for series |
|
Ubuntu Xenial |
|
| 2017-04-28 15:48:01 |
Chad Smith |
nominated for series |
|
Ubuntu Zesty |
|
| 2017-04-28 15:48:01 |
Chad Smith |
nominated for series |
|
Ubuntu Yakkety |
|
| 2017-05-01 19:59:35 |
Scott Moser |
cloud-init: importance |
Undecided |
Medium |
|
| 2017-05-01 19:59:35 |
Scott Moser |
cloud-init: status |
New |
Fix Committed |
|
| 2017-05-01 19:59:35 |
Scott Moser |
cloud-init: assignee |
|
Lars Kellogg-Stedman (larsks) |
|
| 2017-05-01 20:03:24 |
Scott Moser |
bug task added |
|
cloud-init (Ubuntu Artful) |
|
| 2017-05-01 20:03:36 |
Scott Moser |
cloud-init (Ubuntu Artful): status |
New |
Fix Released |
|
| 2017-05-02 01:37:05 |
Chad Smith |
description |
In my deploy image, the default permission of sshd_config file is 600. It always be changed to 644 after cloud-init run. After debug, it is caused by cloud-config item:
ssh_pwauth: true
The related code is:
lines = [str(l) for l in new_lines]
util.write_file(ssh_util.DEF_SSHD_CFG, "\n".join(lines))
of file cc_set_passwords.py.
write_file function use default mask 644 to write sshd_config. So my file permission changed.
It shall be enhanced to read old sshd_config permission and write new sshd_config with old permission to avoid security issue. |
=== Begin SRU Template ===
[Impact]
Existing security permissions on /etc/ssh/sshd_config file are not honored.
[Test Case]
wget https://git.launchpad.net/~smoser/cloud-init/+git/sru-info/plain/bin/lxc-proposed-snapshot
chmod 755 lxc-proposed-snapshot
# create config.yaml
cat config.yaml
#cloud-config
ssh_pwauth: true
name=proposed-test
for release in xenial yakkety zesty; do \
ref=$release-proposed;
lxc-proposed-snapshot --proposed --publish $release $ref;
lxc init $ref $name;
lxc start $name;
sleep 10;
lxc file pull $name/etc/ssh/sshd_config .;
chmod 600 sshd_config;
lxc file push sshd_config $name/etc/ssh/sshd_config;
lxc config set $name user.user-data - < config.yml;
lxc start;
sleep 10;
lxc exec $name ls -ltr /etc/ssh/sshd_config; # should remain 600
lxc stop $name;
lxc delete $name;
done
[Regression Potential]
Minimal as we are now honoring file permissions if an sshd_config file exists.
[Other Info]
=== End SRU Template ===
In my deploy image, the default permission of sshd_config file is 600. It always be changed to 644 after cloud-init run. After debug, it is caused by cloud-config item:
ssh_pwauth: true
The related code is:
lines = [str(l) for l in new_lines]
util.write_file(ssh_util.DEF_SSHD_CFG, "\n".join(lines))
of file cc_set_passwords.py.
write_file function use default mask 644 to write sshd_config. So my file permission changed.
It shall be enhanced to read old sshd_config permission and write new sshd_config with old permission to avoid security issue. |
|
| 2017-05-04 19:43:35 |
Rakesh Rana |
bug |
|
|
added subscriber Rakesh Rana |
| 2017-05-05 13:59:35 |
Scott Moser |
bug task added |
|
cloud-init (Ubuntu Zesty) |
|
| 2017-05-05 13:59:36 |
Scott Moser |
bug task added |
|
cloud-init (Ubuntu Yakkety) |
|
| 2017-05-05 13:59:37 |
Scott Moser |
bug task added |
|
cloud-init (Ubuntu Xenial) |
|
| 2017-05-05 14:00:00 |
Scott Moser |
cloud-init (Ubuntu Xenial): status |
New |
Confirmed |
|
| 2017-05-05 14:00:02 |
Scott Moser |
cloud-init (Ubuntu Yakkety): status |
New |
Confirmed |
|
| 2017-05-05 14:00:04 |
Scott Moser |
cloud-init (Ubuntu Zesty): status |
New |
Confirmed |
|
| 2017-05-05 14:00:08 |
Scott Moser |
cloud-init (Ubuntu Xenial): importance |
Undecided |
Medium |
|
| 2017-05-05 14:00:10 |
Scott Moser |
cloud-init (Ubuntu Yakkety): importance |
Undecided |
Medium |
|
| 2017-05-05 14:00:12 |
Scott Moser |
cloud-init (Ubuntu Zesty): importance |
Undecided |
Medium |
|
| 2017-05-05 14:00:15 |
Scott Moser |
cloud-init (Ubuntu Artful): importance |
Undecided |
Medium |
|
| 2017-05-08 19:04:25 |
Steve Langasek |
cloud-init (Ubuntu Xenial): status |
Confirmed |
Fix Committed |
|
| 2017-05-08 19:04:29 |
Steve Langasek |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2017-05-08 19:04:31 |
Steve Langasek |
bug |
|
|
added subscriber SRU Verification |
| 2017-05-08 19:04:36 |
Steve Langasek |
tags |
|
verification-needed |
|
| 2017-05-11 20:29:48 |
Steve Langasek |
cloud-init (Ubuntu Yakkety): status |
Confirmed |
Fix Committed |
|
| 2017-05-11 20:36:48 |
Steve Langasek |
cloud-init (Ubuntu Zesty): status |
Confirmed |
Fix Committed |
|
| 2017-05-11 20:54:26 |
Chad Smith |
description |
=== Begin SRU Template ===
[Impact]
Existing security permissions on /etc/ssh/sshd_config file are not honored.
[Test Case]
wget https://git.launchpad.net/~smoser/cloud-init/+git/sru-info/plain/bin/lxc-proposed-snapshot
chmod 755 lxc-proposed-snapshot
# create config.yaml
cat config.yaml
#cloud-config
ssh_pwauth: true
name=proposed-test
for release in xenial yakkety zesty; do \
ref=$release-proposed;
lxc-proposed-snapshot --proposed --publish $release $ref;
lxc init $ref $name;
lxc start $name;
sleep 10;
lxc file pull $name/etc/ssh/sshd_config .;
chmod 600 sshd_config;
lxc file push sshd_config $name/etc/ssh/sshd_config;
lxc config set $name user.user-data - < config.yml;
lxc start;
sleep 10;
lxc exec $name ls -ltr /etc/ssh/sshd_config; # should remain 600
lxc stop $name;
lxc delete $name;
done
[Regression Potential]
Minimal as we are now honoring file permissions if an sshd_config file exists.
[Other Info]
=== End SRU Template ===
In my deploy image, the default permission of sshd_config file is 600. It always be changed to 644 after cloud-init run. After debug, it is caused by cloud-config item:
ssh_pwauth: true
The related code is:
lines = [str(l) for l in new_lines]
util.write_file(ssh_util.DEF_SSHD_CFG, "\n".join(lines))
of file cc_set_passwords.py.
write_file function use default mask 644 to write sshd_config. So my file permission changed.
It shall be enhanced to read old sshd_config permission and write new sshd_config with old permission to avoid security issue. |
=== Begin SRU Template ===
[Impact]
Existing security permissions on /etc/ssh/sshd_config file are not honored.
[Test Case]
wget https://git.launchpad.net/~smoser/cloud-init/+git/sru-info/plain/bin/lxc-proposed-snapshot
chmod 755 lxc-proposed-snapshot
# create config.yaml
cat config.yaml
#cloud-config
ssh_pwauth: true
name=proposed-test
for release in xenial yakkety zesty; do \
ref=$release-proposed;
lxc-proposed-snapshot --proposed --publish $release $ref;
lxc init $ref $name;
lxc file pull $name/etc/ssh/sshd_config .;
chmod 600 sshd_config;
lxc file push sshd_config $name/etc/ssh/sshd_config;
lxc config set $name user.user-data - < config.yml;
lxc start;
sleep 10;
lxc exec $name ls -ltr /etc/ssh/sshd_config; # should remain 600
lxc stop $name;
lxc delete $name;
done
[Regression Potential]
Minimal as we are now honoring file permissions if an sshd_config file exists.
[Other Info]
=== End SRU Template ===
In my deploy image, the default permission of sshd_config file is 600. It always be changed to 644 after cloud-init run. After debug, it is caused by cloud-config item:
ssh_pwauth: true
The related code is:
lines = [str(l) for l in new_lines]
util.write_file(ssh_util.DEF_SSHD_CFG, "\n".join(lines))
of file cc_set_passwords.py.
write_file function use default mask 644 to write sshd_config. So my file permission changed.
It shall be enhanced to read old sshd_config permission and write new sshd_config with old permission to avoid security issue. |
|
| 2017-05-11 20:57:18 |
Chad Smith |
tags |
verification-needed |
verification-done-xenial verification-needed |
|
| 2017-05-12 19:35:47 |
Chad Smith |
tags |
verification-done-xenial verification-needed |
verification-done-xenial verification-done-yakkety verification-done-zesty |
|
| 2017-05-17 02:58:17 |
Launchpad Janitor |
cloud-init (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
| 2017-05-17 02:58:46 |
Chris Halse Rogers |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
| 2017-05-17 03:07:38 |
Launchpad Janitor |
cloud-init (Ubuntu Yakkety): status |
Fix Committed |
Fix Released |
|
| 2017-05-17 03:14:07 |
Launchpad Janitor |
cloud-init (Ubuntu Zesty): status |
Fix Committed |
Fix Released |
|
| 2017-09-23 02:14:29 |
Scott Moser |
cloud-init: status |
Fix Committed |
Fix Released |
|
| 2023-05-10 19:04:44 |
James Falcon |
bug watch added |
|
https://github.com/canonical/cloud-init/issues/2770 |
|
