permission denied when executing dhclient in Ec2 datasource
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
cloud-init | Fix Released | High | Chad Smith |
cloud-init (Ubuntu) | Fix Released | High | Ubuntu Security Team |
Bug Description
In the ec2 datasource, cloud-init runs dhclient from a tmp file in order to avoid apparmor restrictions and side effects.
In a change for bug 1707222 we started using /run/cloud-init for tmpfiles.
/run is mounted noexec. See example:
$ sudo /run/cloud-
sudo: unable to execute /run/cloud-
So, we need a tmp file in a place that allows execution.
Related bugs:
* bug 1709772: Enable ipv6 support on EC2
* bug 1707222: usage of /tmp during boot is not safe may get files deleted.
* bug 1717627: permission denied executing dhclient from /run
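The failure described in this report, as an added example (not cloud-init's own code): a sketch that detects a noexec mount from /proc/mounts-format text and picks a temp root that allows execution only when a file must be run from it. The fallback path /var/tmp/cloud-init, the function names and the sample mount table are assumptions made for illustration.

```python
import os
import shutil
import tempfile

# Constructed sample in /proc/mounts format (not taken from the bug report).
SAMPLE_MOUNTS = """\
/dev/xvda1 / ext4 rw,relatime,discard 0 0
tmpfs /run tmpfs rw,nosuid,noexec,relatime,size=101444k,mode=755 0 0
tmpfs /run/lock tmpfs rw,nosuid,nodev,noexec,relatime,size=5120k 0 0
"""

def mount_options(path, mounts_text):
    """Options of the longest mount point that contains path."""
    path = os.path.normpath(path)
    best, opts = "", []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mnt = fields[1]
        inside = path == mnt or path.startswith(mnt.rstrip("/") + "/")
        if inside and len(mnt) >= len(best):  # later entries shadow earlier ones
            best, opts = mnt, fields[3].split(",")
    return opts

def pick_tmp_root(needs_exe, mounts_text,
                  run_tmp="/run/cloud-init/tmp",
                  exec_tmp="/var/tmp/cloud-init"):  # exec_tmp is an assumed path
    """Stay under /run unless the caller must execute a file and /run is noexec."""
    if needs_exe and "noexec" in mount_options(run_tmp, mounts_text):
        return exec_tmp
    return run_tmp

def stage_executable(src, tmp_root):
    """Copy src into a fresh 0700 directory under tmp_root; return the copy's path."""
    os.makedirs(tmp_root, mode=0o700, exist_ok=True)
    workdir = tempfile.mkdtemp(prefix="cloud-init-dhcp-", dir=tmp_root)
    dst = os.path.join(workdir, os.path.basename(src))
    shutil.copy(src, dst)
    os.chmod(dst, 0o700)
    return dst

if __name__ == "__main__":
    with open("/proc/mounts") as fh:
        live = fh.read()
    print("data files  ->", pick_tmp_root(False, live))
    print("executables ->", pick_tmp_root(True, live))
```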
Related branches
- Scott Moser: Approve
- Server Team CI bot: Approve (continuous-integration)
- Dimitri John Ledkov (community): Needs Information
Diff: 249 lines (+132/-16), 5 files modified
- cloudinit/net/dhcp.py (+3/-2)
- cloudinit/net/tests/test_dhcp.py (+12/-6)
- cloudinit/temp_utils.py (+15/-7)
- cloudinit/tests/test_temp_utils.py (+101/-0)
- cloudinit/util.py (+1/-1)
Changed in cloud-init:
status: New → Confirmed
importance: Undecided → High
Changed in cloud-init (Ubuntu):
status: New → Confirmed
importance: Undecided → High
Changed in cloud-init:
assignee: nobody → Chad Smith (chad.smith)
status: Confirmed → In Progress
milestone: none → 0.7.10
Changed in cloud-init:
status: In Progress → Fix Committed
I would hope that
$ sudo /sbin/dhclient -1 -v -lf /run/cloud-init/tmp/cloud-init-dhcp-bs6g4xkw/dhcp.leases -pf /run/cloud-init/tmp/cloud-init-dhcp-bs6g4xkw/dhclient.pid eth0 -sf /bin/true
Should work fine.
And if /run/cloud-init/tmp/dhclient is not just a copy of /sbin/dhclient, then it should be shipped in the package as /usr/lib/cloud-init/dhclient or some-such. With an apparmor profile applied to it.
dhclient is something that could be remotely exploited, thus protecting it - even if for cloud-init Ec2Local initialisation would be nice.
Can you attach the contents of /run/cloud-init/tmp/dhclient? Can you elaborate on "in order to avoid apparmor restrictions and side effects"? Is this in fact a bug in Ubuntu stock apparmor profiles?