INSECURE permissions for Ubuntu Netplan YAML on installer execution, cloud images

Bug #2052524 reported by Thomas Ward
| Affects | Status | Importance | Assigned to | Milestone |
| --- | --- | --- | --- | --- |
| cloud-images | New | Undecided | Unassigned | |
| subiquity | Fix Released | High | Chris Peterson | |

Bug Description

Currently, the Subiquity installer for 22.04 and Server images creates 00-installer-config.yaml in /etc/netplan/ with the permissions 644 and ownership by root:root.

However, Ubuntu 22.04 now has version 0.106.1 backported via the -updates pocket. In netplan version 0.106.1, there is a requirement in the system that the permissions for netplan YAMLs need to be more secure, and that the files should not be readable by anyone. To that effect, the only functionally acceptable permissions that DO NOT throw warnings are 600 on the netplan YAML files.

This is a bug in the Subiquity installer used for Server 22.04 and others. This should likely be patched in Subiquity so that during the process of installation, Netplan required permissions are respected **on install** rather than allowing warnings to trigger after the fact and create extra noise.

---

This is flagged as a Security issue because it is in effect CWE-266 (CWE-266: Incorrect Privilege Assignment) and should be considered a security flaw, even if it's low-grade.

Thomas Ward (teward)
information type: Private Security → Public Security
Dan Bungert (dbungert)
tags: added: foundations-todo
Changed in subiquity:
status: New → Triaged
importance: Undecided → High
Thomas Ward (teward)
description: updated
description: updated
Thomas Ward (teward) wrote :

Additional notes:

This has been confirmed as of yesterday to affect the Cloud images which, when deployed via LXD, include a 50-cloud-init.yaml for DHCP with the same permissions flaws. This may need to be handled in cloud image generation with an additional chmod call (and may be a cloud-init issue if LXD populates that way).

Chris Peterson (cpete)
Changed in subiquity:
assignee: nobody → Chris Peterson (cpete)
Thomas Ward (teward)
summary: - INSECURE permissions for Ubuntu Netplan YAML on installer execution
+ INSECURE permissions for Ubuntu Netplan YAML on installer execution,
+ cloud images
Dan Bungert (dbungert) wrote :
Changed in subiquity:
status: Triaged → Fix Committed
Dan Bungert (dbungert) wrote :

For the Subiquity case, note that the existing behavior was to keep wifi data in a separate file that was consistent with the root-visible-only permissions that Netplan was asking for, so the case discussed here would apply to non-wifi secrets only and is otherwise just a warning. Was still worth fixing though, thank you for the report.

Dan Bungert (dbungert) wrote :

A fix for this issue has been released in Subiquity 24.02.1 for Ubuntu live-server. You can find this build now on the stable channel.

To pick up this fix, please allow the installer snap to update, or you can use the directive `refresh-installer: { update: yes }` in autoinstall to achieve the same result.

Changed in subiquity:
status: Fix Committed → Fix Released
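
The permission check discussed in the report and in the cloud-image note, as an added example that is not part of the bug thread or of Subiquity: a POSIX shell audit that flags Netplan YAML files with any group or other permission bit set and resets them to 600. It assumes GNU `stat` as shipped on Ubuntu; the function names and the `90-wifi.yaml` sample file are hypothetical.

```shell
#!/bin/sh
# Added example (not Subiquity or cloud-image code): audit and tighten
# permissions on Netplan YAML files, per the 600 requirement in the report.

# Print "MODE OWNER:GROUP PATH" for every regular *.yaml file in the given
# directory (default /etc/netplan) that has any group/other permission bit set.
netplan_audit() {
    dir=${1:-/etc/netplan}
    for f in "$dir"/*.yaml; do
        # Skip unmatched globs and symlinks; only real files are judged.
        if [ ! -f "$f" ] || [ -L "$f" ]; then continue; fi
        mode=$(stat -c '%a' "$f")          # assumes GNU stat
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            printf '%s %s %s\n' "$mode" "$(stat -c '%U:%G' "$f")" "$f"
        fi
    done
    return 0
}

# chmod 600 every file the audit flags; prints each path it changed.
netplan_fix() {
    netplan_audit "$1" | while read -r _mode _owner path; do
        chmod 600 "$path" && printf 'fixed %s\n' "$path"
    done
}

# Demo on constructed sample files (placeholder contents; 90-wifi is hypothetical).
netplan_demo() {
    d=$(mktemp -d) || return 1
    for n in 00-installer-config 50-cloud-init 90-wifi; do
        printf 'network:\n  version: 2\n' > "$d/$n.yaml"
    done
    chmod 644 "$d/00-installer-config.yaml" "$d/50-cloud-init.yaml"
    chmod 600 "$d/90-wifi.yaml"
    echo "before:"; netplan_audit "$d"
    netplan_fix "$d"
    echo "after: $(netplan_audit "$d" | wc -l) file(s) still too open"
    rm -rf "$d"
}

# Audit the directory given as $1, or run the demo when called without arguments.
if [ "$#" -gt 0 ]; then netplan_audit "$1"; else netplan_demo; fi
```

Run `netplan_fix` as root on a real system, since the files under /etc/netplan are owned by root:root.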
This report contains Public Security information  
Everyone can see this security related information.
