2024-02-06 15:10:53 |
Thomas Ward |
bug |
|
|
added bug |
2024-02-06 15:10:57 |
Thomas Ward |
information type |
Private Security |
Public Security |
|
2024-02-06 15:11:22 |
Simon Déziel |
bug |
|
|
added subscriber Simon Déziel |
2024-02-06 15:13:47 |
Dan Bungert |
bug |
|
|
added subscriber Ubuntu Foundations Bugs |
2024-02-06 15:13:52 |
Dan Bungert |
tags |
|
foundations-todo |
|
2024-02-06 15:14:01 |
Dan Bungert |
subiquity: status |
New |
Triaged |
|
2024-02-06 15:14:11 |
Dan Bungert |
subiquity: importance |
Undecided |
High |
|
2024-02-06 16:18:41 |
Thomas Ward |
description |
Currently, the Subiquity installer for 22.04 and Server images creates 00-installer-config.yaml in /etc/netplan/ with the permissions 644 and ownership by root:root.
However, Ubuntu 22.04 now has version 0.106.1 backported via -updates pocket. In netplan version 0.106.1, there is a requirement in the system that the permissions for netplan YAMLs are insecure, and that the files should not be readable by anyone. To that effect, the only functionally acceptable permissions that DO NOT throw warnings are 600 on the netplan YAML files.
This is a bug in the Subiquity installer used for Server 22.04 and others. This should likely be patched in Subiquity so that during the process of installation, Netplan required permissions are respected **on install** rather than allowing warnings to trigger after the fact and create extra noise.
---
This is flagged as a Security issue because it is in effect CVE-266 (CWE-266: Incorrect Privilege Assignment) and should be considered a security flaw, even if it's low-grade. |
Currently, the Subiquity installer for 22.04 and Server images creates 00-installer-config.yaml in /etc/netplan/ with the permissions 644 and ownership by root:root.
However, Ubuntu 22.04 now has version 0.106.1 backported via -updates pocket. In netplan version 0.106.1, there is a requirement in the system that the permissions for netplan YAMLs are insecure, and that the files should not be readable by anyone. To that effect, the only functionally acceptable permissions that DO NOT throw warnings are 600 on the netplan YAML files.
This is a bug in the Subiquity installer used for Server 22.04 and others. This should likely be patched in Subiquity so that during the process of installation, Netplan required permissions are respected **on install** rather than allowing warnings to trigger after the fact and create extra noise.
---
This is flagged as a Security issue because it is in effect CWE-266 (CWE-266: Incorrect Privilege Assignment) and should be considered a security flaw, even if it's low-grade. |
|
2024-02-06 16:19:23 |
Thomas Ward |
description |
Currently, the Subiquity installer for 22.04 and Server images creates 00-installer-config.yaml in /etc/netplan/ with the permissions 644 and ownership by root:root.
However, Ubuntu 22.04 now has version 0.106.1 backported via -updates pocket. In netplan version 0.106.1, there is a requirement in the system that the permissions for netplan YAMLs are insecure, and that the files should not be readable by anyone. To that effect, the only functionally acceptable permissions that DO NOT throw warnings are 600 on the netplan YAML files.
This is a bug in the Subiquity installer used for Server 22.04 and others. This should likely be patched in Subiquity so that during the process of installation, Netplan required permissions are respected **on install** rather than allowing warnings to trigger after the fact and create extra noise.
---
This is flagged as a Security issue because it is in effect CWE-266 (CWE-266: Incorrect Privilege Assignment) and should be considered a security flaw, even if it's low-grade. |
Currently, the Subiquity installer for 22.04 and Server images creates 00-installer-config.yaml in /etc/netplan/ with the permissions 644 and ownership by root:root.
However, Ubuntu 22.04 now has version 0.106.1 backported via -updates pocket. In netplan version 0.106.1, there is a requirement in the system that the permissions for netplan YAMLs need to be more secure, and that the files should not be readable by anyone. To that effect, the only functionally acceptable permissions that DO NOT throw warnings are 600 on the netplan YAML files.
This is a bug in the Subiquity installer used for Server 22.04 and others. This should likely be patched in Subiquity so that during the process of installation, Netplan required permissions are respected **on install** rather than allowing warnings to trigger after the fact and create extra noise.
---
This is flagged as a Security issue because it is in effect CWE-266 (CWE-266: Incorrect Privilege Assignment) and should be considered a security flaw, even if it's low-grade. |
|
2024-02-12 18:06:32 |
Robie Basak |
bug task added |
|
cloud-images |
|
2024-02-12 18:25:19 |
Chris Peterson |
subiquity: assignee |
|
Chris Peterson (cpete) |
|
2024-02-12 18:30:16 |
Thomas Ward |
summary |
INSECURE permissions for Ubuntu Netplan YAML on installer execution |
INSECURE permissions for Ubuntu Netplan YAML on installer execution, cloud images |
|
2024-02-14 17:22:20 |
Dan Bungert |
subiquity: status |
Triaged |
Fix Committed |
|
2024-02-22 22:40:09 |
Dan Bungert |
subiquity: status |
Fix Committed |
Fix Released |
|