shadow file permissions broken

Bug #1188820 reported by Scott Moser on 2013-06-07
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
walinuxagent (Ubuntu)
High
Ben Howard
Precise
Medium
Ben Howard
Raring
Medium
Ben Howard

Bug Description

[Impact]: WALinuxAgent, when provisioning, may delete the root password. However, in doing so, it changes the permissions of the shadow file from 0400 to 000.

[Regression]: This change simple sets the proper permission on /etc/shadow.

[Test Case]: Make sure that the permissions are 0400.

[Originial Report]:

inside an azure instance:

$ ls -altr /etc/shadow
---------- 1 root root 902 Jun 7 20:23 /etc/shadow

/usr/sbin/waagent has:
def DeleteRootPassword():
    filepath="/etc/shadow"
    ReplaceFileContentsAtomic(filepath, "root:*LOCK*:14600::::::\n" + "\n".join(filter(lambda a: not
        a.startswith("root:"),
        GetFileContents(filepath).split('\n'))))
    os.chmod(filepath, 0000)
    if IsRedHat():
        Run("chcon system_u:object_r:shadow_t:s0 " + filepath)
    Log("Root password deleted.")

more correct permissions on that file would be:
$ ls -altr /etc/shadow
-rw-r----- 1 root shadow 1497 May 29 16:51 /etc/shadow

ProblemType: Bug
DistroRelease: Ubuntu 13.04
Package: walinuxagent 1.3.2-0ubuntu1 [modified: usr/sbin/waagent]
ProcVersionSignature: Ubuntu 3.8.0-23.34-generic 3.8.11
Uname: Linux 3.8.0-23-generic x86_64
ApportVersion: 2.9.2-0ubuntu8
Architecture: amd64
Date: Fri Jun 7 20:32:03 2013
MarkForUpload: True
ProcEnviron:
 TERM=screen
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: walinuxagent
UpgradeStatus: No upgrade log present (probably fresh install)

Scott Moser (smoser) wrote :
Changed in walinuxagent (Ubuntu):
importance: Undecided → High
Ben Howard (darkmuggle) wrote :

This will be fixed in the 12.04 SRU for the cloud-init/udev rule fix. Since user-provisioning will not be done by WALinuxAgent, this gets mooted.

Changed in walinuxagent (Ubuntu):
assignee: nobody → Ben Howard (utlemming)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package walinuxagent - 1.3.2-0ubuntu4

---------------
walinuxagent (1.3.2-0ubuntu4) saucy; urgency=low

  * debian/patches/shadow_permissions.patch: apply the appropriate
    permissions to /etc/shadow (LP: #1188820).
  * debian/patches/verbose_logging.patch: use the appropriate log
    faculty when using verbose logging (LP: #1193404).
  * Mark bugs fixed in 1.3.2-0ubuntu3:
    debian/patches/config_for_cloud-init.patch:
    - fix for race condition between cloud-init and waagent (LP: #1195524)
    - mount resource disk on /mnt (LP: #1193380)
    - move walinuxagent init functionality to cloud-init (LP: #1037723)
 -- Ben Howard <email address hidden> Tue, 23 Jul 2013 09:43:40 -0600

Changed in walinuxagent (Ubuntu):
status: New → Fix Released
Ben Howard (darkmuggle) on 2013-08-07
description: updated

Hello Scott, or anyone else affected,

Accepted walinuxagent into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/walinuxagent/1.3.2-0ubuntu4~12.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Adam Conrad (adconrad) wrote :

Hello Scott, or anyone else affected,

Accepted walinuxagent into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/walinuxagent/1.3.2-0ubuntu4~12.04.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Adam Conrad (adconrad) wrote :

Hello Scott, or anyone else affected,

Accepted walinuxagent into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/walinuxagent/1.3.2-0ubuntu4~12.04.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Ben Howard (darkmuggle) wrote :

Confirmed with -proposed packages that this is fixed. Marking verification-done.

tags: added: verification-done
Ben Howard (darkmuggle) wrote :

Tested. Marking verification done.

Stéphane Graber (stgraber) wrote :

Hello Scott, or anyone else affected,

Accepted walinuxagent into raring-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/walinuxagent/1.3.2-0ubuntu2~13.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in walinuxagent (Ubuntu Raring):
status: New → Fix Committed
Ben Howard (darkmuggle) on 2013-10-23
Changed in walinuxagent (Ubuntu Precise):
importance: Undecided → Medium
Changed in walinuxagent (Ubuntu Raring):
importance: Undecided → Medium
Changed in walinuxagent (Ubuntu Precise):
assignee: nobody → Ben Howard (utlemming)
Changed in walinuxagent (Ubuntu Raring):
assignee: nobody → Ben Howard (utlemming)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package walinuxagent - 1.3.2-0ubuntu2~13.04.1

---------------
walinuxagent (1.3.2-0ubuntu2~13.04.1) raring-proposed; urgency=low

  * Backport of 1.3.2-0ubuntu5 from 13.10
    * disable ephemeral disk formating by default (LP: #1231490)
    * debian/patches/shadow_permissions.patch: apply the appropriate
      permissions to /etc/shadow (LP: #1188820).
    * debian/patches/verbose_logging.patch: use the appropriate log
      faculty when using verbose logging (LP: #1193404).
    * Mark bugs fixed in 1.3.2-0ubuntu3:
      debian/patches/config_for_cloud-init.patch:
      - fix for race condition between cloud-init and waagent (LP: #1195524)
      - mount resource disk on /mnt (LP: #1193380)
      - move walinuxagent init functionality to cloud-init (LP: #1037723)
  * Add requirement of cloud-init (LP: #1037723).
 -- Ben Howard <email address hidden> Thu, 10 Oct 2013 09:24:46 -0600

Changed in walinuxagent (Ubuntu Raring):
status: Fix Committed → Fix Released
Ben Howard (darkmuggle) on 2013-11-21
Changed in walinuxagent (Ubuntu Precise):
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers