sshd_config file permissions changed to 644 when ssh_pwauth is set to true or false

Bug #1644064 reported by GUO Larry
Affects                 Status        Importance  Assigned to            Milestone
cloud-init              Fix Released  Medium      Lars Kellogg-Stedman
cloud-init (Ubuntu)     Fix Released  Medium      Unassigned
  Xenial                Fix Released  Medium      Unassigned
  Yakkety               Fix Released  Medium      Unassigned
  Zesty                 Fix Released  Medium      Unassigned
  Artful                Fix Released  Medium      Unassigned

Bug Description

=== Begin SRU Template ===
[Impact]
Existing security permissions on the /etc/ssh/sshd_config file are not honored.

[Test Case]

wget https://git.launchpad.net/~smoser/cloud-init/+git/sru-info/plain/bin/lxc-proposed-snapshot
chmod 755 lxc-proposed-snapshot

# create config.yml
cat config.yml
#cloud-config
ssh_pwauth: true

name=proposed-test
for release in xenial yakkety zesty; do
  ref=$release-proposed
  ./lxc-proposed-snapshot --proposed --publish $release $ref
  lxc init $ref $name
  # tighten the image's sshd_config to 600 before first boot
  lxc file pull $name/etc/ssh/sshd_config .
  chmod 600 sshd_config
  lxc file push sshd_config $name/etc/ssh/sshd_config
  lxc config set $name user.user-data - < config.yml
  lxc start $name
  sleep 10
  lxc exec $name -- ls -l /etc/ssh/sshd_config   # should remain 600 (-rw-------)
  lxc stop $name
  lxc delete $name
done

[Regression Potential]
Minimal, as we are now honoring the existing file permissions when an sshd_config file already exists.

[Other Info]

=== End SRU Template ===

In my deploy image, the default permission of the sshd_config file is 600. It is always changed to 644 after cloud-init runs. After debugging, it turned out to be caused by this cloud-config item:

ssh_pwauth: true

The related code, in cc_set_passwords.py, is:

        lines = [str(l) for l in new_lines]
        util.write_file(ssh_util.DEF_SSHD_CFG, "\n".join(lines))

The write_file function uses the default mode 644 to write sshd_config, so my file permissions are changed.

It should be enhanced to read the old sshd_config permissions and write the new sshd_config with the old permissions, to avoid this security issue.
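The following is an added example, not cloud-init's own code and not part of the original report. It reproduces, in a temporary directory, the behaviour described above: a stand-in for util.write_file that applies the 0644 default described in the report, beside a copy_mode variant that stats the existing file and reuses its permission bits, which is the approach of the upstream fix ("util: teach write_file about copy_mode option"). The function names (write_file, update_sshd_config, demo), the PasswordAuthentication rewrite logic and the sample sshd_config content are constructed for illustration and are not the real cc_set_passwords implementation.

```python
import os
import stat
import tempfile

# Constructed sample content for a minimal sshd_config (not a real file).
SSHD_CONFIG_SAMPLE = "# constructed sample\nPasswordAuthentication no\n"


def write_file(path, content, mode=0o644, copy_mode=False):
    """Illustrative stand-in for cloud-init's util.write_file.

    Without copy_mode the file ends up with the default mode (0o644 here,
    as in the report). With copy_mode=True the mode of an already existing
    file at path is read and re-applied, so a 0600 sshd_config stays 0600.
    Returns the mode that was applied.
    """
    if copy_mode:
        try:
            mode = stat.S_IMODE(os.stat(path).st_mode)
        except FileNotFoundError:
            pass  # no existing file: fall back to the default mode
    with open(path, "w") as fh:
        fh.write(content)
    # chmod explicitly so the process umask does not decide the outcome.
    os.chmod(path, mode)
    return mode


def update_sshd_config(path, pw_auth, copy_mode):
    """Rewrite PasswordAuthentication in sshd_config, roughly what
    cc_set_passwords does when ssh_pwauth is given (constructed logic).
    Returns the permission bits of the file after the rewrite."""
    with open(path) as fh:
        lines = fh.read().splitlines()
    value = "yes" if pw_auth else "no"
    new_lines = []
    replaced = False
    for line in lines:
        if line.strip().startswith("PasswordAuthentication"):
            new_lines.append("PasswordAuthentication " + value)
            replaced = True
        else:
            new_lines.append(line)
    if not replaced:
        new_lines.append("PasswordAuthentication " + value)
    write_file(path, "\n".join(new_lines) + "\n", copy_mode=copy_mode)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo(copy_mode):
    """Create a 0600 sshd_config in a temp dir, rewrite it with
    ssh_pwauth=true semantics, and return (mode_before, mode_after)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sshd_config")
        with open(path, "w") as fh:
            fh.write(SSHD_CONFIG_SAMPLE)
        os.chmod(path, 0o600)
        before = stat.S_IMODE(os.stat(path).st_mode)
        after = update_sshd_config(path, pw_auth=True, copy_mode=copy_mode)
        return before, after


if __name__ == "__main__":
    # Buggy behaviour: 0o600 -> 0o644. Fixed behaviour: 0o600 -> 0o600.
    print("without copy_mode:", [oct(m) for m in demo(False)])
    print("with copy_mode:   ", [oct(m) for m in demo(True)])
```

The explicit os.chmod in write_file matters for the check: if the helper relied on the creation mode of open() alone, an existing file would keep whatever bits it already had and the bug would not reproduce, which is exactly why the real fix needed to read the old mode rather than simply skip the chmod.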


Revision history for this message
Scott Moser (smoser) wrote :

Fixed in 721348a622a660b65acfdf7fdf53203b47f80748

Changed in cloud-init:
assignee: nobody → Lars Kellogg-Stedman (larsks)
importance: Undecided → Medium
status: New → Fix Committed
Changed in cloud-init (Ubuntu Artful):
status: New → Fix Released
Chad Smith (chad.smith)
description: updated
Scott Moser (smoser)
Changed in cloud-init (Ubuntu Xenial):
status: New → Confirmed
Changed in cloud-init (Ubuntu Yakkety):
status: New → Confirmed
Changed in cloud-init (Ubuntu Zesty):
status: New → Confirmed
Changed in cloud-init (Ubuntu Xenial):
importance: Undecided → Medium
Changed in cloud-init (Ubuntu Yakkety):
importance: Undecided → Medium
Changed in cloud-init (Ubuntu Zesty):
importance: Undecided → Medium
Changed in cloud-init (Ubuntu Artful):
importance: Undecided → Medium
Revision history for this message
Steve Langasek (vorlon) wrote : Please test proposed package

Hello GUO, or anyone else affected,

Accepted cloud-init into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/cloud-init/0.7.9-113-g513e99e0-0ubuntu1~16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in cloud-init (Ubuntu Xenial):
status: Confirmed → Fix Committed
tags: added: verification-needed
Revision history for this message
Steve Langasek (vorlon) wrote :

Hello GUO, or anyone else affected,

Accepted cloud-init into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/cloud-init/0.7.9-113-g513e99e0-0ubuntu1~16.10.1 in a few hours, and then in the -proposed repository.
(Testing and verification instructions as in the xenial-proposed comment above.)

Changed in cloud-init (Ubuntu Yakkety):
status: Confirmed → Fix Committed
Revision history for this message
Steve Langasek (vorlon) wrote :

Hello GUO, or anyone else affected,

Accepted cloud-init into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/cloud-init/0.7.9-113-g513e99e0-0ubuntu1~17.04.1 in a few hours, and then in the -proposed repository.
(Testing and verification instructions as in the xenial-proposed comment above.)

Changed in cloud-init (Ubuntu Zesty):
status: Confirmed → Fix Committed
Revision history for this message
Chad Smith (chad.smith) wrote :

Verified xenial keeps sshd_config perms:

$ name=test-proposed
$ release=xenial
$ ref=$release-proposed
$ ./lxc-proposed-snapshot --proposed --publish $release $ref
$ lxc init $ref $name
$ lxc init $ref $name
Creating test-proposed
$ lxc file pull $name/etc/ssh/sshd_config .
$ ls -ltr sshd_config
-rw-r--r-- 1 csmith csmith 2540 May 11 14:54 sshd_config
$ chmod 600 sshd_config
$ ls -ltr sshd_config
-rw------- 1 csmith csmith 2540 May 11 14:54 sshd_config
$ lxc file push sshd_config $name/etc/ssh/sshd_config;
$ cat config.yml
#cloud-config
ssh_pwauth: true
$ lxc config set $name user.user-data - < config.yml;
$ lxc start $name
$ sleep 10
$ lxc exec $name -- ls -ltr /etc/ssh/sshd_config
-rw------- 1 ubuntu ubuntu 2540 May 11 20:55 /etc/ssh/sshd_config
$ lxc exec $name -- dpkg -l cloud-init
...
ii cloud-init 0.7.9-113-g5 all Init scripts for cloud instances

description: updated
tags: added: verification-done-xenial
Revision history for this message
Chad Smith (chad.smith) wrote :

Validated yakkety and zesty---

cat config.yml
#cloud-config
ssh_pwauth: true
for release in yakkety zesty; do
  ref=$release-proposed
  lxc init $ref $name
  lxc file pull $name/etc/ssh/sshd_config .
  ls -l sshd_config
  chmod 600 sshd_config
  lxc file push sshd_config $name/etc/ssh/sshd_config
  lxc config set $name user.user-data - < config.yml
  lxc start $name
  sleep 10
  lxc exec $name -- ls -ltr /etc/ssh/sshd_config
  lxc exec $name -- dpkg -l cloud-init
  lxc exec $name -- grep VERSION= /etc/os-release
  lxc stop $name
  lxc delete $name
done
Creating proposed-test
-rw-r--r-- 1 csmith csmith 2506 May 12 13:34 sshd_config
-rw------- 1 ubuntu ubuntu 2506 May 12 19:34 /etc/ssh/sshd_config
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============-============-============-=================================
ii cloud-init 0.7.9-113-g5 all Init scripts for cloud instances
VERSION="16.10 (Yakkety Yak)"
Creating proposed-test
-rw-r--r-- 1 csmith csmith 3296 May 12 13:35 sshd_config
-rw------- 1 ubuntu ubuntu 3296 May 12 19:35 /etc/ssh/sshd_config
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============-============-============-=================================
ii cloud-init 0.7.9-113-g5 all Init scripts for cloud instances
VERSION="17.04 (Zesty Zapus)"

tags: added: verification-done-yakkety verification-done-zesty
removed: verification-needed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cloud-init - 0.7.9-113-g513e99e0-0ubuntu1~16.04.1

---------------
cloud-init (0.7.9-113-g513e99e0-0ubuntu1~16.04.1) xenial-proposed; urgency=medium

  * debian/update-grub-legacy-ec2: fix early exit failure no /etc/fstab
    file. (LP: #1682160)
  * New upstream snapshot.
    - nova-lxd: read product_name from environment, not platform.
      (LP: #1685810)
    - Fix yum repo config where keys contain array values [Dylan Perry]
    - template: Update debian backports template [Joshua Powers]
    - rsyslog: replace ~ with stop [Joshua Powers] (LP: #1367899)
    - Doc: add additional RTD examples [Joshua Powers]
    - Fix growpart for some cases when booted with root=PARTUUID.
      (LP: #1684869)
    - pylint: update output style to parseable [Joshua Powers]
    - pylint: fix all logging warnings [Joshua Powers]
    - CloudStack: Add NetworkManager to list of supported DHCP lease dirs.
      [Syed Mushtaq Ahmed]
    - net: kernel lies about vlans not stealing mac addresses, when they do
      [Dimitri John Ledkov] (LP: #1682871)
    - ds-identify: Check correct path for "latest" config drive
      [Daniel Watkins] (LP: #1673637)
    - doc: Fix example for resolv.conf configuration. [Jon Grimm]
    - Fix examples that reference upstream chef repository. [Jon Grimm]
    - doc: correct grammar and improve clarity in merging documentation.
      [David Tagatac]
    - doc: Add missing doc link to snap-config module. [Ryan Harper]
    - snap: allows for creating cloud-init snap [Joshua Powers]
    - DigitalOcean: assign IPv4ll address to lowest indexed interface.
      [Ben Howard] (LP: #1676908)
    - DigitalOcean: configure all NICs presented in meta-data.
      [Ben Howard] (LP: #1676908)
    - Remove (and/or fix) URL shortener references [Jon Grimm]
    - HACKING.rst: more info on filling out contributors agreement.
    - util: teach write_file about copy_mode option
      [Lars Kellogg-Stedman] (LP: #1644064)
    - DigitalOcean: bind resolvers to loopback interface.
      [Ben Howard] (LP: #1676908)
    - tests: fix AltCloud tests to not rely on blkid (LP: #1636531)

 -- Scott Moser <email address hidden> Thu, 27 Apr 2017 12:51:04 -0400

Changed in cloud-init (Ubuntu Xenial):
status: Fix Committed → Fix Released
Revision history for this message
Chris Halse Rogers (raof) wrote : Update Released

The verification of the Stable Release Update for cloud-init has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cloud-init - 0.7.9-113-g513e99e0-0ubuntu1~16.10.1

---------------
cloud-init (0.7.9-113-g513e99e0-0ubuntu1~16.10.1) yakkety; urgency=medium

  * debian/update-grub-legacy-ec2: fix early exit failure no /etc/fstab
    file. (LP: #1682160)
  * New upstream snapshot (same entries as the xenial-proposed upload above),
    including:
    - util: teach write_file about copy_mode option
      [Lars Kellogg-Stedman] (LP: #1644064)

 -- Scott Moser <email address hidden> Thu, 27 Apr 2017 13:38:40 -0400

Changed in cloud-init (Ubuntu Yakkety):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cloud-init - 0.7.9-113-g513e99e0-0ubuntu1~17.04.1

---------------
cloud-init (0.7.9-113-g513e99e0-0ubuntu1~17.04.1) zesty; urgency=medium

  * debian/update-grub-legacy-ec2: fix early exit failure no /etc/fstab
    file. (LP: #1682160)
  * New upstream snapshot (same entries as the xenial-proposed upload above),
    including:
    - util: teach write_file about copy_mode option
      [Lars Kellogg-Stedman] (LP: #1644064)

 -- Scott Moser <email address hidden> Thu, 27 Apr 2017 15:09:31 -0400

Changed in cloud-init (Ubuntu Zesty):
status: Fix Committed → Fix Released
Revision history for this message
Scott Moser (smoser) wrote : Fixed in Cloud-init 17.1

This bug is believed to be fixed in cloud-init in 17.1. If this is still a problem for you, please make a comment and set the state back to New

Thank you.

Changed in cloud-init:
status: Fix Committed → Fix Released