group.of.nepali.translators team mailing list archive
Message #13334
[Bug 1644064] Re: sshd_config file permission changed to 644 if ssh_pwauth value is true or false
This bug was fixed in the package cloud-init -
0.7.9-113-g513e99e0-0ubuntu1~17.04.1
---------------
cloud-init (0.7.9-113-g513e99e0-0ubuntu1~17.04.1) zesty; urgency=medium
* debian/update-grub-legacy-ec2: fix early exit failure no /etc/fstab
file. (LP: #1682160)
* New upstream snapshot.
- nova-lxd: read product_name from environment, not platform.
(LP: #1685810)
- Fix yum repo config where keys contain array values [Dylan Perry]
- template: Update debian backports template [Joshua Powers]
- rsyslog: replace ~ with stop [Joshua Powers] (LP: #1367899)
- Doc: add additional RTD examples [Joshua Powers]
- Fix growpart for some cases when booted with root=PARTUUID.
(LP: #1684869)
- pylint: update output style to parseable [Joshua Powers]
- pylint: fix all logging warnings [Joshua Powers]
- CloudStack: Add NetworkManager to list of supported DHCP lease dirs.
[Syed Mushtaq Ahmed]
- net: kernel lies about vlans not stealing mac addresses, when they do
[Dimitri John Ledkov] (LP: #1682871)
- ds-identify: Check correct path for "latest" config drive
[Daniel Watkins] (LP: #1673637)
- doc: Fix example for resolv.conf configuration. [Jon Grimm]
- Fix examples that reference upstream chef repository. [Jon Grimm]
- doc: correct grammar and improve clarity in merging documentation.
[David Tagatac]
- doc: Add missing doc link to snap-config module. [Ryan Harper]
- snap: allows for creating cloud-init snap [Joshua Powers]
- DigitalOcean: assign IPv4ll address to lowest indexed interface.
[Ben Howard] (LP: #1676908)
- DigitalOcean: configure all NICs presented in meta-data.
[Ben Howard] (LP: #1676908)
- Remove (and/or fix) URL shortener references [Jon Grimm]
- HACKING.rst: more info on filling out contributors agreement.
- util: teach write_file about copy_mode option
[Lars Kellogg-Stedman] (LP: #1644064)
- DigitalOcean: bind resolvers to loopback interface.
[Ben Howard] (LP: #1676908)
- tests: fix AltCloud tests to not rely on blkid (LP: #1636531)
-- Scott Moser <smoser@xxxxxxxxxx> Thu, 27 Apr 2017 15:09:31 -0400
** Changed in: cloud-init (Ubuntu Zesty)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1644064
Title:
sshd_config file permission changed to 644 if ssh_pwauth value is true
or false
Status in cloud-init:
Fix Committed
Status in cloud-init package in Ubuntu:
Fix Released
Status in cloud-init source package in Xenial:
Fix Released
Status in cloud-init source package in Yakkety:
Fix Released
Status in cloud-init source package in Zesty:
Fix Released
Status in cloud-init source package in Artful:
Fix Released
Bug description:
=== Begin SRU Template ===
[Impact]
Existing security permissions on /etc/ssh/sshd_config file are not honored.
[Test Case]
wget https://git.launchpad.net/~smoser/cloud-init/+git/sru-info/plain/bin/lxc-proposed-snapshot
chmod 755 lxc-proposed-snapshot
# create config.yaml
cat > config.yaml <<"EOF"
#cloud-config
ssh_pwauth: true
EOF
name=proposed-test
for release in xenial yakkety zesty; do
    ref=$release-proposed;
    # build and publish an image with cloud-init from -proposed
    ./lxc-proposed-snapshot --proposed --publish $release $ref;
    lxc init $ref $name;
    # tighten sshd_config to 600 before first boot
    lxc file pull $name/etc/ssh/sshd_config .;
    chmod 600 sshd_config;
    lxc file push sshd_config $name/etc/ssh/sshd_config;
    lxc config set $name user.user-data - < config.yaml;
    lxc start $name;
    sleep 10;
    lxc exec $name -- ls -ltr /etc/ssh/sshd_config; # should remain 600
    lxc stop $name;
    lxc delete $name;
done
[Regression Potential]
Minimal as we are now honoring file permissions if an sshd_config file exists.
[Other Info]
=== End SRU Template ===
In my deploy image, the default permission of the sshd_config file is 600.
It is always changed to 644 after cloud-init runs. After debugging, it is
caused by the cloud-config item:
ssh_pwauth: true
The related code is:
lines = [str(l) for l in new_lines]
util.write_file(ssh_util.DEF_SSHD_CFG, "\n".join(lines))
in the file cc_set_passwords.py.
The write_file function uses the default mask 644 to write sshd_config, so my
file permission changed.
It shall be enhanced to read the old sshd_config permission and write the new
sshd_config with the old permission to avoid a security issue.
To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1644064/+subscriptions
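
The permission change described in the bug, and the copy_mode behaviour named in the changelog entry, as an added Python sketch. It is not cloud-init's own code: the write_file signature, the demo helper and the temporary file names are assumptions made for illustration.

```python
import os
import stat
import tempfile


def write_file(path, content, mode=0o644, copy_mode=False):
    """Write content to path and set its permission bits (hypothetical helper).

    With copy_mode=True the permission bits of an existing file take
    precedence over `mode`; if the file does not exist, `mode` is used.
    """
    if copy_mode:
        try:
            mode = stat.S_IMODE(os.stat(path).st_mode)
        except FileNotFoundError:
            pass  # nothing to copy from: keep the caller's default
    # Passing `mode` to open() means a new file is never created wider
    # than intended; chmod then makes the result independent of umask.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    os.chmod(path, mode)
    return mode


def file_mode(path):
    """Return only the permission bits of path."""
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Return (mode after default write, after copy_mode write, for a new file)."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = os.path.join(tmp, "sshd_config")  # constructed stand-in file
        write_file(cfg, "PasswordAuthentication no\n", mode=0o600)
        # Rewrite with the default mode: the admin's 600 is replaced by 644.
        write_file(cfg, "PasswordAuthentication yes\n")
        clobbered = file_mode(cfg)
        # Restore 600, then rewrite with copy_mode: 600 is kept.
        os.chmod(cfg, 0o600)
        write_file(cfg, "PasswordAuthentication yes\n", copy_mode=True)
        preserved = file_mode(cfg)
        # No existing file to copy from: falls back to the default 644.
        new = os.path.join(tmp, "new_config")
        write_file(new, "PasswordAuthentication yes\n", copy_mode=True)
        created = file_mode(new)
    return clobbered, preserved, created


if __name__ == "__main__":
    print([oct(m) for m in demo()])
```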