kernel-packages team mailing list archive
Message #50131
[Bug 1293549] Re: Filesystem mount from lxc template causes filesystem permission breakages
Thanks, that is a great reproducer.
Note that doing
rm -rf /etc/ssl/private
mkdir /etc/ssl/private
works around this, and explains why this *may* in fact be on purpose. If you only do
sudo chown ubuntu:ubuntu /etc/ssl/private
then the underlying directory is still owned by root and not readable by
ubuntu. So this could be seen as allowing for an information leak,
although it seems like a stretch to me since root has to do the chown in
the first place.
It wasn't immediately obvious to me where in the code
(linux/ubuntu/aufs/) this is happening.
** Also affects: linux (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1293549
Title: Filesystem mount from lxc template causes filesystem permission breakages
Status in juju-core:
Triaged
Status in lxc containers:
New
Status in “linux” package in Ubuntu:
Incomplete
Status in “postgresql” package in Juju Charms Collection:
New
Bug description:
In juju-core 1.17.5, creating new lxc machines is now much faster as
it appears to be using a template machine. In addition, the root
filesystem is mounted from the template machine.
Unfortunately, this causes filesystem permissions to screw up.
juju deploy ubuntu
juju ssh ubuntu/0
sudo chown ubuntu:ubuntu /etc/ssl/private
ls /etc/ssl/private
That final 'ls' fails with a permission denied. This is possibly a
security precaution in lxc or the filesystem.
This issue breaks the postgresql charm. The PostgreSQL packages
require and use the ssl-cert package, which changes /etc/ssl/private
to be group readable by the ssl-cert group. The postgres user, a
member of the ssl-cert group, is unable to read the private key stored
in this directory.
To manage notifications about this bug go to:
https://bugs.launchpad.net/juju-core/+bug/1293549/+subscriptions
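Added check, written for this archive page and not taken from the bug thread, juju, lxc or the postgresql charm: a shell function that prints the ownership and mode that stat reports for a directory and then attempts the same directory listing that the reproducer's ls performs, so a charm or an operator can detect the case described above, where chown changes the visible owner but the account still cannot read the directory. The path and user in the usage note are assumed values.

```shell
#!/bin/sh
# check_dir_access DIR
# Prints the owner, group and mode that stat reports for DIR, then tries the
# opendir that 'ls' performs as the current user. Exit status:
#   0  listing works
#   1  listing is denied even though stat shows a directory (the mismatch
#      seen in the bug when the lower layer stays root-owned)
#   2  DIR is not a directory
# Uses GNU stat -c, which is what Ubuntu ships.
check_dir_access() {
    dir=$1
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 2; }
    printf '%s: stat reports %s\n' "$dir" \
        "$(stat -c 'owner=%U group=%G mode=%A' "$dir")"
    # Do not trust the mode bits; perform the actual directory read.
    if ls -A "$dir" >/dev/null 2>&1; then
        echo "$dir: listing succeeds for $(id -un)"
        return 0
    fi
    echo "$dir: listing DENIED for $(id -un) despite the ownership above"
    return 1
}
```

Run it as the account that needs access, not as root (root bypasses the check). With the bug's path and the postgresql charm's user as assumed values: `sudo -u postgres sh -c '. ./check_dir_access.sh; check_dir_access /etc/ssl/private'`; exit status 1 is the condition the reproducer shows, and exit status 0 after the rm and mkdir workaround confirms the directory was actually recreated in the upper layer.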