yahoo-eng-team team mailing list archive

[GUO Larry <1644064@xxxxxxxxxxxxxxxxxx>]

Public bug reported:

In my deploy image, the default permission of sshd_config file is 600.
It always be changed to 644 after cloud-init run. After debug, it is
caused by cloud-config item:

ssh_pwauth: true

The related code is:

        lines = [str(l) for l in new_lines]
        util.write_file(ssh_util.DEF_SSHD_CFG, "\n".join(lines))
of file cc_set_passwords.py.

write_file function use default mask 644 to write sshd_config. So my
file permission changed.

It shall be enhanced to read old sshd_config permission and write new
sshd_config with old permission to avoid security issue.

** Affects: cloud-init
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/1644064

Title:
  sshd_config file permission changed to 644 if ssh_pwauth value is true
  or false

Status in cloud-init:
  New

Bug description:
  In my deploy image, the default permission of sshd_config file is 600.
  It always be changed to 644 after cloud-init run. After debug, it is
  caused by cloud-config item:

  ssh_pwauth: true

  The related code is:

          lines = [str(l) for l in new_lines]
          util.write_file(ssh_util.DEF_SSHD_CFG, "\n".join(lines))
  of file cc_set_passwords.py.

  write_file function use default mask 644 to write sshd_config. So my
  file permission changed.

  It shall be enhanced to read old sshd_config permission and write new
  sshd_config with old permission to avoid security issue.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1644064/+subscriptions