yahoo-eng-team team mailing list archive
Message #63817
[Bug 1644064] Re: sshd_config file permission changed to 644 if ssh_pwauth value is true or false
** Also affects: cloud-init (Ubuntu Zesty)
Importance: Undecided
Status: New
** Also affects: cloud-init (Ubuntu Yakkety)
Importance: Undecided
Status: New
** Also affects: cloud-init (Ubuntu Xenial)
Importance: Undecided
Status: New
** Changed in: cloud-init (Ubuntu Xenial)
Status: New => Confirmed
** Changed in: cloud-init (Ubuntu Yakkety)
Status: New => Confirmed
** Changed in: cloud-init (Ubuntu Zesty)
Status: New => Confirmed
** Changed in: cloud-init (Ubuntu Xenial)
Importance: Undecided => Medium
** Changed in: cloud-init (Ubuntu Yakkety)
Importance: Undecided => Medium
** Changed in: cloud-init (Ubuntu Zesty)
Importance: Undecided => Medium
** Changed in: cloud-init (Ubuntu Artful)
Importance: Undecided => Medium
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/1644064
Title:
sshd_config file permission changed to 644 if ssh_pwauth value is true
or false
Status in cloud-init:
Fix Committed
Status in cloud-init package in Ubuntu:
Fix Released
Status in cloud-init source package in Xenial:
Confirmed
Status in cloud-init source package in Yakkety:
Confirmed
Status in cloud-init source package in Zesty:
Confirmed
Status in cloud-init source package in Artful:
Fix Released
Bug description:
=== Begin SRU Template ===
[Impact]
Existing security permissions on /etc/ssh/sshd_config file are not honored.
[Test Case]
wget https://git.launchpad.net/~smoser/cloud-init/+git/sru-info/plain/bin/lxc-proposed-snapshot
chmod 755 lxc-proposed-snapshot
# create config.yaml
cat > config.yaml <<EOF
#cloud-config
ssh_pwauth: true
EOF
name=proposed-test
for release in xenial yakkety zesty; do
    ref=$release-proposed;
    ./lxc-proposed-snapshot --proposed --publish $release $ref;
    lxc init $ref $name;
    lxc start $name;
    sleep 10;
    # tighten the mode of the existing sshd_config inside the container
    lxc file pull $name/etc/ssh/sshd_config .;
    chmod 600 sshd_config;
    lxc file push sshd_config $name/etc/ssh/sshd_config;
    lxc config set $name user.user-data - < config.yaml;
    lxc start $name;
    sleep 10;
    lxc exec $name -- ls -ltr /etc/ssh/sshd_config; # should remain 600
    lxc stop $name;
    lxc delete $name;
done
[Regression Potential]
Minimal as we are now honoring file permissions if an sshd_config file exists.
[Other Info]
=== End SRU Template ===
In my deploy image, the default permission of the sshd_config file is 600. It is always changed to 644 after cloud-init runs. After debugging, it is caused by the cloud-config item:
    ssh_pwauth: true
The related code is:
    lines = [str(l) for l in new_lines]
    util.write_file(ssh_util.DEF_SSHD_CFG, "\n".join(lines))
in the file cc_set_passwords.py.
The write_file function uses the default mask 644 to write sshd_config, so my
file permission changed.
It shall be enhanced to read the old sshd_config permission and write the new
sshd_config with the old permission to avoid a security issue.
To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1644064/+subscriptions
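The behaviour described in the bug and the fix it asks for, as an added example that is not cloud-init's code or part of the original report: `naive_write` is a hypothetical stand-in for a writer that always applies mode 644, and `write_preserving_mode` is a hypothetical helper that reuses the existing file's mode. The sshd_config used here is a constructed sample in a temporary directory.

```python
import os
import stat
import tempfile

DEFAULT_MODE = 0o644  # the default the report says write_file applies


def naive_write(path, content, mode=DEFAULT_MODE):
    """Hypothetical stand-in for the reported behaviour: always force `mode`."""
    with open(path, "w") as fh:
        fh.write(content)
    os.chmod(path, mode)


def write_preserving_mode(path, content, default_mode=DEFAULT_MODE):
    """Rewrite `path`, keeping its permission bits if the file already exists."""
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
    except FileNotFoundError:
        mode = default_mode  # nothing to honor, fall back to the default
    # mkstemp creates the temp file 0600 in the same directory, so the new
    # content is never exposed more widely than the final mode allows.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(content)
            os.fchmod(fh.fileno(), mode)  # set the mode before the swap
        os.replace(tmp, path)  # atomic rename on the same filesystem
    except BaseException:
        os.unlink(tmp)
        raise
    return mode


def demo():
    """Constructed sample: a 0600 sshd_config rewritten both ways."""
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "sshd_config")
        naive_write(cfg, "PasswordAuthentication no\n", mode=0o600)
        naive_write(cfg, "PasswordAuthentication yes\n")  # reported behaviour
        after_naive = stat.S_IMODE(os.stat(cfg).st_mode)
        os.chmod(cfg, 0o600)  # admin restores the tight mode
        write_preserving_mode(cfg, "PasswordAuthentication yes\n")
        after_fixed = stat.S_IMODE(os.stat(cfg).st_mode)
        fresh = os.path.join(d, "new_config")  # no prior file: default applies
        write_preserving_mode(fresh, "PasswordAuthentication yes\n")
        return after_naive, after_fixed, stat.S_IMODE(os.stat(fresh).st_mode)


if __name__ == "__main__":
    print([oct(m) for m in demo()])
```

Replacing the file through a temporary file creates a new inode, so a caller that also needs to keep a non-default owner or ACL has to copy those separately.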