import cloud-init-21.1-12.el9
parent
471cc202a7
commit
4e103214a5
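--- /dev/null
+++ b/ci-Fix-home-permissions-modified-by-ssh-module-SC-338-9.patch
@@ -0,0 +1,262 @@
+From 5bfe2ee2b063d87e6fd255d6c5e63123aa3f6de0 Mon Sep 17 00:00:00 2001
+From: Emanuele Giuseppe Esposito <eesposit@redhat.com>
+Date: Sat, 21 Aug 2021 13:55:53 +0200
+Subject: [PATCH] Fix home permissions modified by ssh module (SC-338) (#984)
+
+RH-Author: Emanuele Giuseppe Esposito <eesposit@redhat.com>
+RH-MergeRequest: 9: Fix home permissions modified by ssh module
+RH-Commit: [1/1] ab55db88aa1bf2f77acaca5e76ffabbab72b1fb2 (eesposit/cloud-init-centos-)
+RH-Bugzilla: 1995843
+RH-Acked-by: Mohamed Gamal Morsy <mmorsy@redhat.com>
+RH-Acked-by: Eduardo Otubo <otubo@redhat.com>
+
+TESTED: By me and QA
+BREW: 39178085
+
+Fix home permissions modified by ssh module (SC-338) (#984)
+
+commit 7d3f5d750f6111c2716143364ea33486df67c927
+Author: James Falcon <therealfalcon@gmail.com>
+Date: Fri Aug 20 17:09:49 2021 -0500
+
+Fix home permissions modified by ssh module (SC-338) (#984)
+
+Fix home permissions modified by ssh module
+
+In #956, we updated the file and directory permissions for keys not in
+the user's home directory. We also unintentionally modified the
+permissions within the home directory as well. These should not change,
+and this commit changes that back.
+
+LP: #1940233
+
+Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
+---
+cloudinit/ssh_util.py | 35 ++++-
+.../modules/test_ssh_keysfile.py | 132 +++++++++++++++---
+2 files changed, 146 insertions(+), 21 deletions(-)
+
+diff --git a/cloudinit/ssh_util.py b/cloudinit/ssh_util.py
+index b8a3c8f7..9ccadf09 100644
+--- a/cloudinit/ssh_util.py
++++ b/cloudinit/ssh_util.py
+@@ -321,23 +321,48 @@ def check_create_path(username, filename, strictmodes):
+home_folder = os.path.dirname(user_pwent.pw_dir)
+for directory in directories:
+parent_folder += "/" + directory
+- if home_folder.startswith(parent_folder):
++
++ # security check, disallow symlinks in the AuthorizedKeysFile path.
++ if os.path.islink(parent_folder):
++ LOG.debug(
++ "Invalid directory. Symlink exists in path: %s",
++ parent_folder)
++ return False
++
++ if os.path.isfile(parent_folder):
++ LOG.debug(
++ "Invalid directory. File exists in path: %s",
++ parent_folder)
++ return False
++
++ if (home_folder.startswith(parent_folder) or
++ parent_folder == user_pwent.pw_dir):
+continue
+
+- if not os.path.isdir(parent_folder):
++ if not os.path.exists(parent_folder):
+# directory does not exist, and permission so far are good:
+# create the directory, and make it accessible by everyone
+# but owned by root, as it might be used by many users.
+with util.SeLinuxGuard(parent_folder):
+- os.makedirs(parent_folder, mode=0o755, exist_ok=True)
+- util.chownbyid(parent_folder, root_pwent.pw_uid,
+- root_pwent.pw_gid)
++ mode = 0o755
++ uid = root_pwent.pw_uid
++ gid = root_pwent.pw_gid
++ if parent_folder.startswith(user_pwent.pw_dir):
++ mode = 0o700
++ uid = user_pwent.pw_uid
++ gid = user_pwent.pw_gid
++ os.makedirs(parent_folder, mode=mode, exist_ok=True)
++ util.chownbyid(parent_folder, uid, gid)
+
+permissions = check_permissions(username, parent_folder,
+filename, False, strictmodes)
+if not permissions:
+return False
+
++ if os.path.islink(filename) or os.path.isdir(filename):
++ LOG.debug("%s is not a file!", filename)
++ return False
++
+# check the file
+if not os.path.exists(filename):
+# if file does not exist: we need to create it, since the
+diff --git a/tests/integration_tests/modules/test_ssh_keysfile.py b/tests/integration_tests/modules/test_ssh_keysfile.py
+index f82d7649..3159feb9 100644
+--- a/tests/integration_tests/modules/test_ssh_keysfile.py
++++ b/tests/integration_tests/modules/test_ssh_keysfile.py
+@@ -10,10 +10,10 @@ TEST_USER1_KEYS = get_test_rsa_keypair('test1')
+TEST_USER2_KEYS = get_test_rsa_keypair('test2')
+TEST_DEFAULT_KEYS = get_test_rsa_keypair('test3')
+
+-USERDATA = """\
++_USERDATA = """\
+#cloud-config
+bootcmd:
+- - sed -i 's;#AuthorizedKeysFile.*;AuthorizedKeysFile /etc/ssh/authorized_keys %h/.ssh/authorized_keys2;' /etc/ssh/sshd_config
++ - {bootcmd}
+ssh_authorized_keys:
+- {default}
+users:
+@@ -24,27 +24,17 @@ users:
+- name: test_user2
+ssh_authorized_keys:
+- {user2}
+-""".format( # noqa: E501
++""".format(
++ bootcmd='{bootcmd}',
+default=TEST_DEFAULT_KEYS.public_key,
+user1=TEST_USER1_KEYS.public_key,
+user2=TEST_USER2_KEYS.public_key,
+)
+
+
+-@pytest.mark.ubuntu
+-@pytest.mark.user_data(USERDATA)
+-def test_authorized_keys(client: IntegrationInstance):
+- expected_keys = [
+- ('test_user1', '/home/test_user1/.ssh/authorized_keys2',
+- TEST_USER1_KEYS),
+- ('test_user2', '/home/test_user2/.ssh/authorized_keys2',
+- TEST_USER2_KEYS),
+- ('ubuntu', '/home/ubuntu/.ssh/authorized_keys2',
+- TEST_DEFAULT_KEYS),
+- ('root', '/root/.ssh/authorized_keys2', TEST_DEFAULT_KEYS),
+- ]
+-
++def common_verify(client, expected_keys):
+for user, filename, keys in expected_keys:
++ # Ensure key is in the key file
+contents = client.read_from_file(filename)
+if user in ['ubuntu', 'root']:
+# Our personal public key gets added by pycloudlib
+@@ -83,3 +73,113 @@ def test_authorized_keys(client: IntegrationInstance):
+look_for_keys=False,
+allow_agent=False,
+)
++
++ # Ensure we haven't messed with any /home permissions
++ # See LP: #1940233
++ home_dir = '/home/{}'.format(user)
++ home_perms = '755'
++ if user == 'root':
++ home_dir = '/root'
++ home_perms = '700'
++ assert '{} {}'.format(user, home_perms) == client.execute(
++ 'stat -c "%U %a" {}'.format(home_dir)
++ )
++ if client.execute("test -d {}/.ssh".format(home_dir)).ok:
++ assert '{} 700'.format(user) == client.execute(
++ 'stat -c "%U %a" {}/.ssh'.format(home_dir)
++ )
++ assert '{} 600'.format(user) == client.execute(
++ 'stat -c "%U %a" {}'.format(filename)
++ )
++
++ # Also ensure ssh-keygen works as expected
++ client.execute('mkdir {}/.ssh'.format(home_dir))
++ assert client.execute(
++ "ssh-keygen -b 2048 -t rsa -f {}/.ssh/id_rsa -q -N ''".format(
++ home_dir)
++ ).ok
++ assert client.execute('test -f {}/.ssh/id_rsa'.format(home_dir))
++ assert client.execute('test -f {}/.ssh/id_rsa.pub'.format(home_dir))
++
++ assert 'root 755' == client.execute('stat -c "%U %a" /home')
++
++
++DEFAULT_KEYS_USERDATA = _USERDATA.format(bootcmd='""')
++
++
++@pytest.mark.ubuntu
++@pytest.mark.user_data(DEFAULT_KEYS_USERDATA)
++def test_authorized_keys_default(client: IntegrationInstance):
++ expected_keys = [
++ ('test_user1', '/home/test_user1/.ssh/authorized_keys',
++ TEST_USER1_KEYS),
++ ('test_user2', '/home/test_user2/.ssh/authorized_keys',
++ TEST_USER2_KEYS),
++ ('ubuntu', '/home/ubuntu/.ssh/authorized_keys',
++ TEST_DEFAULT_KEYS),
++ ('root', '/root/.ssh/authorized_keys', TEST_DEFAULT_KEYS),
++ ]
++ common_verify(client, expected_keys)
++
++
++AUTHORIZED_KEYS2_USERDATA = _USERDATA.format(bootcmd=(
++ "sed -i 's;#AuthorizedKeysFile.*;AuthorizedKeysFile "
++ "/etc/ssh/authorized_keys %h/.ssh/authorized_keys2;' "
++ "/etc/ssh/sshd_config"))
++
++
++@pytest.mark.ubuntu
++@pytest.mark.user_data(AUTHORIZED_KEYS2_USERDATA)
++def test_authorized_keys2(client: IntegrationInstance):
++ expected_keys = [
++ ('test_user1', '/home/test_user1/.ssh/authorized_keys2',
++ TEST_USER1_KEYS),
++ ('test_user2', '/home/test_user2/.ssh/authorized_keys2',
++ TEST_USER2_KEYS),
++ ('ubuntu', '/home/ubuntu/.ssh/authorized_keys2',
++ TEST_DEFAULT_KEYS),
++ ('root', '/root/.ssh/authorized_keys2', TEST_DEFAULT_KEYS),
++ ]
++ common_verify(client, expected_keys)
++
++
++NESTED_KEYS_USERDATA = _USERDATA.format(bootcmd=(
++ "sed -i 's;#AuthorizedKeysFile.*;AuthorizedKeysFile "
++ "/etc/ssh/authorized_keys %h/foo/bar/ssh/keys;' "
++ "/etc/ssh/sshd_config"))
++
++
++@pytest.mark.ubuntu
++@pytest.mark.user_data(NESTED_KEYS_USERDATA)
++def test_nested_keys(client: IntegrationInstance):
++ expected_keys = [
++ ('test_user1', '/home/test_user1/foo/bar/ssh/keys',
++ TEST_USER1_KEYS),
++ ('test_user2', '/home/test_user2/foo/bar/ssh/keys',
++ TEST_USER2_KEYS),
++ ('ubuntu', '/home/ubuntu/foo/bar/ssh/keys',
++ TEST_DEFAULT_KEYS),
++ ('root', '/root/foo/bar/ssh/keys', TEST_DEFAULT_KEYS),
++ ]
++ common_verify(client, expected_keys)
++
++
++EXTERNAL_KEYS_USERDATA = _USERDATA.format(bootcmd=(
++ "sed -i 's;#AuthorizedKeysFile.*;AuthorizedKeysFile "
++ "/etc/ssh/authorized_keys /etc/ssh/authorized_keys/%u/keys;' "
++ "/etc/ssh/sshd_config"))
++
++
++@pytest.mark.ubuntu
++@pytest.mark.user_data(EXTERNAL_KEYS_USERDATA)
++def test_external_keys(client: IntegrationInstance):
++ expected_keys = [
++ ('test_user1', '/etc/ssh/authorized_keys/test_user1/keys',
++ TEST_USER1_KEYS),
++ ('test_user2', '/etc/ssh/authorized_keys/test_user2/keys',
++ TEST_USER2_KEYS),
++ ('ubuntu', '/etc/ssh/authorized_keys/ubuntu/keys',
++ TEST_DEFAULT_KEYS),
++ ('root', '/etc/ssh/authorized_keys/root/keys', TEST_DEFAULT_KEYS),
++ ]
++ common_verify(client, expected_keys)
+--
+2.27.0
+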
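Review bot: The ownership decision at `if parent_folder.startswith(user_pwent.pw_dir):` inside the os.makedirs branch is a raw string-prefix test, so a directory under a sibling home whose name extends the user's (pw_dir `/home/alice` against a key path under `/home/alice2/`) would be created 0700 and chowned to that user instead of 0755 root; `home_folder.startswith(parent_folder)` a few lines earlier has the same component-boundary weakness. Compare on a separator boundary instead, e.g. `if parent_folder.startswith(user_pwent.pw_dir.rstrip("/") + "/"):` — the exact-match case is already handled by the `continue` above it. The islink/isfile checks and the later makedirs/chownbyid are separate syscalls, so a component replaced between them is not detected; a one-line comment stating that the check is best-effort rather than atomic would help the next reader. check_create_path begins outside the hunk.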
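--- /dev/null
+++ b/ci-Inhibit-sshd-keygen-.service-if-cloud-init-is-active.patch
@@ -0,0 +1,104 @@
+From e6412be62079bbec5d67d178711ea42f21cafab8 Mon Sep 17 00:00:00 2001
+From: Emanuele Giuseppe Esposito <eesposit@redhat.com>
+Date: Tue, 12 Oct 2021 16:35:00 +0200
+Subject: [PATCH 1/2] Inhibit sshd-keygen@.service if cloud-init is active
+(#1028)
+
+RH-Author: Emanuele Giuseppe Esposito <eesposit@redhat.com>
+RH-MergeRequest: 11: Add drop-in to prevent race with sshd-keygen service
+RH-Commit: [1/2] 77ba3f167e71c43847aa5b38e1833d84568ed5a7 (eesposit/cloud-init-centos-)
+RH-Bugzilla: 2002492
+RH-Acked-by: Eduardo Otubo <otubo@redhat.com>
+RH-Acked-by: Mohamed Gamal Morsy <mmorsy@redhat.com>
+
+TESTED: by me and QA
+BREW: 40286693
+
+commit 02c71f097bca455a0f87d3e0a2af4d04b1cbd727
+Author: Ryan Harper <ryan.harper@canonical.com>
+Date: Tue Oct 12 09:31:36 2021 -0500
+
+Inhibit sshd-keygen@.service if cloud-init is active (#1028)
+
+In some cloud-init enabled images the sshd-keygen@.service
+may race with cloud-init and prevent ssh host keys from being
+generated or generating host keys twice slowing boot and consuming
+additional entropy during boot. This drop-in unit adds a condition to
+the sshd-keygen@.service which prevents running if cloud-init is active.
+
+Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
+
+Conflicts: minor conflict in setup.py (line 253), where we still use
+"/usr/lib/" instead of LIB
+---
+packages/redhat/cloud-init.spec.in | 1 +
+packages/suse/cloud-init.spec.in | 1 +
+setup.py | 5 ++++-
+systemd/disable-sshd-keygen-if-cloud-init-active.conf | 8 ++++++++
+4 files changed, 14 insertions(+), 1 deletion(-)
+create mode 100644 systemd/disable-sshd-keygen-if-cloud-init-active.conf
+
+diff --git a/packages/redhat/cloud-init.spec.in b/packages/redhat/cloud-init.spec.in
+index 16138012..1491822b 100644
+--- a/packages/redhat/cloud-init.spec.in
++++ b/packages/redhat/cloud-init.spec.in
+@@ -175,6 +175,7 @@ fi
+
+%if "%{init_system}" == "systemd"
+/usr/lib/systemd/system-generators/cloud-init-generator
++%{_sysconfdir}/systemd/system/sshd-keygen@.service.d/disable-sshd-keygen-if-cloud-init-active.conf
+%{_unitdir}/cloud-*
+%else
+%attr(0755, root, root) %{_initddir}/cloud-config
+diff --git a/packages/suse/cloud-init.spec.in b/packages/suse/cloud-init.spec.in
+index 004b875f..da8107b4 100644
+--- a/packages/suse/cloud-init.spec.in
++++ b/packages/suse/cloud-init.spec.in
+@@ -126,6 +126,7 @@ version_pys=$(cd "%{buildroot}" && find . -name version.py -type f)
+
+%{_sysconfdir}/dhcp/dhclient-exit-hooks.d/hook-dhclient
+%{_sysconfdir}/NetworkManager/dispatcher.d/hook-network-manager
++%{_sysconfdir}/systemd/system/sshd-keygen@.service.d/disable-sshd-keygen-if-cloud-init-active.conf
+
+# Python code is here...
+%{python_sitelib}/*
+diff --git a/setup.py b/setup.py
+index d5cd01a4..ec03fa27 100755
+--- a/setup.py
++++ b/setup.py
+@@ -38,6 +38,7 @@ def is_generator(p):
+def pkg_config_read(library, var):
+fallbacks = {
+'systemd': {
++ 'systemdsystemconfdir': '/etc/systemd/system',
+'systemdsystemunitdir': '/lib/systemd/system',
+'systemdsystemgeneratordir': '/lib/systemd/system-generators',
+}
+@@ -249,7 +250,9 @@ if not platform.system().endswith('BSD'):
+data_files.extend([
+(ETC + '/NetworkManager/dispatcher.d/',
+['tools/hook-network-manager']),
+- ('/usr/lib/udev/rules.d', [f for f in glob('udev/*.rules')])
++ ('/usr/lib/udev/rules.d', [f for f in glob('udev/*.rules')]),
++ (ETC + '/systemd/system/sshd-keygen@.service.d/',
++ ['systemd/disable-sshd-keygen-if-cloud-init-active.conf']),
+])
+# Use a subclass for install that handles
+# adding on the right init system configuration files
+diff --git a/systemd/disable-sshd-keygen-if-cloud-init-active.conf b/systemd/disable-sshd-keygen-if-cloud-init-active.conf
+new file mode 100644
+index 00000000..71e35876
+--- /dev/null
++++ b/systemd/disable-sshd-keygen-if-cloud-init-active.conf
+@@ -0,0 +1,8 @@
++# In some cloud-init enabled images the sshd-keygen template service may race
++# with cloud-init during boot causing issues with host key generation. This
++# drop-in config adds a condition to sshd-keygen@.service if it exists and
++# prevents the sshd-keygen units from running *if* cloud-init is going to run.
++#
++[Unit]
++ConditionPathExists=!/run/systemd/generator.early/multi-user.target.wants/cloud-init.target
++EOF
+--
+2.27.0
+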
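Review bot: The drop-in is listed in %files of packages/redhat/cloud-init.spec.in as `%{_sysconfdir}/systemd/system/sshd-keygen@.service.d/disable-sshd-keygen-if-cloud-init-active.conf` with no `%config` marker, so a package update silently overwrites any local edit of a file that lives in the administrator's /etc tree; either mark it `%config(noreplace)` (as the rsyslog entry in the top-level spec on this page is) or ship it as a vendor drop-in under `%{_unitdir}/sshd-keygen@.service.d/` so /etc stays free for local overrides. The suse spec hunk and the top-level cloud-init.spec %files section further down this page list the same path the same way. The `systemdsystemconfdir` fallback added to pkg_config_read is not referenced by the new data_files entry, which hard-codes `ETC + '/systemd/system/sshd-keygen@.service.d/'`; if nothing else reads that key it is dead code.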
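--- /dev/null
+++ b/ci-cc_ssh.py-fix-private-key-group-owner-and-permission.patch
@@ -0,0 +1,97 @@
+From 2a6b3b5afb20a7856ad81b3ec3da621571c3bec3 Mon Sep 17 00:00:00 2001
+From: Emanuele Giuseppe Esposito <eesposit@redhat.com>
+Date: Wed, 20 Oct 2021 10:41:36 +0200
+Subject: [PATCH] cc_ssh.py: fix private key group owner and permissions
+(#1070)
+
+RH-Author: Emanuele Giuseppe Esposito <eesposit@redhat.com>
+RH-MergeRequest: 12: cc_ssh.py: fix private key group owner and permissions (#1070)
+RH-Commit: [1/1] b2dc9cfd18ac0a8e1e22a37b1585d22dbde11536 (eesposit/cloud-init-centos-)
+RH-Bugzilla: 2015974
+RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+RH-Acked-by: Mohamed Gamal Morsy <mmorsy@redhat.com>
+
+commit ee296ced9c0a61b1484d850b807c601bcd670ec1
+Author: Emanuele Giuseppe Esposito <eesposit@redhat.com>
+Date: Tue Oct 19 21:32:10 2021 +0200
+
+cc_ssh.py: fix private key group owner and permissions (#1070)
+
+When default host keys are created by sshd-keygen (/etc/ssh/ssh_host_*_key)
+in RHEL/CentOS/Fedora, openssh it performs the following:
+
+// create new keys
+if ! $KEYGEN -q -t $KEYTYPE -f $KEY -C '' -N '' >&/dev/null; then
+exit 1
+fi
+
+// sanitize permissions
+/usr/bin/chgrp ssh_keys $KEY
+/usr/bin/chmod 640 $KEY
+/usr/bin/chmod 644 $KEY.pub
+Note that the group ssh_keys exists only in RHEL/CentOS/Fedora.
+
+Now that we disable sshd-keygen to allow only cloud-init to create
+them, we miss the "sanitize permissions" part, where we set the group
+owner as ssh_keys and the private key mode to 640.
+
+According to https://bugzilla.redhat.com/show_bug.cgi?id=2013644#c8, failing
+to set group ownership and permissions like openssh does makes the RHEL openscap
+tool generate an error.
+
+Signed-off-by: Emanuele Giuseppe Esposito eesposit@redhat.com
+
+RHBZ: 2013644
+
+Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
+---
+cloudinit/config/cc_ssh.py | 7 +++++++
+cloudinit/util.py | 14 ++++++++++++++
+2 files changed, 21 insertions(+)
+
+diff --git a/cloudinit/config/cc_ssh.py b/cloudinit/config/cc_ssh.py
+index 05a16dbc..4e986c55 100755
+--- a/cloudinit/config/cc_ssh.py
++++ b/cloudinit/config/cc_ssh.py
+@@ -240,6 +240,13 @@ def handle(_name, cfg, cloud, log, _args):
+try:
+out, err = subp.subp(cmd, capture=True, env=lang_c)
+sys.stdout.write(util.decode_binary(out))
++
++ gid = util.get_group_id("ssh_keys")
++ if gid != -1:
++ # perform same "sanitize permissions" as sshd-keygen
++ os.chown(keyfile, -1, gid)
++ os.chmod(keyfile, 0o640)
++ os.chmod(keyfile + ".pub", 0o644)
+except subp.ProcessExecutionError as e:
+err = util.decode_binary(e.stderr).lower()
+if (e.exit_code == 1 and
+diff --git a/cloudinit/util.py b/cloudinit/util.py
+index 343976ad..fe37ae89 100644
+--- a/cloudinit/util.py
++++ b/cloudinit/util.py
+@@ -1831,6 +1831,20 @@ def chmod(path, mode):
+os.chmod(path, real_mode)
+
+
++def get_group_id(grp_name: str) -> int:
++ """
++ Returns the group id of a group name, or -1 if no group exists
++
++ @param grp_name: the name of the group
++ """
++ gid = -1
++ try:
++ gid = grp.getgrnam(grp_name).gr_gid
++ except KeyError:
++ LOG.debug("Group %s is not a valid group name", grp_name)
++ return gid
++
++
+def get_permissions(path: str) -> int:
+"""
+Returns the octal permissions of the file/folder pointed by the path,
+--
+2.27.0
+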
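Review bot: The new `os.chown`/`os.chmod` calls run inside a `try` whose only handler is `except subp.ProcessExecutionError as e:`, so an OSError from them (a missing `keyfile + ".pub"`, or a refused chown) escapes handle() instead of being logged the way a keygen failure is; give them their own `except OSError` that logs and continues, or move them after the try/except. If this block sits inside the per-keytype loop (the loop header is outside the hunk), `util.get_group_id("ssh_keys")` is resolved once per key and can be hoisted above it. `get_group_id` in util.py relies on `grp` being imported at the top of util.py, which the hunk does not show — worth confirming. Its docstring should also say that -1 is a sentinel callers must test before passing the value on, since -1 given to os.chown means "leave the group unchanged" and would otherwise silently do nothing.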
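--- /dev/null
+++ b/ci-remove-unnecessary-EOF-string-in-disable-sshd-keygen.patch
@@ -0,0 +1,45 @@
+From ec9c280ad24900ad078a0f371fa8b4f5f407ee90 Mon Sep 17 00:00:00 2001
+From: Emanuele Giuseppe Esposito <eesposit@redhat.com>
+Date: Tue, 26 Oct 2021 21:52:45 +0200
+Subject: [PATCH] remove unnecessary EOF string in
+disable-sshd-keygen-if-cloud-init-active.conf (#1075)
+
+RH-Author: Emanuele Giuseppe Esposito <eesposit@redhat.com>
+RH-MergeRequest: 13: remove unnecessary EOF string in disable-sshd-keygen-if-cloud-init-active.conf (#1075)
+RH-Commit: [1/1] 4c01a4bb86a73df3212bb4cf0388b2df707eddc4 (eesposit/cloud-init-centos-)
+RH-Bugzilla: 2016305
+RH-Acked-by: Eduardo Otubo <otubo@redhat.com>
+RH-Acked-by: Mohamed Gamal Morsy <mmorsy@redhat.com>
+
+commit a8380a125d40ff0ae88f2ba25a518346f2063a1a
+Author: Emanuele Giuseppe Esposito <eesposit@redhat.com>
+Date: Tue Oct 26 16:15:47 2021 +0200
+
+remove unnecessary EOF string in disable-sshd-keygen-if-cloud-init-active.conf (#1075)
+
+Running 'systemd-analyze verify cloud-init-local.service'
+triggers the following warning:
+
+disable-sshhd-keygen-if-cloud-init-active.conf:8: Missing '=', ignoring line.
+
+The string "EOF" is probably a typo, so remove it.
+
+Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
+
+Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
+---
+systemd/disable-sshd-keygen-if-cloud-init-active.conf | 1 -
+1 file changed, 1 deletion(-)
+
+diff --git a/systemd/disable-sshd-keygen-if-cloud-init-active.conf b/systemd/disable-sshd-keygen-if-cloud-init-active.conf
+index 71e35876..1a5d7a5a 100644
+--- a/systemd/disable-sshd-keygen-if-cloud-init-active.conf
++++ b/systemd/disable-sshd-keygen-if-cloud-init-active.conf
+@@ -5,4 +5,3 @@
+#
+[Unit]
+ConditionPathExists=!/run/systemd/generator.early/multi-user.target.wants/cloud-init.target
+-EOF
+--
+2.27.0
+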
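--- /dev/null
+++ b/ci-ssh_utils.py-ignore-when-sshd_config-options-are-not.patch
@@ -0,0 +1,86 @@
+From ce346f6057377c7bb9b89703fb8855ccf4947a61 Mon Sep 17 00:00:00 2001
+From: Emanuele Giuseppe Esposito <eesposit@redhat.com>
+Date: Wed, 8 Sep 2021 16:08:12 +0200
+Subject: [PATCH] ssh_utils.py: ignore when sshd_config options are not
+key/value pairs
+
+RH-Author: Emanuele Giuseppe Esposito <eesposit@redhat.com>
+RH-MergeRequest: 10: ssh_utils.py: ignore when sshd_config options are not key/value pairs
+RH-Commit: [1/1] 546081571e8b6b1415aae1a04660137070532fae (eesposit/cloud-init-centos-)
+RH-Bugzilla: 2002302
+RH-Acked-by: Eduardo Otubo <otubo@redhat.com>
+RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+RH-Acked-by: Mohamed Gamal Morsy <mmorsy@redhat.com>
+
+TESTED: by me
+BREW: 39622506
+
+commit 2ce857248162957a785af61c135ca8433fdbbcde
+Author: Emanuele Giuseppe Esposito <eesposit@redhat.com>
+Date: Wed Sep 8 02:08:36 2021 +0200
+
+ssh_utils.py: ignore when sshd_config options are not key/value pairs (#1007)
+
+As specified in #LP 1845552,
+In cloudinit/ssh_util.py, in parse_ssh_config_lines(), we attempt to
+parse each line of sshd_config. This function expects each line to
+be one of the following forms:
+
+\# comment
+key value
+key=value
+
+However, options like DenyGroups and DenyUsers are specified to
+*optionally* accepts values in sshd_config.
+Cloud-init should comply to this and skip the option if a value
+is not provided.
+
+Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
+
+Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
+---
+cloudinit/ssh_util.py | 8 +++++++-
+tests/unittests/test_sshutil.py | 8 ++++++++
+2 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/cloudinit/ssh_util.py b/cloudinit/ssh_util.py
+index 9ccadf09..33679dcc 100644
+--- a/cloudinit/ssh_util.py
++++ b/cloudinit/ssh_util.py
+@@ -484,7 +484,13 @@ def parse_ssh_config_lines(lines):
+try:
+key, val = line.split(None, 1)
+except ValueError:
+- key, val = line.split('=', 1)
++ try:
++ key, val = line.split('=', 1)
++ except ValueError:
++ LOG.debug(
++ "sshd_config: option \"%s\" has no key/value pair,"
++ " skipping it", line)
++ continue
+ret.append(SshdConfigLine(line, key, val))
+return ret
+
+diff --git a/tests/unittests/test_sshutil.py b/tests/unittests/test_sshutil.py
+index a66788bf..08e20050 100644
+--- a/tests/unittests/test_sshutil.py
++++ b/tests/unittests/test_sshutil.py
+@@ -525,6 +525,14 @@ class TestUpdateSshConfigLines(test_helpers.CiTestCase):
+self.assertEqual([self.pwauth], result)
+self.check_line(lines[-1], self.pwauth, "no")
+
++ def test_option_without_value(self):
++ """Implementation only accepts key-value pairs."""
++ extended_exlines = self.exlines.copy()
++ denyusers_opt = "DenyUsers"
++ extended_exlines.append(denyusers_opt)
++ lines = ssh_util.parse_ssh_config_lines(list(extended_exlines))
++ self.assertNotIn(denyusers_opt, str(lines))
++
+def test_single_option_updated(self):
+"""A single update should have change made and line updated."""
+opt, val = ("UsePAM", "no")
+--
+2.27.0
+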
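Review bot: Turning the second `split('=', 1)` failure into `continue` drops the line from `ret` entirely, so if the caller serializes the parsed list back into sshd_config (which update_ssh_config appears to do), a bare `DenyUsers` or `DenyGroups` directive is silently removed from the rewritten file rather than left alone — for an access-control option that is a behaviour change beyond fixing the ValueError. Keeping it as an opaque line, as the comment/blank branch at the top of parse_ssh_config_lines presumably does, makes the rewrite lossless: `ret.append(SshdConfigLine(line))` in place of `continue`, with the debug message changed from saying the option is skipped to saying it is kept verbatim. The new unit test would then assert the directive survives in `str(lines)` instead of `assertNotIn`. The enclosing loop starts outside the hunk.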
@ -1,6 +1,6 @@
|
||||
Name: cloud-init
|
||||
Version: 21.1
|
||||
Release: 7%{?dist}
|
||||
Release: 12%{?dist}
|
||||
Summary: Cloud instance init scripts
|
||||
License: ASL 2.0 or GPLv3
|
||||
URL: http://launchpad.net/cloud-init
|
||||
@ -20,6 +20,16 @@ Patch6: ci-write-passwords-only-to-serial-console-lock-down-clo.patch
|
||||
Patch7: ci-ssh-util-allow-cloudinit-to-merge-all-ssh-keys-into-.patch
|
||||
# For bz#1979099 - [cloud-init]Customize ssh AuthorizedKeysFile causes login failure[RHEL-9.0]
|
||||
Patch8: ci-Stop-copying-ssh-system-keys-and-check-folder-permis.patch
|
||||
# For bz#1995843 - [cloudinit] Fix home permissions modified by ssh module
|
||||
Patch9: ci-Fix-home-permissions-modified-by-ssh-module-SC-338-9.patch
|
||||
# For bz#2002302 - cloud-init fails with ValueError: need more than 1 value to unpack[rhel-9]
|
||||
Patch10: ci-ssh_utils.py-ignore-when-sshd_config-options-are-not.patch
|
||||
# For bz#2002492 - util.py[WARNING]: Failed generating key type rsa to file /etc/ssh/ssh_host_rsa_key
|
||||
Patch11: ci-Inhibit-sshd-keygen-.service-if-cloud-init-is-active.patch
|
||||
# For bz#2015974 - cloud-init fails to set host key permissions correctly
|
||||
Patch12: ci-cc_ssh.py-fix-private-key-group-owner-and-permission.patch
|
||||
# For bz#2016305 - disable-sshd-keygen-if-cloud-init-active.conf:8: Missing '=', ignoring line
|
||||
Patch13: ci-remove-unnecessary-EOF-string-in-disable-sshd-keygen.patch
|
||||
|
||||
# Source-git patches
|
||||
|
||||
@ -211,12 +221,38 @@ fi
|
||||
%{_bindir}/cloud-id
|
||||
%{_libexecdir}/%{name}/ds-identify
|
||||
%{_systemdgeneratordir}/cloud-init-generator
|
||||
|
||||
%{_sysconfdir}/systemd/system/sshd-keygen@.service.d/disable-sshd-keygen-if-cloud-init-active.conf
|
||||
|
||||
%dir %{_sysconfdir}/rsyslog.d
|
||||
%config(noreplace) %{_sysconfdir}/rsyslog.d/21-cloudinit.conf
|
||||
|
||||
%changelog
|
||||
* Mon Nov 01 2021 Miroslav Rezanina <mrezanin@redhat.com> - 21.1-12
|
||||
- ci-remove-unnecessary-EOF-string-in-disable-sshd-keygen.patch [bz#2016305]
|
||||
- Resolves: bz#2016305
|
||||
(disable-sshd-keygen-if-cloud-init-active.conf:8: Missing '=', ignoring line)
|
||||
|
||||
* Tue Oct 26 2021 Miroslav Rezanina <mrezanin@redhat.com> - 21.1-11
|
||||
- ci-cc_ssh.py-fix-private-key-group-owner-and-permission.patch [bz#2015974]
|
||||
- Resolves: bz#2015974
|
||||
(cloud-init fails to set host key permissions correctly)
|
||||
|
||||
* Mon Oct 18 2021 Miroslav Rezanina <mrezanin@redhat.com> - 21.1-10
|
||||
- ci-Inhibit-sshd-keygen-.service-if-cloud-init-is-active.patch [bz#2002492]
|
||||
- ci-add-the-drop-in-also-in-the-files-section-of-cloud-i.patch [bz#2002492]
|
||||
- Resolves: bz#2002492
|
||||
(util.py[WARNING]: Failed generating key type rsa to file /etc/ssh/ssh_host_rsa_key)
|
||||
|
||||
* Fri Sep 10 2021 Miroslav Rezanina <mrezanin@redhat.com> - 21.1-9
|
||||
- ci-ssh_utils.py-ignore-when-sshd_config-options-are-not.patch [bz#2002302]
|
||||
- Resolves: bz#2002302
|
||||
(cloud-init fails with ValueError: need more than 1 value to unpack[rhel-9])
|
||||
|
||||
* Fri Sep 03 2021 Miroslav Rezanina <mrezanin@redhat.com> - 21.1-8
|
||||
- ci-Fix-home-permissions-modified-by-ssh-module-SC-338-9.patch [bz#1995843]
|
||||
- Resolves: bz#1995843
|
||||
([cloudinit] Fix home permissions modified by ssh module)
|
||||
|
||||
* Mon Aug 16 2021 Miroslav Rezanina <mrezanin@redhat.com> - 21.1-7
|
||||
- ci-Stop-copying-ssh-system-keys-and-check-folder-permis.patch [bz#1979099]
|
||||
- ci-Report-full-specific-version-with-cloud-init-version.patch [bz#1971002]
|
||||
|