From 8dc357c036e393ae7d869d3074377f5447fa9b77 Mon Sep 17 00:00:00 2001 From: Emanuele Giuseppe Esposito Date: Tue, 26 Oct 2021 22:18:06 +0200 Subject: [PATCH] cc_ssh.py: fix private key group owner and permissions (#1070) RH-Author: Emanuele Giuseppe Esposito RH-MergeRequest: 34: cc_ssh.py: fix private key group owner and permissions (#1070) RH-Commit: [1/1] 6dfd47416dd2cb7ed3822199c43cbd2fdada7aa1 (eesposit/cloud-init) RH-Bugzilla: 2017697 RH-Acked-by: Eduardo Otubo RH-Acked-by: Mohamed Gamal Morsy commit ee296ced9c0a61b1484d850b807c601bcd670ec1 Author: Emanuele Giuseppe Esposito Date: Tue Oct 19 21:32:10 2021 +0200 cc_ssh.py: fix private key group owner and permissions (#1070) When default host keys are created by sshd-keygen (/etc/ssh/ssh_host_*_key) in RHEL/CentOS/Fedora, openssh it performs the following: # create new keys if ! $KEYGEN -q -t $KEYTYPE -f $KEY -C '' -N '' >&/dev/null; then exit 1 fi # sanitize permissions /usr/bin/chgrp ssh_keys $KEY /usr/bin/chmod 640 $KEY /usr/bin/chmod 644 $KEY.pub Note that the group ssh_keys exists only in RHEL/CentOS/Fedora. Now that we disable sshd-keygen to allow only cloud-init to create them, we miss the "sanitize permissions" part, where we set the group owner as ssh_keys and the private key mode to 640. According to https://bugzilla.redhat.com/show_bug.cgi?id=2013644#c8, failing to set group ownership and permissions like openssh does makes the RHEL openscap tool generate an error. Signed-off-by: Emanuele Giuseppe Esposito eesposit@redhat.com RHBZ: 2013644 Signed-off-by: Emanuele Giuseppe Esposito --- cloudinit/config/cc_ssh.py | 7 +++++++ cloudinit/util.py | 14 ++++++++++++++ 2 files changed, 21 insertions(+) diff --git a/cloudinit/config/cc_ssh.py b/cloudinit/config/cc_ssh.py index 05a16dbc..4e986c55 100755 --- a/cloudinit/config/cc_ssh.py +++ b/cloudinit/config/cc_ssh.py @@ -240,6 +240,13 @@ def handle(_name, cfg, cloud, log, _args): try: out, err = subp.subp(cmd, capture=True, env=lang_c) sys.stdout.write(util.decode_binary(out)) + + gid = util.get_group_id("ssh_keys") + if gid != -1: + # perform same "sanitize permissions" as sshd-keygen + os.chown(keyfile, -1, gid) + os.chmod(keyfile, 0o640) + os.chmod(keyfile + ".pub", 0o644) except subp.ProcessExecutionError as e: err = util.decode_binary(e.stderr).lower() if (e.exit_code == 1 and diff --git a/cloudinit/util.py b/cloudinit/util.py index 343976ad..fe37ae89 100644 --- a/cloudinit/util.py +++ b/cloudinit/util.py @@ -1831,6 +1831,20 @@ def chmod(path, mode): os.chmod(path, real_mode) +def get_group_id(grp_name: str) -> int: + """ + Returns the group id of a group name, or -1 if no group exists + + @param grp_name: the name of the group + """ + gid = -1 + try: + gid = grp.getgrnam(grp_name).gr_gid + except KeyError: + LOG.debug("Group %s is not a valid group name", grp_name) + return gid + + def get_permissions(path: str) -> int: """ Returns the octal permissions of the file/folder pointed by the path, -- 2.27.0