* Tue Oct 26 2021 Miroslav Rezanina <mrezanin@redhat.com> - 21.1-11
- ci-cc_ssh.py-fix-private-key-group-owner-and-permission.patch [bz#2015974] - Resolves: bz#2015974 (cloud-init fails to set host key permissions correctly)
parent
7202aee4b8
commit
af64297720
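--- /dev/null
+++ b/ci-cc_ssh.py-fix-private-key-group-owner-and-permission.patch
@@ -0,0 +1,97 @@
+From 2a6b3b5afb20a7856ad81b3ec3da621571c3bec3 Mon Sep 17 00:00:00 2001
+From: Emanuele Giuseppe Esposito <eesposit@redhat.com>
+Date: Wed, 20 Oct 2021 10:41:36 +0200
+Subject: [PATCH] cc_ssh.py: fix private key group owner and permissions
+(#1070)
+
+RH-Author: Emanuele Giuseppe Esposito <eesposit@redhat.com>
+RH-MergeRequest: 12: cc_ssh.py: fix private key group owner and permissions (#1070)
+RH-Commit: [1/1] b2dc9cfd18ac0a8e1e22a37b1585d22dbde11536 (eesposit/cloud-init-centos-)
+RH-Bugzilla: 2015974
+RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+RH-Acked-by: Mohamed Gamal Morsy <mmorsy@redhat.com>
+
+commit ee296ced9c0a61b1484d850b807c601bcd670ec1
+Author: Emanuele Giuseppe Esposito <eesposit@redhat.com>
+Date: Tue Oct 19 21:32:10 2021 +0200
+
+cc_ssh.py: fix private key group owner and permissions (#1070)
+
+When default host keys are created by sshd-keygen (/etc/ssh/ssh_host_*_key)
+in RHEL/CentOS/Fedora, openssh it performs the following:
+
+// create new keys
+if ! $KEYGEN -q -t $KEYTYPE -f $KEY -C '' -N '' >&/dev/null; then
+exit 1
+fi
+
+// sanitize permissions
+/usr/bin/chgrp ssh_keys $KEY
+/usr/bin/chmod 640 $KEY
+/usr/bin/chmod 644 $KEY.pub
+Note that the group ssh_keys exists only in RHEL/CentOS/Fedora.
+
+Now that we disable sshd-keygen to allow only cloud-init to create
+them, we miss the "sanitize permissions" part, where we set the group
+owner as ssh_keys and the private key mode to 640.
+
+According to https://bugzilla.redhat.com/show_bug.cgi?id=2013644#c8, failing
+to set group ownership and permissions like openssh does makes the RHEL openscap
+tool generate an error.
+
+Signed-off-by: Emanuele Giuseppe Esposito eesposit@redhat.com
+
+RHBZ: 2013644
+
+Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
+---
+cloudinit/config/cc_ssh.py | 7 +++++++
+cloudinit/util.py | 14 ++++++++++++++
+2 files changed, 21 insertions(+)
+
+diff --git a/cloudinit/config/cc_ssh.py b/cloudinit/config/cc_ssh.py
+index 05a16dbc..4e986c55 100755
+--- a/cloudinit/config/cc_ssh.py
++++ b/cloudinit/config/cc_ssh.py
+@@ -240,6 +240,13 @@ def handle(_name, cfg, cloud, log, _args):
+try:
+out, err = subp.subp(cmd, capture=True, env=lang_c)
+sys.stdout.write(util.decode_binary(out))
++
++ gid = util.get_group_id("ssh_keys")
++ if gid != -1:
++ # perform same "sanitize permissions" as sshd-keygen
++ os.chown(keyfile, -1, gid)
++ os.chmod(keyfile, 0o640)
++ os.chmod(keyfile + ".pub", 0o644)
+except subp.ProcessExecutionError as e:
+err = util.decode_binary(e.stderr).lower()
+if (e.exit_code == 1 and
+diff --git a/cloudinit/util.py b/cloudinit/util.py
+index 343976ad..fe37ae89 100644
+--- a/cloudinit/util.py
++++ b/cloudinit/util.py
+@@ -1831,6 +1831,20 @@ def chmod(path, mode):
+os.chmod(path, real_mode)
+
+
++def get_group_id(grp_name: str) -> int:
++ """
++ Returns the group id of a group name, or -1 if no group exists
++
++ @param grp_name: the name of the group
++ """
++ gid = -1
++ try:
++ gid = grp.getgrnam(grp_name).gr_gid
++ except KeyError:
++ LOG.debug("Group %s is not a valid group name", grp_name)
++ return gid
++
++
+def get_permissions(path: str) -> int:
+"""
+Returns the octal permissions of the file/folder pointed by the path,
+--
+2.27.0
+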
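Review bot: The `os.chown`/`os.chmod` calls added after `sys.stdout.write(...)` in `handle()` can raise `OSError` (for instance `FileNotFoundError` if `keyfile + ".pub"` is missing, or `PermissionError`), but the only handler visible in the hunk is `except subp.ProcessExecutionError`, so a failed sanitize step would propagate out of the ssh module instead of being logged the way a keygen failure is. Since the `gid != -1` skip already makes this step best-effort on non-RHEL systems, put the three calls in their own `try:` and add `except OSError as e: log.warning("Failed to set permissions on %s: %s", keyfile, e)` (the `log` parameter is visible in the hunk header); the key file presumably remains usable with whatever mode ssh-keygen wrote it with. The new `get_group_id` in util.py relies on `grp` and `LOG` being in scope, which this hunk does not show, so confirm `import grp` is already present there. The body of `handle()` continues outside the hunk.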
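--- a/cloud-init.spec
+++ b/cloud-init.spec
@@ -1,6 +1,6 @@
 Name: cloud-init
 Version: 21.1
-Release: 10%{?dist}
+Release: 11%{?dist}
 Summary: Cloud instance init scripts
 License: ASL 2.0 or GPLv3
 URL: http://launchpad.net/cloud-init
@@ -26,6 +26,8 @@ Patch9: ci-Fix-home-permissions-modified-by-ssh-module-SC-338-9.patch
 Patch10: ci-ssh_utils.py-ignore-when-sshd_config-options-are-not.patch
 # For bz#2002492 - util.py[WARNING]: Failed generating key type rsa to file /etc/ssh/ssh_host_rsa_key
 Patch11: ci-Inhibit-sshd-keygen-.service-if-cloud-init-is-active.patch
+# For bz#2015974 - cloud-init fails to set host key permissions correctly
+Patch12: ci-cc_ssh.py-fix-private-key-group-owner-and-permission.patch
 
 # Source-git patches
 
@@ -223,6 +225,11 @@ fi
 %config(noreplace) %{_sysconfdir}/rsyslog.d/21-cloudinit.conf
 
 %changelog
+* Tue Oct 26 2021 Miroslav Rezanina <mrezanin@redhat.com> - 21.1-11
+- ci-cc_ssh.py-fix-private-key-group-owner-and-permission.patch [bz#2015974]
+- Resolves: bz#2015974
+(cloud-init fails to set host key permissions correctly)
+
 * Mon Oct 18 2021 Miroslav Rezanina <mrezanin@redhat.com> - 21.1-10
 - ci-Inhibit-sshd-keygen-.service-if-cloud-init-is-active.patch [bz#2002492]
 - ci-add-the-drop-in-also-in-the-files-section-of-cloud-i.patch [bz#2002492]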