From 2a6b3b5afb20a7856ad81b3ec3da621571c3bec3 Mon Sep 17 00:00:00 2001
From: Emanuele Giuseppe Esposito <eesposit@redhat.com>
Date: Wed, 20 Oct 2021 10:41:36 +0200
Subject: [PATCH] cc_ssh.py: fix private key group owner and permissions
 (#1070)

RH-Author: Emanuele Giuseppe Esposito <eesposit@redhat.com>
RH-MergeRequest: 12: cc_ssh.py: fix private key group owner and permissions (#1070)
RH-Commit: [1/1] b2dc9cfd18ac0a8e1e22a37b1585d22dbde11536 (eesposit/cloud-init-centos-)
RH-Bugzilla: 2015974
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
RH-Acked-by: Mohamed Gamal Morsy <mmorsy@redhat.com>

commit ee296ced9c0a61b1484d850b807c601bcd670ec1
Author: Emanuele Giuseppe Esposito <eesposit@redhat.com>
Date:   Tue Oct 19 21:32:10 2021 +0200

    cc_ssh.py: fix private key group owner and permissions (#1070)

    When default host keys are created by sshd-keygen (/etc/ssh/ssh_host_*_key)
    in RHEL/CentOS/Fedora, openssh it performs the following:

    // create new keys
    if ! $KEYGEN -q -t $KEYTYPE -f $KEY -C '' -N '' >&/dev/null; then
            exit 1
    fi

    // sanitize permissions
    /usr/bin/chgrp ssh_keys $KEY
    /usr/bin/chmod 640 $KEY
    /usr/bin/chmod 644 $KEY.pub
    Note that the group ssh_keys exists only in RHEL/CentOS/Fedora.

    Now that we disable sshd-keygen to allow only cloud-init to create
    them, we miss the "sanitize permissions" part, where we set the group
    owner as ssh_keys and the private key mode to 640.

    According to https://bugzilla.redhat.com/show_bug.cgi?id=2013644#c8, failing
    to set group ownership and permissions like openssh does makes the RHEL openscap
    tool generate an error.

    Signed-off-by: Emanuele Giuseppe Esposito eesposit@redhat.com

    RHBZ: 2013644

Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
---
 cloudinit/config/cc_ssh.py |  7 +++++++
 cloudinit/util.py          | 14 ++++++++++++++
 2 files changed, 21 insertions(+)

diff --git a/cloudinit/config/cc_ssh.py b/cloudinit/config/cc_ssh.py
index 05a16dbc..4e986c55 100755
--- a/cloudinit/config/cc_ssh.py
+++ b/cloudinit/config/cc_ssh.py
@@ -240,6 +240,13 @@ def handle(_name, cfg, cloud, log, _args):
                 try:
                     out, err = subp.subp(cmd, capture=True, env=lang_c)
                     sys.stdout.write(util.decode_binary(out))
+
+                    gid = util.get_group_id("ssh_keys")
+                    if gid != -1:
+                        # perform same "sanitize permissions" as sshd-keygen
+                        os.chown(keyfile, -1, gid)
+                        os.chmod(keyfile, 0o640)
+                        os.chmod(keyfile + ".pub", 0o644)
                 except subp.ProcessExecutionError as e:
                     err = util.decode_binary(e.stderr).lower()
                     if (e.exit_code == 1 and
diff --git a/cloudinit/util.py b/cloudinit/util.py
index 343976ad..fe37ae89 100644
--- a/cloudinit/util.py
+++ b/cloudinit/util.py
@@ -1831,6 +1831,20 @@ def chmod(path, mode):
             os.chmod(path, real_mode)
 
 
+def get_group_id(grp_name: str) -> int:
+    """
+    Returns the group id of a group name, or -1 if no group exists
+
+    @param grp_name: the name of the group
+    """
+    gid = -1
+    try:
+        gid = grp.getgrnam(grp_name).gr_gid
+    except KeyError:
+        LOG.debug("Group %s is not a valid group name", grp_name)
+    return gid
+
+
 def get_permissions(path: str) -> int:
     """
     Returns the octal permissions of the file/folder pointed by the path,
-- 
2.27.0