|
|
e24810 |
From 8dc357c036e393ae7d869d3074377f5447fa9b77 Mon Sep 17 00:00:00 2001
|
|
|
e24810 |
From: Emanuele Giuseppe Esposito <eesposit@redhat.com>
|
|
|
e24810 |
Date: Tue, 26 Oct 2021 22:18:06 +0200
|
|
|
e24810 |
Subject: [PATCH] cc_ssh.py: fix private key group owner and permissions
|
|
|
e24810 |
(#1070)
|
|
|
e24810 |
|
|
|
e24810 |
RH-Author: Emanuele Giuseppe Esposito <eesposit@redhat.com>
|
|
|
e24810 |
RH-MergeRequest: 34: cc_ssh.py: fix private key group owner and permissions (#1070)
|
|
|
e24810 |
RH-Commit: [1/1] 6dfd47416dd2cb7ed3822199c43cbd2fdada7aa1 (eesposit/cloud-init)
|
|
|
e24810 |
RH-Bugzilla: 2017697
|
|
|
e24810 |
RH-Acked-by: Eduardo Otubo <otubo@redhat.com>
|
|
|
e24810 |
RH-Acked-by: Mohamed Gamal Morsy <mmorsy@redhat.com>
|
|
|
e24810 |
|
|
|
e24810 |
commit ee296ced9c0a61b1484d850b807c601bcd670ec1
|
|
|
e24810 |
Author: Emanuele Giuseppe Esposito <eesposit@redhat.com>
|
|
|
e24810 |
Date: Tue Oct 19 21:32:10 2021 +0200
|
|
|
e24810 |
|
|
|
e24810 |
cc_ssh.py: fix private key group owner and permissions (#1070)
|
|
|
e24810 |
|
|
|
e24810 |
When default host keys are created by sshd-keygen (/etc/ssh/ssh_host_*_key)
|
|
|
e24810 |
in RHEL/CentOS/Fedora, openssh it performs the following:
|
|
|
e24810 |
|
|
|
e24810 |
# create new keys
|
|
|
e24810 |
if ! $KEYGEN -q -t $KEYTYPE -f $KEY -C '' -N '' >&/dev/null; then
|
|
|
e24810 |
exit 1
|
|
|
e24810 |
fi
|
|
|
e24810 |
|
|
|
e24810 |
# sanitize permissions
|
|
|
e24810 |
/usr/bin/chgrp ssh_keys $KEY
|
|
|
e24810 |
/usr/bin/chmod 640 $KEY
|
|
|
e24810 |
/usr/bin/chmod 644 $KEY.pub
|
|
|
e24810 |
Note that the group ssh_keys exists only in RHEL/CentOS/Fedora.
|
|
|
e24810 |
|
|
|
e24810 |
Now that we disable sshd-keygen to allow only cloud-init to create
|
|
|
e24810 |
them, we miss the "sanitize permissions" part, where we set the group
|
|
|
e24810 |
owner as ssh_keys and the private key mode to 640.
|
|
|
e24810 |
|
|
|
e24810 |
According to https://bugzilla.redhat.com/show_bug.cgi?id=2013644#c8, failing
|
|
|
e24810 |
to set group ownership and permissions like openssh does makes the RHEL openscap
|
|
|
e24810 |
tool generate an error.
|
|
|
e24810 |
|
|
|
e24810 |
Signed-off-by: Emanuele Giuseppe Esposito eesposit@redhat.com
|
|
|
e24810 |
|
|
|
e24810 |
RHBZ: 2013644
|
|
|
e24810 |
|
|
|
e24810 |
Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
|
|
|
e24810 |
---
|
|
|
e24810 |
cloudinit/config/cc_ssh.py | 7 +++++++
|
|
|
e24810 |
cloudinit/util.py | 14 ++++++++++++++
|
|
|
e24810 |
2 files changed, 21 insertions(+)
|
|
|
e24810 |
|
|
|
e24810 |
diff --git a/cloudinit/config/cc_ssh.py b/cloudinit/config/cc_ssh.py
|
|
|
e24810 |
index 05a16dbc..4e986c55 100755
|
|
|
e24810 |
--- a/cloudinit/config/cc_ssh.py
|
|
|
e24810 |
+++ b/cloudinit/config/cc_ssh.py
|
|
|
e24810 |
@@ -240,6 +240,13 @@ def handle(_name, cfg, cloud, log, _args):
|
|
|
e24810 |
try:
|
|
|
e24810 |
out, err = subp.subp(cmd, capture=True, env=lang_c)
|
|
|
e24810 |
sys.stdout.write(util.decode_binary(out))
|
|
|
e24810 |
+
|
|
|
e24810 |
+ gid = util.get_group_id("ssh_keys")
|
|
|
e24810 |
+ if gid != -1:
|
|
|
e24810 |
+ # perform same "sanitize permissions" as sshd-keygen
|
|
|
e24810 |
+ os.chown(keyfile, -1, gid)
|
|
|
e24810 |
+ os.chmod(keyfile, 0o640)
|
|
|
e24810 |
+ os.chmod(keyfile + ".pub", 0o644)
|
|
|
e24810 |
except subp.ProcessExecutionError as e:
|
|
|
e24810 |
err = util.decode_binary(e.stderr).lower()
|
|
|
e24810 |
if (e.exit_code == 1 and
|
|
|
e24810 |
diff --git a/cloudinit/util.py b/cloudinit/util.py
|
|
|
e24810 |
index 343976ad..fe37ae89 100644
|
|
|
e24810 |
--- a/cloudinit/util.py
|
|
|
e24810 |
+++ b/cloudinit/util.py
|
|
|
e24810 |
@@ -1831,6 +1831,20 @@ def chmod(path, mode):
|
|
|
e24810 |
os.chmod(path, real_mode)
|
|
|
e24810 |
|
|
|
e24810 |
|
|
|
e24810 |
+def get_group_id(grp_name: str) -> int:
|
|
|
e24810 |
+ """
|
|
|
e24810 |
+ Returns the group id of a group name, or -1 if no group exists
|
|
|
e24810 |
+
|
|
|
e24810 |
+ @param grp_name: the name of the group
|
|
|
e24810 |
+ """
|
|
|
e24810 |
+ gid = -1
|
|
|
e24810 |
+ try:
|
|
|
e24810 |
+ gid = grp.getgrnam(grp_name).gr_gid
|
|
|
e24810 |
+ except KeyError:
|
|
|
e24810 |
+ LOG.debug("Group %s is not a valid group name", grp_name)
|
|
|
e24810 |
+ return gid
|
|
|
e24810 |
+
|
|
|
e24810 |
+
|
|
|
e24810 |
def get_permissions(path: str) -> int:
|
|
|
e24810 |
"""
|
|
|
e24810 |
Returns the octal permissions of the file/folder pointed by the path,
|
|
|
e24810 |
--
|
|
|
e24810 |
2.27.0
|
|
|
e24810 |
|