From 2a6b3b5afb20a7856ad81b3ec3da621571c3bec3 Mon Sep 17 00:00:00 2001

From: Emanuele Giuseppe Esposito <eesposit@redhat.com>

Date: Wed, 20 Oct 2021 10:41:36 +0200

Subject: [PATCH] cc_ssh.py: fix private key group owner and permissions

 (#1070)

RH-Author: Emanuele Giuseppe Esposito <eesposit@redhat.com>

RH-MergeRequest: 12: cc_ssh.py: fix private key group owner and permissions (#1070)

RH-Commit: [1/1] b2dc9cfd18ac0a8e1e22a37b1585d22dbde11536 (eesposit/cloud-init-centos-)

RH-Bugzilla: 2015974

RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>

RH-Acked-by: Mohamed Gamal Morsy <mmorsy@redhat.com>

commit ee296ced9c0a61b1484d850b807c601bcd670ec1

Author: Emanuele Giuseppe Esposito <eesposit@redhat.com>

Date:   Tue Oct 19 21:32:10 2021 +0200

    cc_ssh.py: fix private key group owner and permissions (#1070)

    When default host keys are created by sshd-keygen (/etc/ssh/ssh_host_*_key)

    in RHEL/CentOS/Fedora, openssh it performs the following:

    // create new keys

    if ! $KEYGEN -q -t $KEYTYPE -f $KEY -C '' -N '' >&/dev/null; then

            exit 1

    fi

    // sanitize permissions

    /usr/bin/chgrp ssh_keys $KEY

    /usr/bin/chmod 640 $KEY

    /usr/bin/chmod 644 $KEY.pub

    Note that the group ssh_keys exists only in RHEL/CentOS/Fedora.

    Now that we disable sshd-keygen to allow only cloud-init to create

    them, we miss the "sanitize permissions" part, where we set the group

    owner as ssh_keys and the private key mode to 640.

    According to https://bugzilla.redhat.com/show_bug.cgi?id=2013644#c8, failing

    to set group ownership and permissions like openssh does makes the RHEL openscap

    tool generate an error.

    Signed-off-by: Emanuele Giuseppe Esposito eesposit@redhat.com

    RHBZ: 2013644

Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>

---

 cloudinit/config/cc_ssh.py |  7 +++++++

 cloudinit/util.py          | 14 ++++++++++++++

 2 files changed, 21 insertions(+)

diff --git a/cloudinit/config/cc_ssh.py b/cloudinit/config/cc_ssh.py

index 05a16dbc..4e986c55 100755

--- a/cloudinit/config/cc_ssh.py

+++ b/cloudinit/config/cc_ssh.py

@@ -240,6 +240,13 @@ def handle(_name, cfg, cloud, log, _args):

                 try:

                     out, err = subp.subp(cmd, capture=True, env=lang_c)

                     sys.stdout.write(util.decode_binary(out))

+

+                    gid = util.get_group_id("ssh_keys")

+                    if gid != -1:

+                        # perform same "sanitize permissions" as sshd-keygen

+                        os.chown(keyfile, -1, gid)

+                        os.chmod(keyfile, 0o640)

+                        os.chmod(keyfile + ".pub", 0o644)

                 except subp.ProcessExecutionError as e:

                     err = util.decode_binary(e.stderr).lower()

                     if (e.exit_code == 1 and

diff --git a/cloudinit/util.py b/cloudinit/util.py

index 343976ad..fe37ae89 100644

--- a/cloudinit/util.py

+++ b/cloudinit/util.py

@@ -1831,6 +1831,20 @@ def chmod(path, mode):

             os.chmod(path, real_mode)

+def get_group_id(grp_name: str) -> int:

+    """

+    Returns the group id of a group name, or -1 if no group exists

+

+    @param grp_name: the name of the group

+    """

+    gid = -1

+    try:

+        gid = grp.getgrnam(grp_name).gr_gid

+    except KeyError:

+        LOG.debug("Group %s is not a valid group name", grp_name)

+    return gid

+

+

 def get_permissions(path: str) -> int:

     """

     Returns the octal permissions of the file/folder pointed by the path,

-- 

2.27.0