[Group.of.nepali.translators] [Bug 1644064] Re: sshd_config file permission changed to 644 if ssh_pwauth value is true or false
This bug is believed to be fixed in cloud-init in 17.1. If this is still
a problem for you, please make a comment and set the state back to New.

Thank you.

** Changed in: cloud-init
       Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1644064

Title:
  sshd_config file permission changed to 644 if ssh_pwauth value is true
  or false

Status in cloud-init:
  Fix Released
Status in cloud-init package in Ubuntu:
  Fix Released
Status in cloud-init source package in Xenial:
  Fix Released
Status in cloud-init source package in Yakkety:
  Fix Released
Status in cloud-init source package in Zesty:
  Fix Released
Status in cloud-init source package in Artful:
  Fix Released

Bug description:
  === Begin SRU Template ===
  [Impact]
  Existing security permissions on /etc/ssh/sshd_config file are not
  honored.

  [Test Case]
  wget https://git.launchpad.net/~smoser/cloud-init/+git/sru-info/plain/bin/lxc-proposed-snapshot
  chmod 755 lxc-proposed-snapshot

  # create config.yaml
  printf '#cloud-config\nssh_pwauth: true\n' > config.yaml

  name=proposed-test
  for release in xenial yakkety zesty; do
      ref=$release-proposed
      ./lxc-proposed-snapshot --proposed --publish $release $ref
      lxc init $ref $name
      # tighten sshd_config to 600 before cloud-init runs
      lxc file pull $name/etc/ssh/sshd_config .
      chmod 600 sshd_config
      lxc file push sshd_config $name/etc/ssh/sshd_config
      lxc config set $name user.user-data - < config.yaml
      lxc start $name
      sleep 10
      lxc exec $name -- ls -ltr /etc/ssh/sshd_config   # should remain 600
      lxc stop $name
      lxc delete $name
  done

  [Regression Potential]
  Minimal as we are now honoring file permissions if an sshd_config file
  exists.

  [Other Info]

  === End SRU Template ===

  In my deploy image, the default permission of the sshd_config file is
  600. It is always changed to 644 after cloud-init runs.

  After debugging, it is caused by the cloud-config item:
  ssh_pwauth: true

  The related code is:

      lines = [str(l) for l in new_lines]
      util.write_file(ssh_util.DEF_SSHD_CFG, "\n".join(lines))

  in the file cc_set_passwords.py.

  The write_file function uses the default mask 644 to write sshd_config,
  so my file permission changed.

  It shall be enhanced to read the old sshd_config permission and write
  the new sshd_config with the old permission to avoid a security issue.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1644064/+subscriptions

___
Mailing list: https://launchpad.net/~group.of.nepali.translators
Post to     : group.of.nepali.translators@lists.launchpad.net
Unsubscribe : https://launchpad.net/~group.of.nepali.translators
More help   : https://help.launchpad.net/ListHelp
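
Added example (not part of the original thread and not cloud-init's own code): a simplified Python stand-in for a config writer, showing how a rewrite with the default 644 mode widens a 600 file and how a copy_mode flag that reuses the existing mode avoids it. The function body, the temporary paths and the sample file contents are assumptions made for illustration; only the copy_mode name and the 644 default come from the thread.

```python
import os
import stat
import tempfile

DEFAULT_MODE = 0o644  # default mode the bug report attributes to write_file


def write_file(path, content, mode=DEFAULT_MODE, copy_mode=False):
    """Hypothetical writer, not cloud-init's util.write_file.

    With copy_mode=True the permission bits of an existing file are reused;
    a file that does not exist yet falls back to `mode`.
    Returns the mode that was applied. Ownership is not copied here.
    """
    if copy_mode:
        try:
            mode = stat.S_IMODE(os.stat(path).st_mode)
        except FileNotFoundError:
            pass  # nothing to copy from, keep the requested mode
    # Write to a temporary file in the same directory and rename it into
    # place, so the content is never readable under a wider mode than `mode`.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w") as fh:
            os.fchmod(fh.fileno(), mode)  # set the mode before any content
            fh.write(content)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return mode


def current_mode(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Return (mode after default rewrite, after copy_mode rewrite, new file)."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-in for /etc/ssh/sshd_config, hardened to 600.
        cfg = os.path.join(d, "sshd_config")
        write_file(cfg, "PasswordAuthentication no\n", mode=0o600)

        # Rewrite as described in the report: the default mode replaces 600.
        write_file(cfg, "PasswordAuthentication yes\n")
        after_default = current_mode(cfg)

        # Restore 600, then rewrite while honouring the existing mode.
        os.chmod(cfg, 0o600)
        write_file(cfg, "PasswordAuthentication yes\n", copy_mode=True)
        after_copy = current_mode(cfg)

        # copy_mode on a path that does not exist falls back to the default.
        new_path = os.path.join(d, "new_file")
        write_file(new_path, "x\n", copy_mode=True)
        return after_default, after_copy, current_mode(new_path)


if __name__ == "__main__":
    print([oct(m) for m in demo()])
```
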
[Group.of.nepali.translators] [Bug 1644064] Re: sshd_config file permission changed to 644 if ssh_pwauth value is true or false
This bug was fixed in the package cloud-init - 0.7.9-113-g513e99e0-0ubuntu1~17.04.1

---
cloud-init (0.7.9-113-g513e99e0-0ubuntu1~17.04.1) zesty; urgency=medium

  * debian/update-grub-legacy-ec2: fix early exit failure no /etc/fstab
    file. (LP: #1682160)
  * New upstream snapshot.
    - nova-lxd: read product_name from environment, not platform.
      (LP: #1685810)
    - Fix yum repo config where keys contain array values [Dylan Perry]
    - template: Update debian backports template [Joshua Powers]
    - rsyslog: replace ~ with stop [Joshua Powers] (LP: #1367899)
    - Doc: add additional RTD examples [Joshua Powers]
    - Fix growpart for some cases when booted with root=PARTUUID.
      (LP: #1684869)
    - pylint: update output style to parseable [Joshua Powers]
    - pylint: fix all logging warnings [Joshua Powers]
    - CloudStack: Add NetworkManager to list of supported DHCP lease dirs.
      [Syed Mushtaq Ahmed]
    - net: kernel lies about vlans not stealing mac addresses, when they do
      [Dimitri John Ledkov] (LP: #1682871)
    - ds-identify: Check correct path for "latest" config drive
      [Daniel Watkins] (LP: #1673637)
    - doc: Fix example for resolv.conf configuration. [Jon Grimm]
    - Fix examples that reference upstream chef repository. [Jon Grimm]
    - doc: correct grammar and improve clarity in merging documentation.
      [David Tagatac]
    - doc: Add missing doc link to snap-config module. [Ryan Harper]
    - snap: allows for creating cloud-init snap [Joshua Powers]
    - DigitalOcean: assign IPv4ll address to lowest indexed interface.
      [Ben Howard] (LP: #1676908)
    - DigitalOcean: configure all NICs presented in meta-data. [Ben Howard]
      (LP: #1676908)
    - Remove (and/or fix) URL shortener references [Jon Grimm]
    - HACKING.rst: more info on filling out contributors agreement.
    - util: teach write_file about copy_mode option
      [Lars Kellogg-Stedman] (LP: #1644064)
    - DigitalOcean: bind resolvers to loopback interface. [Ben Howard]
      (LP: #1676908)
    - tests: fix AltCloud tests to not rely on blkid (LP: #1636531)

 -- Scott Moser  Thu, 27 Apr 2017 15:09:31 -0400

** Changed in: cloud-init (Ubuntu Zesty)
       Status: Fix Committed => Fix Released

Title:
  sshd_config file permission changed to 644 if ssh_pwauth value is true
  or false

Status in cloud-init:
  Fix Committed
Status in cloud-init package in Ubuntu:
  Fix Released
Status in cloud-init source package in Xenial:
  Fix Released
Status in cloud-init source package in Yakkety:
  Fix Released
Status in cloud-init source package in Zesty:
  Fix Released
Status in cloud-init source package in Artful:
  Fix Released
[Group.of.nepali.translators] [Bug 1644064] Re: sshd_config file permission changed to 644 if ssh_pwauth value is true or false
This bug was fixed in the package cloud-init - 0.7.9-113-g513e99e0-0ubuntu1~16.10.1

---
cloud-init (0.7.9-113-g513e99e0-0ubuntu1~16.10.1) yakkety; urgency=medium

  * debian/update-grub-legacy-ec2: fix early exit failure no /etc/fstab
    file. (LP: #1682160)
  * New upstream snapshot.
    - nova-lxd: read product_name from environment, not platform.
      (LP: #1685810)
    - Fix yum repo config where keys contain array values [Dylan Perry]
    - template: Update debian backports template [Joshua Powers]
    - rsyslog: replace ~ with stop [Joshua Powers] (LP: #1367899)
    - Doc: add additional RTD examples [Joshua Powers]
    - Fix growpart for some cases when booted with root=PARTUUID.
      (LP: #1684869)
    - pylint: update output style to parseable [Joshua Powers]
    - pylint: fix all logging warnings [Joshua Powers]
    - CloudStack: Add NetworkManager to list of supported DHCP lease dirs.
      [Syed Mushtaq Ahmed]
    - net: kernel lies about vlans not stealing mac addresses, when they do
      [Dimitri John Ledkov] (LP: #1682871)
    - ds-identify: Check correct path for "latest" config drive
      [Daniel Watkins] (LP: #1673637)
    - doc: Fix example for resolv.conf configuration. [Jon Grimm]
    - Fix examples that reference upstream chef repository. [Jon Grimm]
    - doc: correct grammar and improve clarity in merging documentation.
      [David Tagatac]
    - doc: Add missing doc link to snap-config module. [Ryan Harper]
    - snap: allows for creating cloud-init snap [Joshua Powers]
    - DigitalOcean: assign IPv4ll address to lowest indexed interface.
      [Ben Howard] (LP: #1676908)
    - DigitalOcean: configure all NICs presented in meta-data. [Ben Howard]
      (LP: #1676908)
    - Remove (and/or fix) URL shortener references [Jon Grimm]
    - HACKING.rst: more info on filling out contributors agreement.
    - util: teach write_file about copy_mode option
      [Lars Kellogg-Stedman] (LP: #1644064)
    - DigitalOcean: bind resolvers to loopback interface. [Ben Howard]
      (LP: #1676908)
    - tests: fix AltCloud tests to not rely on blkid (LP: #1636531)

 -- Scott Moser  Thu, 27 Apr 2017 13:38:40 -0400

** Changed in: cloud-init (Ubuntu Yakkety)
       Status: Fix Committed => Fix Released

Title:
  sshd_config file permission changed to 644 if ssh_pwauth value is true
  or false

Status in cloud-init:
  Fix Committed
Status in cloud-init package in Ubuntu:
  Fix Released
Status in cloud-init source package in Xenial:
  Fix Released
Status in cloud-init source package in Yakkety:
  Fix Released
Status in cloud-init source package in Zesty:
  Fix Released
Status in cloud-init source package in Artful:
  Fix Released
[Group.of.nepali.translators] [Bug 1644064] Re: sshd_config file permission changed to 644 if ssh_pwauth value is true or false
This bug was fixed in the package cloud-init - 0.7.9-113-g513e99e0-0ubuntu1~16.04.1

---
cloud-init (0.7.9-113-g513e99e0-0ubuntu1~16.04.1) xenial-proposed; urgency=medium

  * debian/update-grub-legacy-ec2: fix early exit failure no /etc/fstab
    file. (LP: #1682160)
  * New upstream snapshot.
    - nova-lxd: read product_name from environment, not platform.
      (LP: #1685810)
    - Fix yum repo config where keys contain array values [Dylan Perry]
    - template: Update debian backports template [Joshua Powers]
    - rsyslog: replace ~ with stop [Joshua Powers] (LP: #1367899)
    - Doc: add additional RTD examples [Joshua Powers]
    - Fix growpart for some cases when booted with root=PARTUUID.
      (LP: #1684869)
    - pylint: update output style to parseable [Joshua Powers]
    - pylint: fix all logging warnings [Joshua Powers]
    - CloudStack: Add NetworkManager to list of supported DHCP lease dirs.
      [Syed Mushtaq Ahmed]
    - net: kernel lies about vlans not stealing mac addresses, when they do
      [Dimitri John Ledkov] (LP: #1682871)
    - ds-identify: Check correct path for "latest" config drive
      [Daniel Watkins] (LP: #1673637)
    - doc: Fix example for resolv.conf configuration. [Jon Grimm]
    - Fix examples that reference upstream chef repository. [Jon Grimm]
    - doc: correct grammar and improve clarity in merging documentation.
      [David Tagatac]
    - doc: Add missing doc link to snap-config module. [Ryan Harper]
    - snap: allows for creating cloud-init snap [Joshua Powers]
    - DigitalOcean: assign IPv4ll address to lowest indexed interface.
      [Ben Howard] (LP: #1676908)
    - DigitalOcean: configure all NICs presented in meta-data. [Ben Howard]
      (LP: #1676908)
    - Remove (and/or fix) URL shortener references [Jon Grimm]
    - HACKING.rst: more info on filling out contributors agreement.
    - util: teach write_file about copy_mode option
      [Lars Kellogg-Stedman] (LP: #1644064)
    - DigitalOcean: bind resolvers to loopback interface. [Ben Howard]
      (LP: #1676908)
    - tests: fix AltCloud tests to not rely on blkid (LP: #1636531)

 -- Scott Moser  Thu, 27 Apr 2017 12:51:04 -0400

** Changed in: cloud-init (Ubuntu Xenial)
       Status: Fix Committed => Fix Released

Title:
  sshd_config file permission changed to 644 if ssh_pwauth value is true
  or false

Status in cloud-init:
  Fix Committed
Status in cloud-init package in Ubuntu:
  Fix Released
Status in cloud-init source package in Xenial:
  Fix Released
Status in cloud-init source package in Yakkety:
  Fix Committed
Status in cloud-init source package in Zesty:
  Fix Committed
Status in cloud-init source package in Artful:
  Fix Released
[Group.of.nepali.translators] [Bug 1644064] Re: sshd_config file permission changed to 644 if ssh_pwauth value is true or false
** Also affects: cloud-init (Ubuntu Zesty)
   Importance: Undecided
       Status: New

** Also affects: cloud-init (Ubuntu Yakkety)
   Importance: Undecided
       Status: New

** Also affects: cloud-init (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Changed in: cloud-init (Ubuntu Xenial)
       Status: New => Confirmed

** Changed in: cloud-init (Ubuntu Yakkety)
       Status: New => Confirmed

** Changed in: cloud-init (Ubuntu Zesty)
       Status: New => Confirmed

** Changed in: cloud-init (Ubuntu Xenial)
   Importance: Undecided => Medium

** Changed in: cloud-init (Ubuntu Yakkety)
   Importance: Undecided => Medium

** Changed in: cloud-init (Ubuntu Zesty)
   Importance: Undecided => Medium

** Changed in: cloud-init (Ubuntu Artful)
   Importance: Undecided => Medium

Title:
  sshd_config file permission changed to 644 if ssh_pwauth value is true
  or false

Status in cloud-init:
  Fix Committed
Status in cloud-init package in Ubuntu:
  Fix Released
Status in cloud-init source package in Xenial:
  Confirmed
Status in cloud-init source package in Yakkety:
  Confirmed
Status in cloud-init source package in Zesty:
  Confirmed
Status in cloud-init source package in Artful:
  Fix Released

Bug description:
  === Begin SRU Template ===
  [Impact]
  Existing security permissions on /etc/ssh/sshd_config file are not
  honored.

  [Test Case]
  wget https://git.launchpad.net/~smoser/cloud-init/+git/sru-info/plain/bin/lxc-proposed-snapshot
  chmod 755 lxc-proposed-snapshot

  # create config.yaml
  printf '#cloud-config\nssh_pwauth: true\n' > config.yaml

  name=proposed-test
  for release in xenial yakkety zesty; do
      ref=$release-proposed
      ./lxc-proposed-snapshot --proposed --publish $release $ref
      lxc init $ref $name
      lxc start $name
      sleep 10
      # tighten sshd_config to 600
      lxc file pull $name/etc/ssh/sshd_config .
      chmod 600 sshd_config
      lxc file push sshd_config $name/etc/ssh/sshd_config
      lxc config set $name user.user-data - < config.yaml
      lxc start $name
      sleep 10
      lxc exec $name -- ls -ltr /etc/ssh/sshd_config   # should remain 600
      lxc stop $name
      lxc delete $name
  done

  [Regression Potential]
  Minimal as we are now honoring file permissions if an sshd_config file
  exists.

  [Other Info]

  === End SRU Template ===

  In my deploy image, the default permission of the sshd_config file is
  600. It is always changed to 644 after cloud-init runs.

  After debugging, it is caused by the cloud-config item:
  ssh_pwauth: true

  The related code is:

      lines = [str(l) for l in new_lines]
      util.write_file(ssh_util.DEF_SSHD_CFG, "\n".join(lines))

  in the file cc_set_passwords.py.

  The write_file function uses the default mask 644 to write sshd_config,
  so my file permission changed.

  It shall be enhanced to read the old sshd_config permission and write
  the new sshd_config with the old permission to avoid a security issue.