** Description changed:

- In my deploy image, the default permission of the sshd_config file is 600.
- It is always changed to 644 after cloud-init runs. After debugging, I found it is
- caused by the cloud-config item:
+ === Begin SRU Template ===
+ [Impact]
+ Existing security permissions on the /etc/ssh/sshd_config file are not honored.
+
+ [Test Case]
+
+ wget https://git.launchpad.net/~smoser/cloud-init/+git/sru-info/plain/bin/lxc-proposed-snapshot
+ chmod 755 lxc-proposed-snapshot
+
+
+ # create config.yaml
+ cat config.yaml
+ #cloud-config
+ ssh_pwauth: true
+
+ name=proposed-test
+ for release in xenial yakkety zesty; do \
+ ref=$release-proposed;
+ lxc-proposed-snapshot --proposed --publish $release $ref;
+ lxc init $ref $name;
+ lxc start $name;
+ sleep 10;
+ lxc file pull $name/etc/ssh/sshd_config .;
+ chmod 600 sshd_config;
+ lxc file push sshd_config $name/etc/ssh/sshd_config;
+ lxc config set $name user.user-data - < config.yaml;
+ lxc restart $name;
+ sleep 10;
+ lxc exec $name -- ls -ltr /etc/ssh/sshd_config; # should remain 600
+ lxc stop $name;
+ lxc delete $name;
+ done
+
+ [Regression Potential]
+ Minimal, as we are now honoring file permissions if an sshd_config file exists.
+
+ [Other Info]
+
+ === End SRU Template ===
+
+
+ In my deploy image, the default permission of the sshd_config file is 600. It is always changed to 644 after cloud-init runs. After debugging, I found it is caused by the cloud-config item:
  ssh_pwauth: true
  The related code is:
- lines = [str(l) for l in new_lines]
- util.write_file(ssh_util.DEF_SSHD_CFG, "\n".join(lines))
+ lines = [str(l) for l in new_lines]
+ util.write_file(ssh_util.DEF_SSHD_CFG, "\n".join(lines))
  in the file cc_set_passwords.py. The write_file function uses the default mask 644 to write sshd_config, so my file permissions changed. It should be enhanced to read the old sshd_config permissions and write the new sshd_config with the old permissions to avoid a security issue.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1644064

Title:
  sshd_config file permission changed to 644 if ssh_pwauth value is true
  or false

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1644064/+subscriptions

--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
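The behaviour the report asks for (read the existing sshd_config's permission bits and write the new file with them) as an added Python example. This is not cloud-init's code and not the fix that shipped: the function names (naive_rewrite, rewrite_preserving_mode, demo) are invented here, naive_rewrite only emulates the "write, then chmod to the 0644 default" sequence the report describes, and the temp-file-plus-rename approach is one way of doing it that also avoids exposing the file with looser permissions while it is being written.

```python
"""Preserve a file's permission bits when rewriting it (added example,
not cloud-init's util.write_file). Run it to see the modes side by side."""
import os
import stat
import tempfile

DEFAULT_MODE = 0o644  # the mode a plain write_file() call applies


def naive_rewrite(path, content, mode=DEFAULT_MODE):
    """Rewrite `path` the way the bug describes: write the content, then
    chmod to the caller's (default 0644) mode. A pre-existing 0600 file
    comes out 0644. Returns the resulting permission bits."""
    with open(path, "w") as f:
        f.write(content)
    os.chmod(path, mode)
    return stat.S_IMODE(os.stat(path).st_mode)


def rewrite_preserving_mode(path, content, default_mode=DEFAULT_MODE):
    """Rewrite `path` while keeping its existing permission bits.

    - If `path` exists its current mode is reused, otherwise default_mode
      (a missing sshd_config behaves like a normal write_file() call).
    - Content goes to a temp file in the same directory whose mode is set
      with fchmod before any bytes are written, so a 0600 config is never
      world-readable even for an instant.
    - rename() then swaps it in atomically. Owner and group are not carried
      over; cloud-init runs as root, so the result is root-owned either way.
    Returns the permission bits that were applied.
    """
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
    except FileNotFoundError:
        mode = default_mode
    dirname = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=dirname, prefix=".sshd_config.")
    try:
        os.fchmod(fd, mode)  # mkstemp created it 0600; apply the real mode now
        with os.fdopen(fd, "w") as f:
            f.write(content)
        os.rename(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return mode


def demo():
    """Exercise both writers on a constructed sshd_config in a temp dir.
    Returns the permission bits after each rewrite plus the final content."""
    result = {}
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "sshd_config")
        # Constructed sample content, not taken from any real host.
        with open(cfg, "w") as f:
            f.write("PasswordAuthentication no\n")
        os.chmod(cfg, 0o600)  # the deployment image's 0600

        result["naive"] = naive_rewrite(cfg, "PasswordAuthentication yes\n")
        os.chmod(cfg, 0o600)  # reset for the second writer
        result["preserved"] = rewrite_preserving_mode(
            cfg, "PasswordAuthentication yes\n")
        result["preserved_on_disk"] = stat.S_IMODE(os.stat(cfg).st_mode)
        with open(cfg) as f:
            result["content"] = f.read()

        # No existing file: the default mode applies.
        fresh = os.path.join(d, "sshd_config.new")
        result["new_file"] = rewrite_preserving_mode(fresh, "X11Forwarding no\n")
        result["new_file_on_disk"] = stat.S_IMODE(os.stat(fresh).st_mode)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, oct(value) if isinstance(value, int) else repr(value))
```

The point of setting the mode on the descriptor before writing, rather than chmod'ing afterwards, is that a chmod-after-write leaves a window in which the freshly written sshd_config carries whatever mode the create step gave it; the test case in the SRU template only checks the final mode, so that window would not show up there.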
