Verified xenial keeps sshd_config perms:

$ name=test-proposed
$ release=xenial
$ ref=$release-proposed
$ ./lxc-proposed-snapshot --proposed --publish $release $ref
$ lxc init $ref $name
$ lxc init $ref $name
Creating test-proposed
$ lxc file pull $name/etc/ssh/sshd_config .
$ ls -ltr sshd_config
-rw-r--r-- 1 csmith csmith 2540 May 11 14:54 sshd_config
$ chmod 600 sshd_config
$ ls -ltr sshd_config
-rw------- 1 csmith csmith 2540 May 11 14:54 sshd_config
$ lxc file push sshd_config $name/etc/ssh/sshd_config;
$ cat config.yml
#cloud-config
ssh_pwauth: true
$ lxc config set $name user.user-data - < config.yml;
$ lxc start $name
$ sleep 10
$ lxc exec $name -- ls -ltr /etc/ssh/sshd_config
-rw------- 1 ubuntu ubuntu 2540 May 11 20:55 /etc/ssh/sshd_config
$ lxc exec $name -- dpkg -l cloud-init
...
ii  cloud-init  0.7.9-113-g5  all  Init scripts for cloud instances
** Description changed:

  === Begin SRU Template ===
  [Impact]
  Existing security permissions on /etc/ssh/sshd_config file are not honored.

  [Test Case]
  wget https://git.launchpad.net/~smoser/cloud-init/+git/sru-info/plain/bin/lxc-proposed-snapshot
  chmod 755 lxc-proposed-snapshot
- # create config.yaml
  cat config.yaml
  #cloud-config
  ssh_pwauth: true

  name=proposed-test
  for release in xenial yakkety zesty; do \
-   ref=$release-proposed;
-   lxc-proposed-snapshot --proposed --publish $release $ref;
-   lxc init $ref $name;
-   lxc start $name;
-   sleep 10;
-   lxc file pull $name/etc/ssh/sshd_config .;
-   chmod 600 sshd_config;
-   lxc file push sshd_config $name/etc/ssh/sshd_config;
-   lxc config set $name user.user-data - < config.yml;
-   lxc start;
-   sleep 10;
-   lxc exec $name ls -ltr /etc/ssh/sshd_config; # should remain 600
-   lxc stop $name;
-   lxc delete $name;
+   ref=$release-proposed;
+   lxc-proposed-snapshot --proposed --publish $release $ref;
+   lxc init $ref $name;
+   lxc file pull $name/etc/ssh/sshd_config .;
+   chmod 600 sshd_config;
+   lxc file push sshd_config $name/etc/ssh/sshd_config;
+   lxc config set $name user.user-data - < config.yml;
+   lxc start;
+   sleep 10;
+   lxc exec $name ls -ltr /etc/ssh/sshd_config; # should remain 600
+   lxc stop $name;
+   lxc delete $name;
  done

  [Regression Potential]
  Minimal as we are now honoring file permissions if an sshd_config file exists.

  [Other Info]
  === End SRU Template ===

-
- In my deploy image, the default permission of sshd_config file is 600. It always be changed to 644 after cloud-init run. After debug, it is caused by cloud-config item:
+ In my deploy image, the default permission of sshd_config file is 600.
+ It always be changed to 644 after cloud-init run. After debug, it is
+ caused by cloud-config item:

  ssh_pwauth: true

  The related code is:
    lines = [str(l) for l in new_lines]
    util.write_file(ssh_util.DEF_SSHD_CFG, "\n".join(lines))
  in cc_set_passwords.py. The write_file function uses the default mask 644 to write sshd_config.
  So my file permissions changed. It should be enhanced to read the old sshd_config permissions and write the new sshd_config with the old permissions to avoid a security issue.

** Tags added: verification-done-xenial

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1644064

Title:
  sshd_config file permission changed to 644 if ssh_pwauth value is true or false

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1644064/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
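Added example, written for this page and not cloud-init's code nor the reporter's: a Python rewrite of the sshd_config update that keeps the file's existing permission bits, shown beside the pattern the bug describes. It assumes, as the report states, that util.write_file called without a mode leaves the file at 0644 (write_file_naive reproduces only that effect, via an explicit chmod); all function names here are my own, and the sshd_config contents are constructed test input, not captured from a real image.

```python
"""Mode-preserving rewrite of an sshd_config-style file (added example)."""
import os
import stat
import tempfile

DEFAULT_MODE = 0o644            # the default the bug report attributes to write_file
SSHD_KEY = "passwordauthentication"   # sshd keywords are case-insensitive


def file_mode(path):
    """Permission bits of path as an int, e.g. 0o600 (what `ls -l` shows)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def read_text(path):
    with open(path) as fh:
        return fh.read()


def make_fixture(content, mode=0o600):
    """Constructed test input: an sshd_config in a fresh temp dir with the given mode."""
    path = os.path.join(tempfile.mkdtemp(), "sshd_config")
    with open(path, "w") as fh:
        fh.write(content)
    os.chmod(path, mode)
    return path


def write_file_naive(path, content, mode=DEFAULT_MODE):
    """The buggy pattern: write, then force the default mode whatever the file had.
    Assumption: this mirrors write_file's outcome; it is not cloud-init's code."""
    with open(path, "w") as fh:
        fh.write(content)
    os.chmod(path, mode)


def write_file_preserving_mode(path, content, default_mode=DEFAULT_MODE):
    """Rewrite path keeping its current mode (and owner when running as root).
    default_mode applies only if the file does not exist yet.  The new content
    goes to a 0600 temp file in the same directory and is renamed over the
    original, so no reader ever sees a truncated or more permissive file."""
    try:
        st = os.stat(path)
        mode, owner = stat.S_IMODE(st.st_mode), (st.st_uid, st.st_gid)
    except FileNotFoundError:
        mode, owner = default_mode, None
    fd, tmp = tempfile.mkstemp(prefix=".sshd_config.", dir=os.path.dirname(path) or ".")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(content)
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp, mode)                 # chmod ignores umask, unlike open()
        if owner is not None and os.geteuid() == 0:
            os.chown(tmp, *owner)
        os.replace(tmp, path)               # atomic on POSIX
    except BaseException:
        os.unlink(tmp)
        raise
    return mode


def set_password_auth(path, enabled):
    """What ssh_pwauth does to sshd_config: set PasswordAuthentication on the
    first uncommented occurrence, or append it; then write back keeping the mode."""
    wanted = "PasswordAuthentication %s" % ("yes" if enabled else "no")
    lines = read_text(path).splitlines() if os.path.exists(path) else []
    out, replaced = [], False
    for line in lines:
        tokens = line.replace("=", " ", 1).split()   # accept "Keyword=value" too
        if not replaced and tokens and tokens[0].lower() == SSHD_KEY:
            out.append(wanted)
            replaced = True
        else:
            out.append(line)     # "#PasswordAuthentication ..." comments are left alone
    if not replaced:
        out.append(wanted)
    return write_file_preserving_mode(path, "\n".join(out) + "\n")


def demo():
    """The scenario from the bug: the image ships sshd_config as 0600 and
    ssh_pwauth: true is applied.  Returns (mode before, mode after)."""
    path = make_fixture("#PasswordAuthentication yes\nPermitRootLogin no\n", 0o600)
    before = file_mode(path)
    set_password_auth(path, True)
    return before, file_mode(path)


if __name__ == "__main__":
    print("sshd_config mode before/after: %o/%o" % demo())
```

file_mode is the programmatic form of the `ls -ltr /etc/ssh/sshd_config` check in the SRU test case: with the naive writer a 0600 file comes back 0644, with the preserving writer it stays 0600, and a missing file gets the chosen default rather than inheriting whatever umask the process happened to run with.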
