This bug was fixed in the package cloud-init -
0.7.9-113-g513e99e0-0ubuntu1~17.04.1
---------------
cloud-init (0.7.9-113-g513e99e0-0ubuntu1~17.04.1) zesty; urgency=medium
* debian/update-grub-legacy-ec2: fix early exit failure no /etc/fstab
file. (LP: #1682160)
* New upstream snapshot.
- nova-lxd: read product_name from environment, not platform.
(LP: #1685810)
- Fix yum repo config where keys contain array values [Dylan Perry]
- template: Update debian backports template [Joshua Powers]
- rsyslog: replace ~ with stop [Joshua Powers] (LP: #1367899)
- Doc: add additional RTD examples [Joshua Powers]
- Fix growpart for some cases when booted with root=PARTUUID.
(LP: #1684869)
- pylint: update output style to parseable [Joshua Powers]
- pylint: fix all logging warnings [Joshua Powers]
- CloudStack: Add NetworkManager to list of supported DHCP lease dirs.
[Syed Mushtaq Ahmed]
- net: kernel lies about vlans not stealing mac addresses, when they do
[Dimitri John Ledkov] (LP: #1682871)
- ds-identify: Check correct path for "latest" config drive
[Daniel Watkins] (LP: #1673637)
- doc: Fix example for resolv.conf configuration. [Jon Grimm]
- Fix examples that reference upstream chef repository. [Jon Grimm]
- doc: correct grammar and improve clarity in merging documentation.
[David Tagatac]
- doc: Add missing doc link to snap-config module. [Ryan Harper]
- snap: allows for creating cloud-init snap [Joshua Powers]
- DigitalOcean: assign IPv4ll address to lowest indexed interface.
[Ben Howard] (LP: #1676908)
- DigitalOcean: configure all NICs presented in meta-data.
[Ben Howard] (LP: #1676908)
- Remove (and/or fix) URL shortener references [Jon Grimm]
- HACKING.rst: more info on filling out contributors agreement.
- util: teach write_file about copy_mode option
[Lars Kellogg-Stedman] (LP: #1644064)
- DigitalOcean: bind resolvers to loopback interface.
[Ben Howard] (LP: #1676908)
- tests: fix AltCloud tests to not rely on blkid (LP: #1636531)
-- Scott Moser <smo...@ubuntu.com> Thu, 27 Apr 2017 15:09:31 -0400
** Changed in: cloud-init (Ubuntu Zesty)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/1644064
Title:
sshd_config file permission changed to 644 if ssh_pwauth value is true
or false
Status in cloud-init:
Fix Committed
Status in cloud-init package in Ubuntu:
Fix Released
Status in cloud-init source package in Xenial:
Fix Released
Status in cloud-init source package in Yakkety:
Fix Released
Status in cloud-init source package in Zesty:
Fix Released
Status in cloud-init source package in Artful:
Fix Released
Bug description:
=== Begin SRU Template ===
[Impact]
Existing security permissions on /etc/ssh/sshd_config file are not honored.
[Test Case]
wget
https://git.launchpad.net/~smoser/cloud-init/+git/sru-info/plain/bin/lxc-proposed-snapshot
chmod 755 lxc-proposed-snapshot
# create config.yaml
cat config.yaml
#cloud-config
ssh_pwauth: true
name=proposed-test
for release in xenial yakkety zesty; do \
ref=$release-proposed;
lxc-proposed-snapshot --proposed --publish $release $ref;
lxc init $ref $name;
lxc file pull $name/etc/ssh/sshd_config .;
chmod 600 sshd_config;
lxc file push sshd_config $name/etc/ssh/sshd_config;
lxc config set $name user.user-data - < config.yml;
lxc start;
sleep 10;
lxc exec $name ls -ltr /etc/ssh/sshd_config; # should remain 600
lxc stop $name;
lxc delete $name;
done
[Regression Potential]
Minimal as we are now honoring file permissions if an sshd_config file exists.
[Other Info]
=== End SRU Template ===
In my deploy image, the default permission of sshd_config file is 600.
It always be changed to 644 after cloud-init run. After debug, it is
caused by cloud-config item:
ssh_pwauth: true
The related code is:
lines = [str(l) for l in new_lines]
util.write_file(ssh_util.DEF_SSHD_CFG, "\n".join(lines))
of file cc_set_passwords.py.
write_file function use default mask 644 to write sshd_config. So my
file permission changed.
It shall be enhanced to read old sshd_config permission and write new
sshd_config with old permission to avoid security issue.
To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1644064/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
