** Also affects: cloud-init (Ubuntu Zesty)
   Importance: Undecided
       Status: New

** Also affects: cloud-init (Ubuntu Yakkety)
   Importance: Undecided
       Status: New

** Also affects: cloud-init (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Changed in: cloud-init (Ubuntu Xenial)
       Status: New => Confirmed

** Changed in: cloud-init (Ubuntu Yakkety)
       Status: New => Confirmed

** Changed in: cloud-init (Ubuntu Zesty)
       Status: New => Confirmed

** Changed in: cloud-init (Ubuntu Xenial)
   Importance: Undecided => Medium

** Changed in: cloud-init (Ubuntu Yakkety)
   Importance: Undecided => Medium

** Changed in: cloud-init (Ubuntu Zesty)
   Importance: Undecided => Medium

** Changed in: cloud-init (Ubuntu Artful)
   Importance: Undecided => Medium

https://bugs.launchpad.net/bugs/1644064

Title:
  sshd_config file permission changed to 644 if ssh_pwauth value is true or false

Status in cloud-init:
  Fix Committed
Status in cloud-init package in Ubuntu:
  Fix Released
Status in cloud-init source package in Xenial:
  Confirmed
Status in cloud-init source package in Yakkety:
  Confirmed
Status in cloud-init source package in Zesty:
  Confirmed
Status in cloud-init source package in Artful:
  Fix Released

Bug description:
  === Begin SRU Template ===
  [Impact]
  Existing security permissions on /etc/ssh/sshd_config file are not honored.

  [Test Case]
  wget https://git.launchpad.net/~smoser/cloud-init/+git/sru-info/plain/bin/lxc-proposed-snapshot
  chmod 755 lxc-proposed-snapshot

  # create config.yaml
  cat config.yaml
  #cloud-config
  ssh_pwauth: true

  name=proposed-test
  for release in xenial yakkety zesty; do \
    ref=$release-proposed;
    lxc-proposed-snapshot --proposed --publish $release $ref;
    lxc init $ref $name;
    lxc start $name;
    sleep 10;
    lxc file pull $name/etc/ssh/sshd_config .;
    chmod 600 sshd_config;
    lxc file push sshd_config $name/etc/ssh/sshd_config;
    lxc config set $name user.user-data - < config.yaml;
    lxc start $name;
    sleep 10;
    lxc exec $name ls -ltr /etc/ssh/sshd_config;  # should remain 600
    lxc stop $name;
    lxc delete $name;
  done

  [Regression Potential]
  Minimal as we are now honoring file permissions if an sshd_config file exists.

  [Other Info]

  === End SRU Template ===

  In my deploy image, the default permission of the sshd_config file is 600.
  It is always changed to 644 after cloud-init runs.

  After debugging, it is caused by the cloud-config item:
    ssh_pwauth: true

  The related code is:
    lines = [str(l) for l in new_lines]
    util.write_file(ssh_util.DEF_SSHD_CFG, "\n".join(lines))
  in the file cc_set_passwords.py.

  The write_file function uses the default mask 644 to write sshd_config,
  so my file permission changed.

  It shall be enhanced to read the old sshd_config permission and write the
  new sshd_config with the old permission to avoid a security issue.
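
The behaviour reported above and the enhancement it asks for, as an added stand-alone example (not cloud-init's code and not the committed fix). The helper names, the temporary paths and the sample sshd_config contents are assumptions made for the illustration.

```python
import os
import stat
import tempfile

DEFAULT_MODE = 0o644  # the default the report attributes to write_file


def write_file(path, content, mode=DEFAULT_MODE):
    """Hypothetical stand-in for a writer that always applies `mode`."""
    with open(path, "w") as fh:
        fh.write(content)
    os.chmod(path, mode)


def existing_mode(path, default=DEFAULT_MODE):
    """Permission bits of `path`, or `default` when the file does not exist."""
    try:
        return stat.S_IMODE(os.stat(path).st_mode)
    except FileNotFoundError:
        return default


def write_file_preserving_mode(path, content, default=DEFAULT_MODE):
    """Rewrite `path`, keeping whatever mode the admin had set on it."""
    mode = existing_mode(path, default)
    directory = os.path.dirname(os.path.abspath(path))
    # mkstemp creates the file 0600, so the new content is never readable
    # more widely than the final mode, even for a moment.
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".sshd_config-")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(content)
        os.chmod(tmp, mode)
        os.replace(tmp, path)  # atomic swap; owner becomes the writing user
    except BaseException:
        os.unlink(tmp)
        raise


def demo():
    """Return (mode after default-mode rewrite, mode after preserving rewrite)."""
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "sshd_config")  # constructed sample file
        write_file(cfg, "PasswordAuthentication no\n", mode=0o600)
        write_file(cfg, "PasswordAuthentication yes\n")  # reported behaviour
        widened = existing_mode(cfg)
        os.chmod(cfg, 0o600)  # admin restores the hardened mode
        write_file_preserving_mode(cfg, "PasswordAuthentication yes\n")
        return widened, existing_mode(cfg)


if __name__ == "__main__":
    print([oct(m) for m in demo()])
```
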