From ee296ced9c0a61b1484d850b807c601bcd670ec1 Mon Sep 17 00:00:00 2001 From: Emanuele Giuseppe Esposito Date: Tue, 19 Oct 2021 21:32:10 +0200 Subject: cc_ssh.py: fix private key group owner and permissions (#1070) When default host keys are created by sshd-keygen (/etc/ssh/ssh_host_*_key) in RHEL/CentOS/Fedora, openssh it performs the following: # create new keys if ! $KEYGEN -q -t $KEYTYPE -f $KEY -C '' -N '' >&/dev/null; then exit 1 fi # sanitize permissions /usr/bin/chgrp ssh_keys $KEY /usr/bin/chmod 640 $KEY /usr/bin/chmod 644 $KEY.pub Note that the group ssh_keys exists only in RHEL/CentOS/Fedora. Now that we disable sshd-keygen to allow only cloud-init to create them, we miss the "sanitize permissions" part, where we set the group owner as ssh_keys and the private key mode to 640. According to https://bugzilla.redhat.com/show_bug.cgi?id=2013644#c8, failing to set group ownership and permissions like openssh does makes the RHEL openscap tool generate an error. Signed-off-by: Emanuele Giuseppe Esposito eesposit@redhat.com RHBZ: 2013644 --- cloudinit/util.py | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'cloudinit/util.py') diff --git a/cloudinit/util.py b/cloudinit/util.py index 1b4384e1..575a1fef 100644 --- a/cloudinit/util.py +++ b/cloudinit/util.py @@ -1880,6 +1880,20 @@ def chmod(path, mode): os.chmod(path, real_mode) +def get_group_id(grp_name: str) -> int: + """ + Returns the group id of a group name, or -1 if no group exists + + @param grp_name: the name of the group + """ + gid = -1 + try: + gid = grp.getgrnam(grp_name).gr_gid + except KeyError: + LOG.debug("Group %s is not a valid group name", grp_name) + return gid + + def get_permissions(path: str) -> int: """ Returns the octal permissions of the file/folder pointed by the path, -- cgit v1.2.3