| field | value |
|---|---|
| author | Emanuele Giuseppe Esposito <eesposit@redhat.com>, 2021-10-19 21:32:10 +0200 |
| committer | GitHub <noreply@github.com>, 2021-10-19 14:32:10 -0500 |
| commit | ee296ced9c0a61b1484d850b807c601bcd670ec1 (patch) |
| tree | 211f359af3c202f3eb28628dcfa8aa5842e4ae8c /cloudinit/util.py |
| parent | a0a68a24c34ee268962e7a3c3844c59ab4036bf9 (diff) |
| download | vyos-cloud-init-ee296ced9c0a61b1484d850b807c601bcd670ec1.tar.gz, vyos-cloud-init-ee296ced9c0a61b1484d850b807c601bcd670ec1.zip |
cc_ssh.py: fix private key group owner and permissions (#1070)
When default host keys are created by sshd-keygen (/etc/ssh/ssh_host_*_key)
in RHEL/CentOS/Fedora, openssh performs the following:

```sh
# create new keys
if ! $KEYGEN -q -t $KEYTYPE -f $KEY -C '' -N '' >&/dev/null; then
    exit 1
fi
# sanitize permissions
/usr/bin/chgrp ssh_keys $KEY
/usr/bin/chmod 640 $KEY
/usr/bin/chmod 644 $KEY.pub
```
Note that the group ssh_keys exists only in RHEL/CentOS/Fedora.
Now that we disable sshd-keygen to allow only cloud-init to create
them, we miss the "sanitize permissions" part, where we set the group
owner as ssh_keys and the private key mode to 640.
According to https://bugzilla.redhat.com/show_bug.cgi?id=2013644#c8, failing
to set group ownership and permissions like openssh does makes the RHEL openscap
tool generate an error.
Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
RHBZ: 2013644
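The "sanitize permissions" step the commit message describes, carried out from Python instead of the sshd-keygen shell snippet, as an added example that is not cloud-init's own code. It reuses the `get_group_id` contract from this commit (gid or -1), skips the chgrp on distributions without an `ssh_keys` group, and pairs the fix with an audit check of the kind the openscap rule performs. The group name and modes come from the commit message; the key files, their placeholder contents and the `demo` helper are constructed for the example.

```python
import grp
import os
import stat
import tempfile

# Values taken from the sshd-keygen snippet in the commit message; the group
# only exists on RHEL/CentOS/Fedora.
SSH_KEYS_GROUP = "ssh_keys"
PRIVATE_KEY_MODE = 0o640
PUBLIC_KEY_MODE = 0o644


def get_group_id(grp_name: str) -> int:
    """Return the gid of grp_name, or -1 when the group does not exist.

    Same contract as the helper this commit adds to cloudinit/util.py.
    """
    try:
        return grp.getgrnam(grp_name).gr_gid
    except KeyError:
        return -1


def sanitize_host_key_permissions(private_key: str, group: str = SSH_KEYS_GROUP) -> dict:
    """Apply sshd-keygen's 'sanitize permissions' step to one host key pair.

    The chgrp is skipped (not failed) when the group is absent, so the same
    code is safe on distributions without an ssh_keys group.
    """
    public_key = private_key + ".pub"
    applied = {"gid": get_group_id(group), "chgrp_error": None}
    if applied["gid"] != -1:
        try:
            # uid -1 keeps the current owner; only the group changes.
            os.chown(private_key, -1, applied["gid"])
        except PermissionError as exc:  # not root and not a member of the group
            applied["chgrp_error"] = str(exc)
    os.chmod(private_key, PRIVATE_KEY_MODE)
    os.chmod(public_key, PUBLIC_KEY_MODE)
    return applied


def check_host_key_permissions(private_key: str, group: str = SSH_KEYS_GROUP) -> list:
    """Audit one host key pair the way a compliance scanner would.

    Returns a list of findings; an empty list means the pair is compliant.
    The group finding is only raised on systems where the group exists.
    """
    findings = []
    public_key = private_key + ".pub"
    priv_mode = stat.S_IMODE(os.stat(private_key).st_mode)
    pub_mode = stat.S_IMODE(os.stat(public_key).st_mode)
    # Any bit outside rw-r----- on the private key is too permissive.
    if priv_mode & ~PRIVATE_KEY_MODE & 0o777:
        findings.append(f"private key mode {priv_mode:#o} exceeds {PRIVATE_KEY_MODE:#o}")
    if pub_mode != PUBLIC_KEY_MODE:
        findings.append(f"public key mode {pub_mode:#o} is not {PUBLIC_KEY_MODE:#o}")
    expected_gid = get_group_id(group)
    actual_gid = os.stat(private_key).st_gid
    if expected_gid != -1 and actual_gid != expected_gid:
        findings.append(f"private key group gid {actual_gid} is not {group} (gid {expected_gid})")
    return findings


def demo() -> list:
    """Create a constructed key pair (placeholder text, not real key material)
    with sloppy modes, sanitize it, and return [findings_before, findings_after]."""
    with tempfile.TemporaryDirectory() as tmp:
        priv = os.path.join(tmp, "ssh_host_ed25519_key")
        with open(priv, "w") as fh:
            fh.write("PLACEHOLDER PRIVATE KEY (constructed)\n")
        with open(priv + ".pub", "w") as fh:
            fh.write("PLACEHOLDER PUBLIC KEY (constructed)\n")
        os.chmod(priv, 0o644)           # world-readable private key
        os.chmod(priv + ".pub", 0o600)  # public key not readable by clients
        before = check_host_key_permissions(priv)
        sanitize_host_key_permissions(priv)
        after = check_host_key_permissions(priv)
    return [before, after]


if __name__ == "__main__":
    for label, findings in zip(("before", "after"), demo()):
        print(label, findings or "compliant")
```

Run it as the file owner: the mode findings disappear after sanitizing on any distribution, while the group finding can only be cleared on a host that actually has the `ssh_keys` group and where the process may chgrp to it (root, or a member of that group).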
Diffstat (limited to 'cloudinit/util.py')
-rw-r--r-- | cloudinit/util.py | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/cloudinit/util.py b/cloudinit/util.py index 1b4384e1..575a1fef 100644 --- a/cloudinit/util.py +++ b/cloudinit/util.py @@ -1880,6 +1880,20 @@ def chmod(path, mode): os.chmod(path, real_mode) +def get_group_id(grp_name: str) -> int: + """ + Returns the group id of a group name, or -1 if no group exists + + @param grp_name: the name of the group + """ + gid = -1 + try: + gid = grp.getgrnam(grp_name).gr_gid + except KeyError: + LOG.debug("Group %s is not a valid group name", grp_name) + return gid + + def get_permissions(path: str) -> int: """ Returns the octal permissions of the file/folder pointed by the path, |
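Review bot: the new get_group_id calls grp.getgrnam but the hunk (starting at line 1880) adds no import, so confirm that cloudinit/util.py already has `import grp` at the top; the visible context does not show it. The -1 sentinel also deserves a word in the docstring about how callers are expected to treat it: os.chown treats gid -1 as "leave the group unchanged", which makes a missed check silently skip the chgrp this commit exists to add, so either state that callers must test for -1 before chowning, or return Optional[int] with None so a forgotten check fails loudly. The LOG.debug level is right, since the group is expected to be absent outside RHEL/CentOS/Fedora.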