summaryrefslogtreecommitdiff
path: root/cloudinit/util.py
diff options
context:
space:
mode:
authorEmanuele Giuseppe Esposito <eesposit@redhat.com>2021-10-19 21:32:10 +0200
committerGitHub <noreply@github.com>2021-10-19 14:32:10 -0500
commitee296ced9c0a61b1484d850b807c601bcd670ec1 (patch)
tree211f359af3c202f3eb28628dcfa8aa5842e4ae8c /cloudinit/util.py
parenta0a68a24c34ee268962e7a3c3844c59ab4036bf9 (diff)
downloadvyos-cloud-init-ee296ced9c0a61b1484d850b807c601bcd670ec1.tar.gz
vyos-cloud-init-ee296ced9c0a61b1484d850b807c601bcd670ec1.zip
cc_ssh.py: fix private key group owner and permissions (#1070)
When default host keys are created by sshd-keygen (/etc/ssh/ssh_host_*_key) in RHEL/CentOS/Fedora, openssh it performs the following: # create new keys if ! $KEYGEN -q -t $KEYTYPE -f $KEY -C '' -N '' >&/dev/null; then exit 1 fi # sanitize permissions /usr/bin/chgrp ssh_keys $KEY /usr/bin/chmod 640 $KEY /usr/bin/chmod 644 $KEY.pub Note that the group ssh_keys exists only in RHEL/CentOS/Fedora. Now that we disable sshd-keygen to allow only cloud-init to create them, we miss the "sanitize permissions" part, where we set the group owner as ssh_keys and the private key mode to 640. According to https://bugzilla.redhat.com/show_bug.cgi?id=2013644#c8, failing to set group ownership and permissions like openssh does makes the RHEL openscap tool generate an error. Signed-off-by: Emanuele Giuseppe Esposito eesposit@redhat.com RHBZ: 2013644
Diffstat (limited to 'cloudinit/util.py')
-rw-r--r--cloudinit/util.py14
1 files changed, 14 insertions, 0 deletions
diff --git a/cloudinit/util.py b/cloudinit/util.py
index 1b4384e1..575a1fef 100644
--- a/cloudinit/util.py
+++ b/cloudinit/util.py
@@ -1880,6 +1880,20 @@ def chmod(path, mode):
os.chmod(path, real_mode)
+def get_group_id(grp_name: str) -> int:
+ """
+ Returns the group id of a group name, or -1 if no group exists
+
+ @param grp_name: the name of the group
+ """
+ gid = -1
+ try:
+ gid = grp.getgrnam(grp_name).gr_gid
+ except KeyError:
+ LOG.debug("Group %s is not a valid group name", grp_name)
+ return gid
+
+
def get_permissions(path: str) -> int:
"""
Returns the octal permissions of the file/folder pointed by the path,