-rwxr-xr-x | cloudinit/config/cc_ssh.py | 7 | ||||
-rw-r--r-- | cloudinit/util.py | 14 |
2 files changed, 21 insertions, 0 deletions
diff --git a/cloudinit/config/cc_ssh.py b/cloudinit/config/cc_ssh.py
index 43f64290..ff9e9753 100755
--- a/cloudinit/config/cc_ssh.py
+++ b/cloudinit/config/cc_ssh.py
@@ -240,6 +240,13 @@ def handle(_name, cfg, cloud, log, _args):
     try:
         out, err = subp.subp(cmd, capture=True, env=lang_c)
         sys.stdout.write(util.decode_binary(out))
+
+        gid = util.get_group_id("ssh_keys")
+        if gid != -1:
+            # perform same "sanitize permissions" as sshd-keygen
+            os.chown(keyfile, -1, gid)
+            os.chmod(keyfile, 0o640)
+            os.chmod(keyfile + ".pub", 0o644)
     except subp.ProcessExecutionError as e:
         err = util.decode_binary(e.stderr).lower()
         if (e.exit_code == 1 and
diff --git a/cloudinit/util.py b/cloudinit/util.py
index 1b4384e1..575a1fef 100644
--- a/cloudinit/util.py
+++ b/cloudinit/util.py
@@ -1880,6 +1880,20 @@ def chmod(path, mode):
     os.chmod(path, real_mode)
 
 
+def get_group_id(grp_name: str) -> int:
+    """
+    Returns the group id of a group name, or -1 if no group exists
+
+    @param grp_name: the name of the group
+    """
+    gid = -1
+    try:
+        gid = grp.getgrnam(grp_name).gr_gid
+    except KeyError:
+        LOG.debug("Group %s is not a valid group name", grp_name)
+    return gid
+
+
 def get_permissions(path: str) -> int:
     """
     Returns the octal permissions of the file/folder pointed by the path,
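Review bot: The new `os.chown`/`os.chmod` calls sit inside a `try` whose only handler is `except subp.ProcessExecutionError`, so an `OSError` raised by them (for example when `keyfile` was not produced by the keygen run, or EPERM) escapes `handle` instead of being logged the way a keygen failure is on the lines below; give the permission block its own `try`/`except OSError as e:` with `log.warning("Failed to set ssh_keys group permissions on %s: %s", keyfile, e)`. The `0o640` mode also widens the host private key from owner-only to readable by every member of `ssh_keys` on any system where that group exists, which matches the sshd-keygen convention for an sshd that uses that group but is worth stating in the comment so the relaxation is visibly intentional, e.g. `# sshd-keygen convention: private key group-readable by ssh_keys, public key world-readable`. `handle` starts and ends outside the hunk.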
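Review bot: `get_group_id` depends on `grp` and `LOG` being in scope in util.py; the module's import block is outside the hunk, so confirm `import grp` is present, since a missing import would only surface as a `NameError` on the lookup path. The debug message `"Group %s is not a valid group name"` is slightly misleading: a `KeyError` from `grp.getgrnam` means the group is not defined on this system, not that the name is malformed, so `LOG.debug("Group %s does not exist", grp_name)` reads more accurately. The `-1` sentinel is safe for the `os.chown` caller (which treats -1 as "leave unchanged"), but a caller that forgets the check silently skips the ownership change, so the docstring should say callers must test for -1 before using the result.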