New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ssh_util: Handle sshd_config.d folder #1618
Conversation
7d45889
to
31b38c6
Compare
FYI, @toabctl, here is the |
There is another reference to I guess that tool is a development tool and in order to minimize the SRU patch, we can defer its fix to a follow-up PR. Is that right? @blackboxsw, @holmanb, @TheRealFalcon. |
After a team discussion, we decided to not extend What we want to extend is the post-remove deb hook during purge to clean-up |
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. thanks!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks really good @aciba90 thank you much for putting this together.
Minor comments on:
- file permissions on the config parts file
- using prefix 50-cloud-init.conf
- integration tests for the file emitted
otherwise +1.
- Extend integration tests - Use 50-cloud-init.conf as sshd config file - with 0o600 permissions
Addressed. Thanks, @blackboxsw, for the review and constructive comments. This is ready to be reviewed. |
FYI: @stevebeattie & @setharnold for general awareness of security-related behavior changes in |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Thanks for the permissions fixes @aciba90. I'm good to land this EOD today.
The idea is to not modify In respect to |
Okay, cool, so it's impossible for untrusted code to ever call Thanks |
Well, we would have to define what is untrusted code to answer that. What is clear is that this PR does not introduce new attack vectors, as the function already accepted |
I think the answer to this is technically "no it is not impossible". A (root) user could technically write a 3rd party module (not trusted, by some definitions) that uses this function, insert the module into a root-only writable directory on the fs where config modules live, configure cloud-init to load this module (in their root-only writable cloud.cfg), and cloud-init would would technically run untrusted code that calls However this isn't an escalation issue because every step of that has Posix permissions preventing a non-root user from doing it. So I agree with what @aciba90 said: it depends on how you define untrusted. And I don't think this change poses a problem, because in the default case the code executing this is trusted. |
I think I was thinking more along the lines of an ISP-supplied "easy deployment" sort of web interface that might take a "machine name" or "service name" sort of field and use it in surprising ways. If you're content then I'm content :D Thanks! |
re: /etc/ssh/sshd_config.d/50-cloud-init.conf generated by cloud-init I see it is removed using packages/debian/cloud-init.postrm . Since the package manager does not install the conf, could we not have cleaned it up as a part of "cloud-init clean" operation? |
The reason I ask is that for centos/rhel, if we took similar approach, we would have to remove it from the rpm spec file. Instead we could have a common place to remove such conf files, @blackboxsw |
For example, we could we not remove it as a part of |
Thanks, @ani-sinha, for making cloud-init better. I think it is reasonable to expect Another instance of this problem with a different file: #3240 |
I have some reservations about this after thinking. When |
Per cli.html#clean and #3240 (comment), I understand that files that are dynamically created by cloud-init at runtime are okay to be removed by But if you think this in not required, then do not create the issue, thanks. |
Right now the clean command only cleans artefacts from ’/var/lib/cloud’ and the cli documentation also says so. Adding config files to it would be something new and I am not sure if it's safe. If we do this the cli documentation also needs updating. Hence I need inputs from cloud-init maintainers . I would be happy to send a PR if it seems ok to do it . |
By safe, do you mean software security?
Yes, the documentation should be updated in that case. Something like:
|
No what I mean is that there might be some inconsistency if ‘cloud-init init‘ doesn't recreate all the config files that were present before cleaning. The inconsistency might break cloud-init functionality. |
@blackboxsw what do you think? |
cloud-init generates several config files today that are not cleaned as a part of `cloud-init clean` operation. For example, cloud-init uses /etc/ssh/sshd_config.d/50-cloud-init.conf to configure ssh daemon which is then left uncleaned. This change adds a new option `cloud-init clean --config` that would clean up these config files as well. Additionally, the cli documentation has also been updated to document this new option. Reference: canonical#1618 Fixes: canonicalGH-3240 Signed-off-by: Ani Sinha <anisinha@redhat.com>
cloud-init generates several config files today that are not cleaned as a part of `cloud-init clean` operation. For example, cloud-init uses `/etc/ssh/sshd_config.d/50-cloud-init.conf` to configure ssh daemon which is then left uncleaned. This change adds a new option `cloud-init clean --config` that would clean up these config files as well. Additionally, the cli documentation has also been updated to document this new option. Reference: canonical#1618 Fixes: canonicalGH-3240 Signed-off-by: Ani Sinha <anisinha@redhat.com>
cloud-init generates several config files today that are not cleaned as a part of `cloud-init clean` operation. For example, cloud-init uses `/etc/ssh/sshd_config.d/50-cloud-init.conf` to configure ssh daemon which is then left uncleaned. This change adds a new option `cloud-init clean --configs` that would clean up these config files as well. Additionally, the cli documentation has also been updated to document this new option. Reference: canonical#1618 Fixes: canonicalGH-3240 Signed-off-by: Ani Sinha <anisinha@redhat.com>
cloud-init generates several config files today that are not cleaned as a part of `cloud-init clean` operation. For example, cloud-init uses `/etc/ssh/sshd_config.d/50-cloud-init.conf` to configure ssh daemon which is then left uncleaned. This change adds a new option `cloud-init clean --configs` that would clean up these config files as well. Additionally, the cli documentation has also been updated to document this new option. Reference: canonical#1618 Fixes: canonicalGH-3240 Signed-off-by: Ani Sinha <anisinha@redhat.com>
@ani-sinha thanks for the ping on this issue. I think the functionality of cloud-init clean is to provide a best effort to "reset" cloud-init to initial state so that cloud-init treats next boot of that image as a first initialization or "greenfield" boot. While the clean subcommand doesn't currently make an effort to remove any configuration artifacts produced by the previous run (such as user creation, ssh keys, ssh config, files written by write_files) I could see us trying to grow that optional functionality. |
OK I have added a new option under |
cloud-init generates several config files today that are not cleaned as a part of `cloud-init clean` operation. For example, cloud-init uses `/etc/ssh/sshd_config.d/50-cloud-init.conf` to configure ssh daemon which is then left uncleaned. This change adds a new option `cloud-init clean --configs` that would clean up these config files as well. This new option provides two choices - `ssh_config` and `network` that defines the scope of the config files that would be cleaned - ssh configs or network configs. Additionally, the cli documentation has also been updated to document this new option. Reference: canonical#1618 Fixes: canonicalGH-3240 Signed-off-by: Ani Sinha <anisinha@redhat.com>
cloud-init generates several config files today that are not cleaned as a part of `cloud-init clean` operation. For example, cloud-init uses `/etc/ssh/sshd_config.d/50-cloud-init.conf` to configure ssh daemon which is then left uncleaned. This change adds a new option `cloud-init clean --configs` that would clean up these config files as well. This new option provides two choices - `ssh_config` and `network` that defines the scope of the config files that would be cleaned - ssh configs or network configs. They can be extended further to include other types of config files as well in the future. Additionally, the cli documentation has also been updated to document this new option. Reference: canonical#1618 Fixes: canonicalGH-3240 Signed-off-by: Ani Sinha <anisinha@redhat.com>
cloud-init generates several config files today that are not cleaned as a part of `cloud-init clean` operation. For example, cloud-init uses `/etc/ssh/sshd_config.d/50-cloud-init.conf` to configure ssh daemon which is then left uncleaned. This change adds a new option `cloud-init clean --configs` that would clean up these config files as well. This new option provides three choices - `all`, `ssh_config` and `network` that defines the scope of the config files that would be cleaned - ssh configs or network configs or all configs. They can be extended further to include other types of config files as well in the future. Additionally, the cli documentation has also been updated to document this new option. Reference: canonical#1618 Fixes: canonicalGH-3240 Signed-off-by: Ani Sinha <anisinha@redhat.com> Co-authored-by: Chad Smith <chad.smith@canonical.com>
cloud-init generates several config files today that are not cleaned as a part of `cloud-init clean` operation. For example, cloud-init uses `/etc/ssh/sshd_config.d/50-cloud-init.conf` to configure ssh daemon which is then left uncleaned. This change adds a new option `cloud-init clean --configs` that would clean up these config files as well. This new option provides three choices - `all`, `ssh_config` and `network` that defines the scope of the config files that would be cleaned - ssh configs or network configs or all configs. They can be extended further to include other types of config files as well in the future. Additionally, the cli documentation has also been updated to document this new option. Reference: canonical#1618 Fixes: canonicalGH-3240 Signed-off-by: Ani Sinha <anisinha@redhat.com> Co-authored-by: Chad Smith <chad.smith@canonical.com>
cloud-init generates several config files today that are not cleaned as a part of `cloud-init clean` operation. For example, cloud-init uses `/etc/ssh/sshd_config.d/50-cloud-init.conf` to configure ssh daemon which is then left uncleaned. This change adds a new option `cloud-init clean --configs` that would clean up these config files as well. This new option provides three choices - `all`, `ssh_config` and `network` that defines the scope of the config files that would be cleaned - ssh configs or network configs or all configs. They can be extended further to include other types of config files as well in the future. The cli documentation has also been updated to document this new option. Additionally, this patch adds a new integration test for the `clean` command. Reference: canonical#1618 Fixes: canonicalGH-3240 Signed-off-by: Ani Sinha <anisinha@redhat.com> Co-authored-by: Chad Smith <chad.smith@canonical.com>
cloud-init generates several config files today that are not cleaned as a part of `cloud-init clean` operation. For example, cloud-init uses `/etc/ssh/sshd_config.d/50-cloud-init.conf` to configure ssh daemon which is then left uncleaned. This change adds a new option `cloud-init clean --configs` that would clean up these config files as well. This new option provides three choices - `all`, `ssh_config` and `network` that defines the scope of the config files that would be cleaned - ssh configs or network configs or all configs. They can be extended further to include other types of config files as well in the future. The cli documentation has also been updated to document this new option. Additionally, this patch adds a new integration test for the `clean` command. Reference: canonical#1618 Fixes: canonicalGH-3240 Signed-off-by: Ani Sinha <anisinha@redhat.com> Co-authored-by: Chad Smith <chad.smith@canonical.com>
cloud-init generates several config files today that are not cleaned as a part of `cloud-init clean` operation. For example, cloud-init uses `/etc/ssh/sshd_config.d/50-cloud-init.conf` to configure ssh daemon which is then left uncleaned. This change adds a new option `cloud-init clean --configs` that would clean up these config files as well. This new option provides three choices - `all`, `ssh_config` and `network` that defines the scope of the config files that would be cleaned - ssh configs or network configs or all configs. They can be extended further to include other types of config files as well in the future. The cli documentation has also been updated to document this new option. Additionally, this patch adds a new integration test for the `clean` command. Reference: #1618 Fixes GH-3240 Signed-off-by: Ani Sinha <anisinha@redhat.com> Co-authored-by: Chad Smith <chad.smith@canonical.com>
Proposed Commit Message
Additional Context
SC-1172
LP: #1968873
In order to ease upgrading
openssh-server
, write out sshd_configinto a separated
cloud-init
conf file with high priority under/etc/ssh/sshd_config.d/00-cloud-init.conf
.This fixes #1968873 in
main
and will be SRUed tofocal
,impish
and
focal
.Test Steps
Checklist: