
Root directory permissions too permissive on network boot image #1812

Closed
travisgroth opened this issue Feb 16, 2017 · 2 comments
@travisgroth travisgroth commented Feb 16, 2017

Issue Report

Bug

Container Linux Version

NAME="Container Linux by CoreOS"
ID=coreos
VERSION=1313.0.0
VERSION_ID=1313.0.0
BUILD_ID=2017-02-03-0826
PRETTY_NAME="Container Linux by CoreOS 1313.0.0 (Ladybug)"
ANSI_COLOR="38;5;75"
HOME_URL="https://coreos.com/"
BUG_REPORT_URL="https://github.com/coreos/bugs/issues"

Environment

Any PXE/network boot environment (VMware, metal, etc.).

Expected Behavior

Root file system top-level directory should be 755.

Actual Behavior

Root filesystem permissions are the tmpfs default (open with +t) on the network boot image:

coreos0 pam.d # ls -la /
total 0
drwxrwxrwt.  16 root root  400 Feb 16 05:00 .

This is (a) a potential security issue, even on ephemeral images and (b) causes sshd to abort running /usr/bin/sss_ssh_authorizedkeys due to the permissions:

debug3: subprocess: AuthorizedKeysCommand command "/usr/bin/sss_ssh_authorizedkeys tgroth" running as root
debug1: temporarily_use_uid: 0/0 (e=0/0)
Unsafe AuthorizedKeysCommand "/usr/bin/sss_ssh_authorizedkeys": bad ownership or modes for directory /

Reproduction Steps

  1. Configure sshd to look up authorized keys from sssd
  2. Observe debug information from sshd

Other Information

Doing a simple

chmod 755 /

fixes sshd. When creating the tmpfs mount, I believe you can specify the top-level permissions with the mode flag (e.g. mode=755).
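Added example (not from this issue or from Container Linux): a shell check that applies the same rule sshd enforces before it runs an AuthorizedKeysCommand (every directory on the path must be owned by root or the login user and must not be group- or world-writable), exercised on a scratch directory set to the tmpfs default 1777 and then to the 0755 the reporter proposes. It assumes GNU stat and the function names are hypothetical.

```shell
#!/bin/sh
# Reproduces sshd's "bad ownership or modes for directory" test so the
# tmpfs-root problem can be spotted without reading sshd debug output.
# Assumption: GNU stat (Linux); function names are made up for this example.

# mode_is_safe OCTAL_MODE OWNER_UID LOGIN_UID
#   returns 0 if sshd would accept the directory, 1 if it would reject it
mode_is_safe() {
    mode=$1; owner=$2; login=$3
    # sshd requires the directory to be owned by root or by the login user ...
    [ "$owner" -eq 0 ] || [ "$owner" -eq "$login" ] || return 1
    # ... and rejects any group/other write bit (mask 022). The sticky bit
    # does not help: the tmpfs default 1777 fails, 0755 passes.
    [ $(( 0$mode & 022 )) -eq 0 ] || return 1
    return 0
}

# dir_is_safe DIR -> same decision, read from the live filesystem
dir_is_safe() {
    set -- "$(stat -c '%a %u' "$1")" "$(id -u)"
    mode_is_safe "${1%% *}" "${1##* }" "$2"
}

# Demonstration on a scratch directory rather than on / itself.
demo() {
    d=$(mktemp -d)
    chmod 1777 "$d"   # what the network-boot tmpfs root looked like
    dir_is_safe "$d" && echo "1777: accepted" || echo "1777: sshd would reject"
    chmod 0755 "$d"   # the chmod workaround, or mount tmpfs with mode=0755
    dir_is_safe "$d" && echo "0755: accepted" || echo "0755: sshd would reject"
    rmdir "$d"
}
```

Run `demo` to see the rejection for 1777 and acceptance for 0755; point `dir_is_safe /` at a booted image to check the actual root.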


@bgilbert bgilbert commented Feb 17, 2017

This should be fixed in the next alpha. Thanks for reporting.

@bgilbert bgilbert closed this Feb 17, 2017

@travisgroth travisgroth commented Feb 17, 2017

@bgilbert no problem. Thanks for getting it resolved so quickly.
