Root directory permissions too permissive on network boot image #1812

travisgroth opened this issue Feb 16, 2017 · 2 comments


@travisgroth travisgroth commented Feb 16, 2017

Issue Report


Container Linux Version

NAME="Container Linux by CoreOS"
PRETTY_NAME="Container Linux by CoreOS 1313.0.0 (Ladybug)"


Any pxe/network boot environment (vmware, metal, etc).

Expected Behavior

Root file system top level directory should be 755.

Actual Behavior

Root filesystem permissions are the tmpfs default (open with +t) on the network boot image:

coreos0 pam.d # ls -la /
total 0
drwxrwxrwt.  16 root root  400 Feb 16 05:00 .

This is (a) a potential security issue, even on ephemeral images and (b) causes sshd to abort running /usr/bin/sss_ssh_authorizedkeys due to the permissions:

debug3: subprocess: AuthorizedKeysCommand command "/usr/bin/sss_ssh_authorizedkeys tgroth" running as root
debug1: temporarily_use_uid: 0/0 (e=0/0)
Unsafe AuthorizedKeysCommand "/usr/bin/sss_ssh_authorizedkeys": bad ownership or modes for directory /

Reproduction Steps

  1. Configure sshd to look up authorized keys from sssd
  2. Observe debug information from sshd

Other Information

Doing a simple

chmod 755 / 

fixes sshd. When creating the tmpfs mount I believe you can specify the top level permissions with the mode flag (e.g. mode=755).
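
An added illustration, not part of the original report and not code from CoreOS or OpenSSH: a shell audit that approximates the ownership and mode walk behind the "bad ownership or modes for directory /" message, so an image can be checked before sshd rejects the AuthorizedKeysCommand. The function names and the optional owner and stop-directory arguments are assumptions made for this example; it relies on GNU stat.

```shell
#!/bin/sh
# Added example: walk a command path up to / and flag every component that
# is group- or world-writable, or not owned by root / the expected uid.

# True (exit 0) when an octal mode string has group- or other-write set.
is_unsafe_mode() {
    [ $(( 0$1 & 022 )) -ne 0 ]
}

# audit_path PATH [OWNER_UID] [STOP_DIR]
# Checks PATH and each parent directory up to STOP_DIR (default /).
# Prints one line per offending component; returns 1 if any were found,
# 2 if a component could not be inspected.
audit_path() {
    p=$1; owner=${2:-0}; stop=${3:-/}; bad=0
    while :; do
        info=$(stat -c '%u %a' -- "$p") || return 2
        uid=${info% *}; mode=${info#* }
        if { [ "$uid" != "$owner" ] && [ "$uid" != 0 ]; } \
            || is_unsafe_mode "$mode"; then
            echo "unsafe: $p (uid=$uid mode=$mode)"
            bad=1
        fi
        if [ "$p" = "$stop" ] || [ "$p" = / ]; then
            break
        fi
        p=$(dirname -- "$p")
    done
    return "$bad"
}

# Stand-alone use: pass the command path as the first argument, e.g.
#   sh audit.sh /usr/bin/sss_ssh_authorizedkeys
if [ $# -gt 0 ]; then
    audit_path "$@"
fi
```

On the affected image the walk would end at / with mode 1777 and report it; after chmod 755 / it reports nothing for that component.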


@bgilbert bgilbert commented Feb 17, 2017

This should be fixed in the next alpha. Thanks for reporting.

@bgilbert bgilbert closed this Feb 17, 2017

@travisgroth travisgroth commented Feb 17, 2017

@bgilbert no problem. Thanks for getting it resolved so quickly.
