Root directory permissions too permissive on network boot image #1812

Closed
travisgroth opened this Issue Feb 16, 2017 · 2 comments

Comments

Projects
None yet
2 participants
@travisgroth

travisgroth commented Feb 16, 2017

Issue Report

Bug

Container Linux Version

NAME="Container Linux by CoreOS"
ID=coreos
VERSION=1313.0.0
VERSION_ID=1313.0.0
BUILD_ID=2017-02-03-0826
PRETTY_NAME="Container Linux by CoreOS 1313.0.0 (Ladybug)"
ANSI_COLOR="38;5;75"
HOME_URL="https://coreos.com/"
BUG_REPORT_URL="https://github.com/coreos/bugs/issues"

Environment

Any pxe/network boot environment (vmware, metal, etc).

Expected Behavior

Root file system top level directory should be 755.

Actual Behavior

Root filesystems permissions are tmpfs default (open with +t) on the network boot image:

coreos0 pam.d # ls -la /
total 0
drwxrwxrwt.  16 root root  400 Feb 16 05:00 .

This is (a) a potential security issue, even on ephemeral images and (b) causes sshd to abort running /usr/bin/sss_ssh_authorizedkeys due to the permissions:

debug3: subprocess: AuthorizedKeysCommand command "/usr/bin/sss_ssh_authorizedkeys tgroth" running as root
debug1: temporarily_use_uid: 0/0 (e=0/0)
Unsafe AuthorizedKeysCommand "/usr/bin/sss_ssh_authorizedkeys": bad ownership or modes for directory /

Reproduction Steps

  1. Configure sshd to look up authorized keys from sssd
  2. Observe debug information from sshd

Other Information

Doing a simple

chmod 755 / 

fixes sshd. When creating the tmpfs mount I believe you can specify the top level permissions with the mode flag (eg mode=755)

@bgilbert

This comment has been minimized.

Show comment
Hide comment
@bgilbert

bgilbert Feb 17, 2017

Member

This should be fixed in the next alpha. Thanks for reporting.

Member

bgilbert commented Feb 17, 2017

This should be fixed in the next alpha. Thanks for reporting.

@bgilbert bgilbert closed this Feb 17, 2017

@travisgroth

This comment has been minimized.

Show comment
Hide comment
@travisgroth

travisgroth Feb 17, 2017

@bgilbert no problem. Thanks for getting it resolved so quickly.

@bgilbert no problem. Thanks for getting it resolved so quickly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment