Change /boot/ignition/config.ign permissions to 0600 and delete it after provisioning

[xlejo]

In the ignition file sometimes contains secrets and the best option maybe for this is denied access to unauthorized users.
The only way to access has to be through sudo or with the root account.

[bgilbert]

Thanks for reporting this. coreos-installer change in coreos/coreos-installer#571.

[travier]

Given that we only leave the Ignition config in the coreos-installer case, maybe we should add a cleanup stage to Ignition / dracut to remove the config once Ignition has completed?

[jlebon]

Given that we only leave the Ignition config in the coreos-installer case, maybe we should add a cleanup stage to Ignition / dracut to remove the config once Ignition has completed?

Or we do this as part of https://github.com/coreos/ignition/blob/main/systemd/ignition-firstboot-complete.service. That's the source of truth for whether Ignition has completed, and it already has /boot rw. There's a related issue to have it moved to f-c-c: coreos/ignition#1125.

[jlebon]

This was discussed in today's meeting:

13:12:06 < bgilbert> #agreed we will change firstboot-complete to delete /boot/ignition/config.ign.
                     we will also add a systemd service that removes /boot/ignition/config.ign on
                     existing nodes, and ship that service until after the next barrier release.
                     in parallel, we will change coreos-installer to write
                     /boot/ignition/config.ign with mode 0600.

[jlebon]

Also

13:19:59 < bgilbert> #agreed we will post to coreos-status about /etc mode bits and config.ign
                     mode bits, timing to be determined

[bgilbert]

Actions:

• Change coreos-installer to write configs with restrictive permissions
  • install: restrict access permissions on /boot/ignition{,/config.ign} coreos-installer#571
• Move ignition-firstboot-complete.service to fedora-coreos-config and have it delete /boot/ignition after Ignition completes
  • 05core: add coreos-ignition-firstboot-complete.service fedora-coreos-config#1087
  • Remove ignition-firstboot-complete.service ignition#1245
  • Move coreos-ignition-firstboot-complete logic to separate script and make it delete /boot/ignition fedora-coreos-config#1089
• Move ignition-setup-user.service out of Ignition repo
  • 35coreos-ignition: move ignition-setup-user.service here fedora-coreos-config#1095
  • dracut: drop ignition-setup-user.service ignition#1248
  • More info: dracut: clean up /boot/ignition when done ignition#1246 (comment)
• Test that /boot/ignition is removed after Ignition completes
  • testiso: check that /boot/ignition was nuked coreos-assembler#2283
• Add and test temporary unit that removes /boot/ignition on existing nodes
  • overlay: remove /boot/ignition on upgrade if present fedora-coreos-config#1093
• Land updated Ignition package in FCOS
  • https://src.fedoraproject.org/rpms/ignition/pull-request/83
  • overrides: fast-track Ignition 2.11.0-2.fc34 fedora-coreos-config#1096
• Land updated Ignition package in RHCOS
• Land fedora-coreos-config updates in RHCOS
  • Bump fedora-coreos-config openshift/os#576
• Remove the temporary unit after the next barrier release on all streams
  • Drop coreos-cleanup-ignition-config.service after the next barrier release on all streams fedora-coreos-config#1094
• New upstream coreos-installer release; land in FCOS and RHCOS
• Post to coreos-status about recent permissions issues
  • Group writable files in /etc #829
  • Change /boot/ignition/config.ign permissions to 0600 and delete it after provisioning #889

[travier]

coreos-status text for #829: https://hackmd.io/0_DtZQLhSxCjzaszinudqg

[dustymabe]

Maybe include something in the text about the issue being resolved if you are following the latest updates etc.. and maybe mention what version the issue was fixed in.

[travier]

Updated to address comments

[dustymabe]

Updated to address comments

Looks mostly good to me. Maybe only add a little extra here highlighting "no action required":

New installations starting from version 34.20210611.3.0 (stable) and 34.20210611.2.0 (testing) and later are unaffected. If you have automatic updates enabled all existing systems have been automatically fixed on bootup after the update to those versions and no action is required.

Also, should we mention the next version too, since some percentage of people run that stream too.

[travier]

Thanks, updated. I've also merged all find commands into one which should make it easier but this should be double checked.

[travier]

See also coreos/fedora-coreos-config#1134

[bgilbert]

(Belatedly) added a description of this issue to the draft coreos-status post in https://hackmd.io/0_DtZQLhSxCjzaszinudqg.

[dustymabe]

The fix for this went into next stream release 34.20210711.1.1. Please try out the new release and report issues.

[dustymabe]

The fix for this went into testing stream release 34.20210711.2.0. Please try out the new release and report issues.

[dustymabe]

The fix for this went into stable stream release 34.20210711.3.0.

[xlejo]

Seems to work well. Tested with new instances and old instances updated. The /boot/ignition is gone.

For me, this issue is more than solved :)

[bgilbert]

This is now CVE-2021-3917.

[bgilbert]

coreos-status post sent!