Ensure /etc isn't writable by group #168

sjpb · 2024-06-05T15:11:45Z

munged checks on startup that the path to its key is secure.

Because Rocky-9-GenericCloud-Base-9.4-20240523.0.x86_64.qcow2 changed the permissions on /etc this image fails with:

munged: Error: Keyfile is insecure: group-writable permissions without sticky bit set on "/etc"

Permissions comparison:

# Rocky-9-GenericCloud-Base-9.3-20231113.0.x86_64.qcow2
[rocky@sb-rl9-3 ~]$ ls -ld /etc/
drwxr-xr-x. 93 root root 8192 Jun  5 14:54 /etc/

# Rocky-9-GenericCloud-Base-9.4-20240523.0.x86_64.qcow2
[rocky@sb-rl9-4 ~]$ ls -ld /etc/
drwxrwxr-x. 88 root root 8192 Jun  5 14:54 /etc/

m-bull

Seems fine, but it would be good to know why this changed in the image, just in case of unintended consequences later...

sjpb · 2024-06-05T15:43:00Z

@m-bull I've asked: https://forums.rockylinux.org/t/changed-permissions-on-etc-in-rl9-4-genericcloud-image/14449

ensure /etc isn't writable by group

85a045c

sjpb requested a review from a team as a code owner June 5, 2024 15:11

sjpb requested a review from m-bull June 5, 2024 15:37

m-bull approved these changes Jun 5, 2024

View reviewed changes

sjpb merged commit a599130 into master Jun 5, 2024

sjpb deleted the fix/RL9.4-etc-munge branch June 5, 2024 15:44

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Ensure /etc isn't writable by group #168

Ensure /etc isn't writable by group #168

Uh oh!

sjpb commented Jun 5, 2024

Uh oh!

m-bull left a comment

Uh oh!

sjpb commented Jun 5, 2024

Uh oh!

Uh oh!

Ensure /etc isn't writable by group #168

Ensure /etc isn't writable by group #168

Uh oh!

Conversation

sjpb commented Jun 5, 2024

Uh oh!

m-bull left a comment

Choose a reason for hiding this comment

Uh oh!

sjpb commented Jun 5, 2024

Uh oh!

Uh oh!