Bug 1294327

Summary: /root/.ssh has incorrect mode
Product: Red Hat Enterprise Linux 6
Reporter: Minfei Huang <mhuang>
Component: kexec-tools
Assignee: Minfei Huang <mhuang>
Status: CLOSED ERRATA
QA Contact: Xiaoli Li <xiaolli>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 6.8
CC: bhe, mhuang, qzhao, ruyang
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: kexec-tools-2.0.0-290.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-05-10 19:12:31 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Minfei Huang 2015-12-27 03:13:09 UTC
Description of problem:
/root/.ssh should be created with mode 700, but it has an incorrect mode in the 2nd kernel.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Minfei Huang 2015-12-29 07:54:38 UTC
(In reply to Minfei Huang from comment #0)
> Description of problem:
> /root/.ssh should create with mode 700. But it has incorrect mode in 2nd
> kernel.

The /root/.ssh directory in the initramfs may have a mode other than 700. Thus ssh may fail to dump the vmcore in the 2nd kernel.

> 
> Version-Release number of selected component (if applicable):
> 
> 
> How reproducible:

1. Configure kdump.conf to use ssh to dump the vmcore in the 2nd kernel
2. Extract /root/.ssh from the initramfs to check the mode

Thanks
Minfei

Comment 2 Qiao Zhao 2015-12-29 08:11:31 UTC
(In reply to Minfei Huang from comment #1)
> (In reply to Minfei Huang from comment #0)
> > Description of problem:
> > /root/.ssh should create with mode 700. But it has incorrect mode in 2nd
> > kernel.
> 
> The directory of /root/.ssh which is in initramfs may have different mode
> with 700. Thus ssh may fail to dump vmcore in 2nd kernel.
> 
> > 
> > Version-Release number of selected component (if applicable):
> > 
> > 
> > How reproducible:
> 
> 1. configure the kdump.conf to use ssh to dump vmcore in 2nd kernel
> 2. extract the /root/.ssh in initramfs to check the mode
> 
> Thanks
> Minfei

Hi Minfei,

I configured kdump.conf, restarted the kdump service, and checked the initramfs:
# lsinitrd /boot/initrd-2.6.32-573.el6.x86_64kdump.img | grep ssh
drwxr-xr-x   2 root     root            0 Dec 29 16:03 etc/ssh
-rw-r--r--   1 root     root         2047 May  4  2015 etc/ssh/ssh_config
drwxr-xr-x   2 root     root            0 Dec 29 16:03 root/.ssh
-rw-------   1 root     root         1675 Dec 29 16:02 root/.ssh/kdump_id_rsa
-rw-r--r--   1 root     root          393 Dec 29 16:02 root/.ssh/known_hosts
-rwxr-xr-x   1 root     root       446728 Dec 29 16:03 usr/bin/ssh

I found that the mode of the root/.ssh directory is "drwxr-xr-x   2 root     root            0 Dec 29 16:03 root/.ssh" (755)

On a normal system, the /root/.ssh directory mode is "drwx------.  2 root root  4096 Dec 29 16:02 .ssh" (700)

I still didn't get your point.

--
Thanks,
Qiao

Comment 3 Qiao Zhao 2015-12-29 08:13:32 UTC
(In reply to Qiao Zhao from comment #2)
> (In reply to Minfei Huang from comment #1)
> > (In reply to Minfei Huang from comment #0)
> > > Description of problem:
> > > /root/.ssh should create with mode 700. But it has incorrect mode in 2nd
> > > kernel.
> > 
> > The directory of /root/.ssh which is in initramfs may have different mode
> > with 700. Thus ssh may fail to dump vmcore in 2nd kernel.
> > 
> > > 
> > > Version-Release number of selected component (if applicable):
> > > 
> > > 
> > > How reproducible:
> > 
> > 1. configure the kdump.conf to use ssh to dump vmcore in 2nd kernel
> > 2. extract the /root/.ssh in initramfs to check the mode
> > 
> > Thanks
> > Minfei
> 
> Hi Minfei,
> 
> I config kdump.conf and restart kdump service, and check initramfs,
> # lsinitrd /boot/initrd-2.6.32-573.el6.x86_64kdump.img | grep ssh
> drwxr-xr-x   2 root     root            0 Dec 29 16:03 etc/ssh
> -rw-r--r--   1 root     root         2047 May  4  2015 etc/ssh/ssh_config
> drwxr-xr-x   2 root     root            0 Dec 29 16:03 root/.ssh
> -rw-------   1 root     root         1675 Dec 29 16:02 root/.ssh/kdump_id_rsa
> -rw-r--r--   1 root     root          393 Dec 29 16:02 root/.ssh/known_hosts
> -rwxr-xr-x   1 root     root       446728 Dec 29 16:03 usr/bin/ssh
> 
> I got the directory root/.ssh mode is "drwxr-xr-x   2 root     root         
> 0 Dec 29 16:03 root/.ssh" (755)
> 
> In normal system, /root/.ssh directory mode is "drwx------.  2 root root 
> 4096 Dec 29 16:02 .ssh" (700)
> 
> I still didn't get your point.

You mean it gets a different mode in the 2nd kernel? But it doesn't affect the kdump result.

> 
> --
> Thanks,
> Qiao

Comment 4 Minfei Huang 2015-12-29 08:31:38 UTC
(In reply to Qiao Zhao from comment #2)
> Hi Minfei,
> 
> I config kdump.conf and restart kdump service, and check initramfs,
> # lsinitrd /boot/initrd-2.6.32-573.el6.x86_64kdump.img | grep ssh
> drwxr-xr-x   2 root     root            0 Dec 29 16:03 etc/ssh
> -rw-r--r--   1 root     root         2047 May  4  2015 etc/ssh/ssh_config
> drwxr-xr-x   2 root     root            0 Dec 29 16:03 root/.ssh
> -rw-------   1 root     root         1675 Dec 29 16:02 root/.ssh/kdump_id_rsa
> -rw-r--r--   1 root     root          393 Dec 29 16:02 root/.ssh/known_hosts
> -rwxr-xr-x   1 root     root       446728 Dec 29 16:03 usr/bin/ssh
> 
> I got the directory root/.ssh mode is "drwxr-xr-x   2 root     root         
> 0 Dec 29 16:03 root/.ssh" (755)
> 
> In normal system, /root/.ssh directory mode is "drwx------.  2 root root 
> 4096 Dec 29 16:02 .ssh" (700)

Yes. The ssh directory's mode should be 700, since it is a security directory that cannot be accessed by other users.

drwx------.  2 mhuang mhuang   4096 Nov 24 10:21 .ssh

> 
> I still didn't get your point.

We should guarantee the ssh's mode to make it safe.

Thanks
Minfei
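
The check from the reproduction steps (inspect the mode of root/.ssh inside the kdump initramfs), as an added example that is not part of the bug thread or of kexec-tools: a shell function that scans an lsinitrd-style listing for an .ssh directory or private key with any group/other permission bits. The embedded listing is the one quoted in comment 2; the function names and the rule that a file in .ssh whose name contains "id_" and does not end in ".pub" is a private key are assumptions.

```shell
#!/bin/sh
# Added example: audit an lsinitrd-style listing for loose SSH permissions.

# Listing quoted in comment 2 of this thread, embedded so the check runs offline.
sample_listing() {
cat <<'EOF'
drwxr-xr-x   2 root     root            0 Dec 29 16:03 etc/ssh
-rw-r--r--   1 root     root         2047 May  4  2015 etc/ssh/ssh_config
drwxr-xr-x   2 root     root            0 Dec 29 16:03 root/.ssh
-rw-------   1 root     root         1675 Dec 29 16:02 root/.ssh/kdump_id_rsa
-rw-r--r--   1 root     root          393 Dec 29 16:02 root/.ssh/known_hosts
-rwxr-xr-x   1 root     root       446728 Dec 29 16:03 usr/bin/ssh
EOF
}

# Reads a listing on stdin, prints one line per finding,
# and returns 1 if anything was found (0 otherwise).
check_ssh_modes() {
    awk '
    {
        n = split($NF, part, "/")       # path is the last field
        gobits = substr($1, 5, 6)       # group + other permission bits
        is_dir = ($1 ~ /^d/ && part[n] == ".ssh")
        # Assumption: a regular file directly inside .ssh whose name
        # contains "id_" and does not end in ".pub" is a private key.
        is_key = ($1 ~ /^-/ && n > 1 && part[n-1] == ".ssh" &&
                  part[n] ~ /id_/ && part[n] !~ /\.pub$/)
        # Directory must be 700 and private keys 600: no group/other bits.
        if (is_dir && gobits != "------") { print "BAD_DIR " $1 " " $NF; bad = 1 }
        if (is_key && gobits != "------") { print "BAD_KEY " $1 " " $NF; bad = 1 }
    }
    END { exit (bad ? 1 : 0) }'
}

# Demo on the embedded sample: the 755 root/.ssh directory is reported.
sample_listing | check_ssh_modes || echo "loose SSH permissions found in listing"
```

Against a real image, pipe the output of `lsinitrd` for the kdump initrd into `check_ssh_modes`.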

Comment 5 Qiao Zhao 2015-12-29 08:40:06 UTC
(In reply to Minfei Huang from comment #4)
> (In reply to Qiao Zhao from comment #2)
> > Hi Minfei,
> > 
> > I config kdump.conf and restart kdump service, and check initramfs,
> > # lsinitrd /boot/initrd-2.6.32-573.el6.x86_64kdump.img | grep ssh
> > drwxr-xr-x   2 root     root            0 Dec 29 16:03 etc/ssh
> > -rw-r--r--   1 root     root         2047 May  4  2015 etc/ssh/ssh_config
> > drwxr-xr-x   2 root     root            0 Dec 29 16:03 root/.ssh
> > -rw-------   1 root     root         1675 Dec 29 16:02 root/.ssh/kdump_id_rsa
> > -rw-r--r--   1 root     root          393 Dec 29 16:02 root/.ssh/known_hosts
> > -rwxr-xr-x   1 root     root       446728 Dec 29 16:03 usr/bin/ssh
> > 
> > I got the directory root/.ssh mode is "drwxr-xr-x   2 root     root         
> > 0 Dec 29 16:03 root/.ssh" (755)
> > 
> > In normal system, /root/.ssh directory mode is "drwx------.  2 root root 
> > 4096 Dec 29 16:02 .ssh" (700)
> 
> Yes. The ssh directory's mode should be 700, since it is a security
> directory that it  cannot be accessed by other users.
> 
> drwx------.  2 mhuang mhuang   4096 Nov 24 10:21 .ssh
> 
> > 
> > I still didn't get your point.
> 
> We should guarantee the ssh's mode to make it safe.

OK, got it. I didn't notice this problem; I just thought the 2nd kernel ends soon.

set qa_ack+

> 
> Thanks
> Minfei

Comment 9 errata-xmlrpc 2016-05-10 19:12:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0734.html