Bug 1956739
Summary: | Permission for authorized_keys for core user changes from core user to root when changed the pull secret | ||
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Praveen Kumar <prkumar> |
Component: | Machine Config Operator | Assignee: | mkenigsb |
Machine Config Operator sub component: | Machine Config Operator | QA Contact: | Sergio <sregidor> |
Status: | CLOSED ERRATA | Docs Contact: | |
Severity: | high | ||
Priority: | unspecified | CC: | aos-bugs, cfergeau, mkenigsb, mkrejci, rioliu, skumari |
Version: | 4.8 | ||
Target Milestone: | --- | ||
Target Release: | 4.10.0 | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: |
* Before this update, when you used the Machine Config Operator (MCO) to create or update an SSH key, it set the owner and group of the `authorized_keys` file to `root`. This update resolves the issue. When the MCO creates or updates the `authorized_keys` file, it correctly sets or preserves `core` as the owner and group of the file. (link:https://bugzilla.redhat.com/show_bug.cgi?id=1956739[BZ#1956739])
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2022-03-10 16:03:38 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Praveen Kumar
2021-05-04 10:33:52 UTC
This problem is reproducible with any type of MachineConifg you apply. Need to look further whether this is some recent regression or has been there for a while. Checked with 4.7.0-0.nightly-2021-05-01-081439 nightly and seeing same behavior. After looking at code https://github.com/openshift/machine-config-operator/blob/master/pkg/daemon/update.go#L1696 , it seems MCO is writing authorize_key file with defaults value. As a result, original file permission is getting updated. Instead of setting default file permission and ownership, it should first fetch authorized_keys(if exists) and then write the file. This is good to fix asap but shouldn't be a release blocker. Fwiw, using `root.root` as the default permissions for /home/core/.ssh/authorized_keys seems unexpected? I'd expect files in /home/core to be owned by `core.core` by default. Or is this some kind of protection to try to prevent users from modifying this file directly? Verified using image registry.ci.openshift.org/ocp/release:4.10.0-0.nightly-2021-10-30-025206 Before updating the pull-secret sh-4.4# ls -alrth /home/core/.ssh/authorized_keys -rw-------. 1 core core 405 Nov 3 10:13 /home/core/.ssh/authorized_keys After updating the pull-secret sh-4.4# ls -larth /home/core/.ssh/authorized_keys -rw-------. 1 core core 405 Nov 3 11:31 /home/core/.ssh/authorized_keys The authorized keys had the right user and permissions. Moved to VERIFIED status. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:0056 |