Bug 1956739

Summary: Permission for authorized_keys for core user changes from core user to root when changed the pull secret
Product: OpenShift Container Platform Reporter: Praveen Kumar <prkumar>
Component: Machine Config OperatorAssignee: mkenigsb
Machine Config Operator sub component: Machine Config Operator QA Contact: Sergio <sregidor>
Status: CLOSED ERRATA Docs Contact:
Severity: high    
Priority: unspecified CC: aos-bugs, cfergeau, mkenigsb, mkrejci, rioliu, skumari
Version: 4.8   
Target Milestone: ---   
Target Release: 4.10.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
* Before this update, when you used the Machine Config Operator (MCO) to create or update an SSH key, it set the owner and group of the `authorized_keys` file to `root`. This update resolves the issue. When the MCO creates or updates the `authorized_keys` file, it correctly sets or preserves `core` as the owner and group of the file. (link:https://bugzilla.redhat.com/show_bug.cgi?id=1956739[BZ#1956739])
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-03-10 16:03:38 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Praveen Kumar 2021-05-04 10:33:52 UTC 
Description of problem:
I am testing the single node cluster on aws and as soon as I am making changes in the pull secret for openshiftt-config namespace, looks like the permission for authorized_keys for core user changes from core user to root 

Version-Release number of selected component (if applicable):
4.8.0-0.nightly-2021-04-30-201824


How reproducible:
```
$ oc get nodes
NAME                           STATUS   ROLES           AGE    VERSION
ip-10-0-161-106.ec2.internal   Ready    master,worker   154m   v1.21.0-rc.0+aa1dc1f
$ oc debug node/ip-10-0-161-106.ec2.internal
sh-4.4# ls -l /home/core/.ssh/
total 4
-rw-------. 1 core core 725 May  4 05:43 authorized_keys
$ cat p.yaml 
apiVersion: v1
data:
  .dockerconfigjson: e30K
kind: Secret
metadata:
  name: pull-secret
  namespace: openshift-config
type: kubernetes.io/dockerconfigjson

$ oc replace -f p.yaml

$ oc get mc
NAME                                               GENERATEDBYCONTROLLER                      IGNITIONVERSION   AGE
00-master                                          8bd0dd547059e9a5cbb43d2f58b40e6bece6c72f   3.2.0             3h18m
00-worker                                          8bd0dd547059e9a5cbb43d2f58b40e6bece6c72f   3.2.0             3h18m
01-master-container-runtime                        8bd0dd547059e9a5cbb43d2f58b40e6bece6c72f   3.2.0             3h18m
01-master-kubelet                                  8bd0dd547059e9a5cbb43d2f58b40e6bece6c72f   3.2.0             3h18m
01-worker-container-runtime                        8bd0dd547059e9a5cbb43d2f58b40e6bece6c72f   3.2.0             3h18m
01-worker-kubelet                                  8bd0dd547059e9a5cbb43d2f58b40e6bece6c72f   3.2.0             3h18m
99-master-generated-registries                     8bd0dd547059e9a5cbb43d2f58b40e6bece6c72f   3.2.0             3h18m
99-master-ssh                                                                                 3.2.0             3h27m
99-worker-generated-registries                     8bd0dd547059e9a5cbb43d2f58b40e6bece6c72f   3.2.0             3h18m
99-worker-ssh                                                                                 3.2.0             3h27m
rendered-master-5914224a56f3aa38bfbe78784bdb13cc   8bd0dd547059e9a5cbb43d2f58b40e6bece6c72f   3.2.0             3h18m
rendered-master-fa59496966475b73bfc3b3e23f72b6ea   8bd0dd547059e9a5cbb43d2f58b40e6bece6c72f   3.2.0             18s
rendered-worker-5a4c0b565e51045a8d8c8269d0fd8189   8bd0dd547059e9a5cbb43d2f58b40e6bece6c72f   3.2.0             18s
rendered-worker-fc49c662c5086568ed7c5e5743484ee1   8bd0dd547059e9a5cbb43d2f58b40e6bece6c72f   3.2.0             3h18m
$ oc debug node/ip-10-0-161-106.ec2.internal
sh-4.4# ls -l /home/core/.ssh/
total 4
-rw-r--r--. 1 root root 726 May  4 09:09 authorized_keys
```

Actual results:
Permission for `authorized_keys` changed to `root` from `core` user.


Expected results:
Permission should be same as before (for core user)
Comment 1 Sinny Kumari 2021-05-04 13:33:47 UTC 
This problem is reproducible with any type of MachineConifg you apply. Need to look further whether this is some recent regression or has been there for a while.
Comment 2 Sinny Kumari 2021-05-04 14:48:34 UTC 
Checked with 4.7.0-0.nightly-2021-05-01-081439 nightly and seeing same behavior.
Comment 3 Sinny Kumari 2021-05-04 15:11:44 UTC 
After looking at code https://github.com/openshift/machine-config-operator/blob/master/pkg/daemon/update.go#L1696 , it seems MCO is writing authorize_key file with defaults value. As a result, original file permission is getting updated.

Instead of setting default file permission and ownership, it should first fetch authorized_keys(if exists) and then write the file.

This is good to fix asap but shouldn't be a release blocker.
Comment 4 Christophe Fergeau 2021-06-21 09:06:25 UTC 
Fwiw, using `root.root` as the default permissions for /home/core/.ssh/authorized_keys seems unexpected? I'd expect files in /home/core to be owned by `core.core` by default. Or is this some kind of protection to try to prevent users from modifying this file directly?
Comment 8 Sergio 2021-11-03 11:34:32 UTC 
Verified using image registry.ci.openshift.org/ocp/release:4.10.0-0.nightly-2021-10-30-025206

Before updating the pull-secret

sh-4.4# ls -alrth /home/core/.ssh/authorized_keys 
-rw-------. 1 core core 405 Nov  3 10:13 /home/core/.ssh/authorized_keys

After updating the pull-secret

sh-4.4# ls -larth /home/core/.ssh/authorized_keys 
-rw-------. 1 core core 405 Nov  3 11:31 /home/core/.ssh/authorized_keys


The authorized keys had the right user and permissions.

Moved to VERIFIED status.
Comment 13 errata-xmlrpc 2022-03-10 16:03:38 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056