Bug 2104595

Summary: openssh: the "ssh_keys" group should have a static GID
Product: Fedora
Reporter: Luca BRUNO <lucab>
Component: openssh
Assignee: Dmitry Belyavskiy <dbelyavs>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 36
CC: crypto-team, dbelyavs, dwalsh, jjelen, lkundrak, mattias.ellert, tm, travier
Keywords: Triaged
Hardware: All
OS: Linux
Fixed In Version: openssh-8.8p1-3.fc37
Doc Type: If docs needed, set a value
Last Closed: 2022-08-08 09:25:16 UTC
Type: Bug

Description Luca BRUNO 2022-07-06 16:33:12 UTC
The "openssh" package is currently shipping a binary at "/usr/libexec/openssh/ssh-keysign" which is owned by the "ssh_keys" group:
```
$ stat /usr/libexec/openssh/ssh-keysign
  File: /usr/libexec/openssh/ssh-keysign
  Size: 334248          Blocks: 656        IO Block: 4096   regular file
Access: (2555/-r-xr-sr-x)  Uid: (    0/    root)   Gid: (  999/ssh_keys)
```

However, the specfile does create the "ssh_keys" group with a dynamic group ID at install time:
```
%pre
getent group ssh_keys >/dev/null || groupadd -r ssh_keys || :
```

This means that across different installs/composes the numeric GID of the file may vary arbitrarily (in the example above it got "999").

This poses a problem from the point of view of OS content reproducibility.
It also causes issues for systems doing out-of-band composes (e.g. ostree or other image-based technologies).

For these reasons, it would be better to get a static GID allocated for the "ssh_keys" group in Fedora.
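The following is an added example, not part of the bug report or the openssh package: it emulates the `%pre` scriptlet above against constructed `/etc/group`-style files, so the dynamic allocation the reporter describes can be compared with the soft-static pattern from the Fedora guidelines without needing root. The GID 4242, the `localgrp` group and the file contents are placeholders I constructed; the real number comes from the FPC ticket.

```shell
#!/bin/sh
# Added example, not from the bug report or the openssh package. It emulates the
# openssh %pre scriptlet against constructed /etc/group-style files so dynamic and
# soft-static GID allocation can be compared without root. GID 4242 is a placeholder
# for the number the FPC ticket allocates.

# Stand-in for "getent group NAME": print the GID, return 1 if the group is absent.
group_gid() {
    awk -F: -v name="$2" '$1 == name { print $3; found = 1 } END { exit !found }' "$1"
}

# Reverse lookup: which group, if any, already owns a numeric GID.
gid_owner() {
    awk -F: -v gid="$2" '$3 == gid { print $1; found = 1 } END { exit !found }' "$1"
}

# Print the groupadd call the scriptlet would run, following the soft-static pattern
# from the Fedora packaging guidelines: keep an existing group untouched, take the
# reserved GID when it is free, otherwise fall back to a dynamic system GID.
ensure_group_cmd() {
    file=$1; name=$2; gid=$3
    if group_gid "$file" "$name" >/dev/null; then
        # An install that already got a dynamic GID keeps it: the static allocation
        # only makes fresh installs reproducible.
        echo "noop: $name already exists with GID $(group_gid "$file" "$name")"
    elif owner=$(gid_owner "$file" "$gid"); then
        echo "groupadd -r $name  # GID $gid taken by $owner, dynamic fallback"
    else
        echo "groupadd -f -g $gid -r $name"
    fi
}

# Reproducibility check: does NAME resolve to the GID baked into the image's files?
gid_is_static() {
    [ "$(group_gid "$1" "$2")" = "$3" ]
}

# Constructed group databases for three kinds of host.
GROUPS_DYNAMIC=$(mktemp); printf 'root:x:0:\nsshd:x:74:\nssh_keys:x:999:\n' > "$GROUPS_DYNAMIC"
GROUPS_FRESH=$(mktemp);   printf 'root:x:0:\nsshd:x:74:\n' > "$GROUPS_FRESH"
GROUPS_TAKEN=$(mktemp);   printf 'root:x:0:\nlocalgrp:x:4242:\n' > "$GROUPS_TAKEN"
trap 'rm -f "$GROUPS_DYNAMIC" "$GROUPS_FRESH" "$GROUPS_TAKEN"' EXIT

for db in "$GROUPS_DYNAMIC" "$GROUPS_FRESH" "$GROUPS_TAKEN"; do
    ensure_group_cmd "$db" ssh_keys 4242
done
gid_is_static "$GROUPS_DYNAMIC" ssh_keys 4242 || echo "ssh_keys GID on this host differs from the reserved one"
```

The "noop" branch is the part that matters for existing hosts: the scriptlet never touches a group that is already present, so hosts that received a dynamic GID before the change keep it and still disagree with freshly composed images.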

Comment 1 Luca BRUNO 2022-07-11 08:34:38 UTC
As I didn't hear any positive/negative feedback here, I went ahead and formally brought this to the attention of FPC with a static GID request as described in https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/#_soft_static_allocation.

The static GID request ticket for the "ssh_keys" group is at https://pagure.io/packaging-committee/issue/1188.

Comment 2 Dmitry Belyavskiy 2022-07-14 08:53:55 UTC
What should be done from my side? I agree it's a good idea.

Comment 3 Luca BRUNO 2022-07-14 12:05:59 UTC
Nothing for the moment. Once the GID allocation is confirmed and the exact number confirmed, the specfile will need to be updated to start using that in the `groupadd` call.

Comment 4 Fedora Update System 2022-08-08 09:21:34 UTC
FEDORA-2022-c2a1a8c16b has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-c2a1a8c16b

Comment 5 Fedora Update System 2022-08-08 09:25:16 UTC
FEDORA-2022-c2a1a8c16b has been pushed to the Fedora 37 stable repository.
If the problem still persists, please make note of it in this bug report.