Bug 2182948

Summary: Request to backport "Don't change permissions of netrules target (#2076)" on RHEL9
Product: Red Hat Enterprise Linux 9 Reporter: YongkuiGuo <yoguo>
Component: cloud-init Assignee: Emanuele Giuseppe Esposito <eesposit>
Status: CLOSED ERRATA QA Contact: Huijuan Zhao <huzhao>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 9.3 CC: andavis, anisinha, bdas, eesposit, eterrell, huzhao, jgreguske, virt-bugs, virt-maint, xiachen, xiliang, yacao
Target Milestone: rc Keywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: cloud-init-23.1.1-3.el9 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 2182947 Environment:
Last Closed: 2023-11-07 08:28:38 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2182947    
Bug Blocks:    

Description YongkuiGuo 2023-03-30 02:22:56 UTC
+++ This bug was initially created as a clone of Bug #2182947 +++

Description of problem:
When linking the '/etc/udev/rules.d/70-persistent-net.rules' file to /dev/null to disable this udev rule, cloud-init still tries to write this file and modify its permissions, which causes the permissions of /dev/null to change from 666 to 644. In this case, non-root users will have no write permission to /dev/null.


This issue has been resolved upstream. The commit summary is below:
------------------------------
commit 56c88cafd1b3606e814069a79f4ec265fc427c87
Author: James Falcon <james.falcon>
Date:   Thu Mar 23 10:21:56 2023 -0500

    Don't change permissions of netrules target (#2076)
   
    Set permissions if file doesn't exist. Leave them if it does.
 
    LP: #2011783
    Co-authored-by: Chad Smith <chad.smith>
--------------------------------


Version-Release number of selected components (if applicable):
cloud-init-22.1-8.el8.noarch


How reproducible:
100%


Steps to Reproduce:
1. Create an instance with RHEL-8.8 guest image on PSI OpenStack env
2. Create the symbolic link file as follows
# ln -sf /dev/null /etc/udev/rules.d/70-persistent-net.rules
# ll /etc/udev/rules.d/
total 0
lrwxrwxrwx. 1 root root 9 Mar 29 05:32 70-persistent-net.rules -> /dev/null
3. Rerun cloud-init
# cloud-init clean
# reboot
4. Login to the instance and check the mode of /dev/null
# ll /dev/null
crw-r--r--. 1 root root 1, 3 Mar 29 05:33 /dev/null
The mode bits have been changed from 666 to 644, and non-root users will hit the "/dev/null: Permission denied" error.
5. Check the cloud-init log
# cat /var/log/cloud-init.log
...
util.py[DEBUG]: Writing to /etc/udev/rules.d/70-persistent-net.rules - wb: [644] 96 bytes


Actual results:
As above

Expected results:
Backport the upstream patch to fix this issue

Additional info:
This issue also exists in RHEL9.
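
Added example (not part of the original report and not cloud-init's own code): a Python sketch of why an unconditional chmod after writing through a symlink changes the link target's mode, next to the behaviour the commit summary describes (set permissions only if the file doesn't exist). The function names are hypothetical, and a temporary regular file stands in for /dev/null so the demo runs unprivileged; dev_null_ok() is the same check as step 4.

```python
import os
import stat
import tempfile

def write_always_chmod(path, data, mode=0o644):
    # Pre-fix pattern: chmod after every write. os.chmod follows symlinks,
    # so a link to /dev/null gets the device node's mode changed.
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, mode)

def write_preserve_mode(path, data, mode=0o644):
    # Pattern from the commit summary: set permissions only if the file
    # did not exist before the write; otherwise leave them alone.
    existed = os.path.exists(path)  # follows symlinks, like open() does
    with open(path, "wb") as f:
        f.write(data)
    if not existed:
        os.chmod(path, mode)

def mode_of(path):
    return stat.S_IMODE(os.stat(path).st_mode)

def dev_null_ok(path="/dev/null"):
    # Health check matching step 4: character device with mode 666.
    st = os.stat(path)
    return stat.S_ISCHR(st.st_mode) and stat.S_IMODE(st.st_mode) == 0o666

def demo():
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, writer in (("always_chmod", write_always_chmod),
                             ("preserve_mode", write_preserve_mode)):
            target = os.path.join(d, name + ".target")  # stand-in for /dev/null
            link = os.path.join(d, name + ".rules")     # stand-in for the rules file
            open(target, "wb").close()
            os.chmod(target, 0o666)
            os.symlink(target, link)
            writer(link, b"# constructed sample rule\n")
            results[name] = mode_of(target)
        fresh = os.path.join(d, "fresh.rules")          # no pre-existing file
        write_preserve_mode(fresh, b"# constructed sample rule\n")
        results["fresh"] = mode_of(fresh)
    return results

if __name__ == "__main__":
    for name, mode in demo().items():
        print(f"{name}: {mode:o}")
    print("/dev/null healthy:", dev_null_ok())
```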

Comment 6 Huijuan Zhao 2023-05-04 06:07:50 UTC
Moving to VERIFIED per comment 3

Comment 8 errata-xmlrpc 2023-11-07 08:28:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: cloud-init security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:6371