Red Hat Bugzilla – Bug 1260801
virt-builder --ssh-inject doesn't set proper permissions on created files
Last modified: 2016-11-03 13:54:43 EDT
NOTE: Does NOT affect RHEL 7.2. Cloning the bug just so we check that the patch is included in RHEL 7.3 (assuming we do the rebase).

+++ This bug was initially created as a clone of Bug #1260778 +++

Description of problem:
When using virt-builder --ssh-inject, the permissions of ~/.ssh and ~/.ssh/authorized_keys are not set appropriately.

Version-Release number of selected component (if applicable):
Checked in latest available Fedora non-testing version (libguestfs-tools-c-1.30.0-1.fc22.x86_64)

How reproducible:
Hmmm. 100% it seems.

Steps to Reproduce:
1. virt-builder <TEMPLATE> --ssh-inject root
2. Import image with virt-install or use guestfish/guestmount to pull up rootfs
3. Execute: ls -la /root/.ssh

Actual results:
total 4
drwxr-xr-x. 2 root root 28 Sep 7 13:04 .
dr-xr-x---. 3 root root 97 Sep 7 13:04 ..
-rw-r--r--. 1 root root 397 Sep 7 13:04 authorized_keys

Expected results:
total 4
drwx------. 2 root root 28 Sep 7 13:04 .
dr-xr-x---. 3 root root 97 Sep 7 13:04 ..
-rw-------. 1 root root 397 Sep 7 13:04 authorized_keys

--- Additional comment from Ryan Sawhill on 2015-09-07 14:05:47 EDT ---

When the ssh-copy-id command creates ~/.ssh and ~/.ssh/authorized_keys it sets the perms to 0700 and 0600, respectively. That said, in my email correspondence, I was wrong to suggest that --ssh-inject was failing for me because of this. Turns out it was a quirk of my current setup with ssh-agent and too many keys. I still think it would be a good idea to set the same perms that ssh-copy-id does, but not that big of a deal I guess.

--- Additional comment from Richard W.M. Jones on 2015-09-07 16:43:13 EDT ---

I looked at ssh-copy-id and ssh and both are creating ~/.ssh with mode 0700, so that looks like the right thing to do.

--- Additional comment from Richard W.M. Jones on 2015-09-07 17:17:21 EDT ---

Patch posted: https://www.redhat.com/archives/libguestfs/2015-September/msg00021.html
This has been fixed with https://github.com/libguestfs/libguestfs/commit/5ed4388ecd5fdb7639622ee4fba317c276547257 which is in libguestfs >= 1.31.5. The rebase (bug #1218766) will pick this bug fix (and the feature too, actually :) ) as well.
Verified with the packages:
libguestfs-1.32.5-6.el7.x86_64

Verify steps:
1. Build a Fedora guest image and inject your public key and a string to the guest:
# virt-builder fedora-23 --arch i686 -o fedora-23.img --ssh-inject root:file:/root/.ssh/id_rsa.pub --ssh-inject root:string:"ssh-rsa AAtesttesttest"
Command finished successfully and there should be an image: fedora-23.img2.

2. Check the permission:
# guestfish -a tmp.qcow2 -i ll /root/.ssh/
drwx------ 2 root root 28 Jun 21 09:14 .
dr-xr-x---. 5 root root 4096 Jun 21 09:14 ..
-rw------- 1 root root 402 Jun 21 09:14 authorized_keys

The permission of .ssh is 0700 and authorized_keys is 0600. So verified.
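The permission check from the verify steps can be scripted against a guest filesystem mounted on the host (for example with guestmount). This is an added example, not part of the bug report or of libguestfs; the function names are hypothetical and it assumes GNU coreutils stat.

```shell
#!/bin/sh
# Added example: audit the modes of .ssh and authorized_keys under a home
# directory, e.g. <mountpoint>/root of a guest mounted with guestmount.
# Assumption: GNU coreutils `stat -c '%a'` is available.

# check_mode PATH EXPECTED: 0 if the mode matches, 1 if it differs, 2 if missing
check_mode() {
    path=$1 expected=$2
    [ -e "$path" ] || { echo "MISSING $path"; return 2; }
    actual=$(stat -c '%a' "$path")
    if [ "$actual" = "$expected" ]; then
        echo "OK      $path ($actual)"
    else
        echo "BAD     $path (mode $actual, want $expected)"
        return 1
    fi
}

# audit_ssh_dir HOME_DIR: 0 only if .ssh is 700 and authorized_keys is 600,
# the modes the report expects (the same ones ssh-copy-id sets).
audit_ssh_dir() {
    home=$1 rc=0
    check_mode "$home/.ssh" 700 || rc=1
    check_mode "$home/.ssh/authorized_keys" 600 || rc=1
    return $rc
}

# fix_ssh_dir HOME_DIR: apply the expected modes to an image built by an
# unfixed virt-builder.
fix_ssh_dir() {
    chmod 700 "$1/.ssh" && chmod 600 "$1/.ssh/authorized_keys"
}

# Constructed sample: a temp dir with the modes from "Actual results"
# (0755 on .ssh, 0644 on authorized_keys). Prints the directory name.
make_sample() {
    d=$(mktemp -d) && mkdir -m 755 "$d/.ssh" &&
    : > "$d/.ssh/authorized_keys" && chmod 644 "$d/.ssh/authorized_keys" &&
    echo "$d"
}

# Stand-alone use: ./audit.sh /mnt/guest/root
if [ "$#" -gt 0 ]; then
    audit_ssh_dir "$1"
fi
```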
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2016-2576.html