Bug 1260801 - virt-builder --ssh-inject doesn't set proper permissions on created files
Summary: virt-builder --ssh-inject doesn't set proper permissions on created files
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libguestfs
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Richard W.M. Jones
QA Contact: Virtualization Bugs
Depends On: 1218766 1260778
Blocks: 1288337 1301891
Reported: 2015-09-07 21:21 UTC by Richard W.M. Jones
Modified: 2016-11-03 17:54 UTC

Fixed In Version: libguestfs-1.32.0-2.el7
Doc Type: Bug Fix
Doc Text:
Clone Of: 1260778
Last Closed: 2016-11-03 17:54:43 UTC


External tracker:
  System: Red Hat Product Errata
  ID: RHSA-2016:2576
  Priority: normal
  Status: SHIPPED_LIVE
  Summary: Moderate: libguestfs and virt-p2v security, bug fix, and enhancement update
  Last Updated: 2016-11-03 12:06:51 UTC

Description Richard W.M. Jones 2015-09-07 21:21:32 UTC
NOTE: Does NOT affect RHEL 7.2.  Cloning the bug just so we
check that the patch is included in RHEL 7.3 (assuming we
do the rebase).

+++ This bug was initially created as a clone of Bug #1260778 +++

Description of problem:

  When using virt-builder --ssh-inject, the permissions of ~/.ssh and ~/.ssh/authorized_keys are not set appropriately.

Version-Release number of selected component (if applicable):

  Checked in latest available Fedora non-testing version

How reproducible:

  Hmmm. 100% it seems.

Steps to Reproduce:

  1. virt-builder <TEMPLATE> --ssh-inject root
  2. Import image with virt-install or use guestfish/guestmount to pull up rootfs
  3. Execute: ls -la /root/.ssh

Actual results:

  total 4
  drwxr-xr-x. 2 root root  28 Sep  7 13:04 .
  dr-xr-x---. 3 root root  97 Sep  7 13:04 ..
  -rw-r--r--. 1 root root 397 Sep  7 13:04 authorized_keys

Expected results:

  total 4
  drwx------. 2 root root  28 Sep  7 13:04 .
  dr-xr-x---. 3 root root  97 Sep  7 13:04 ..
  -rw-------. 1 root root 397 Sep  7 13:04 authorized_keys

--- Additional comment from Ryan Sawhill on 2015-09-07 14:05:47 EDT ---

When the ssh-copy-id command creates ~/.ssh and ~/.ssh/authorized_keys it sets the perms to 0700 and 0600, respectively.

That said, in my email correspondence, I was wrong to suggest that --ssh-inject was failing for me because of this. Turns out it was a quirk of my current setup with ssh-agent and too many keys.

I still think it would be a good idea to set the same perms that ssh-copy-id does, but not that big of a deal I guess.

--- Additional comment from Richard W.M. Jones on 2015-09-07 16:43:13 EDT ---

I looked at ssh-copy-id and ssh and both are creating ~/.ssh with
mode 0700, so that looks like the right thing to do.

--- Additional comment from Richard W.M. Jones on 2015-09-07 17:17:21 EDT ---

Patch posted:

Comment 1 Pino Toscano 2015-10-16 08:58:57 UTC
This has been fixed with
which is in libguestfs >= 1.31.5.

The rebase (bug #1218766) will pick this bug fix (and the feature too, actually :) ) as well.

Comment 3 Xianghua Chen 2016-06-28 02:49:14 UTC
Verified with the packages:

Verify steps:
1. Build a Fedora guest image and inject your public key and a string to the guest:
# virt-builder fedora-23 --arch i686 -o fedora-23.img --ssh-inject root:file:/root/.ssh/id_rsa.pub --ssh-inject  root:string:"ssh-rsa AAtesttesttest"

Command finished successfully and there should be an image: fedora-23.img.

2. Check the permission:
# guestfish -a tmp.qcow2 -i ll /root/.ssh/
drwx------  2 root root   28 Jun 21 09:14 .
dr-xr-x---. 5 root root 4096 Jun 21 09:14 ..
-rw-------  1 root root  402 Jun 21 09:14 authorized_keys

The permission of .ssh is 0700 and authorized_keys is 0600.

So verified.

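The permission check from the verify steps above, scripted as an added example (not from the bug report or from libguestfs): it audits ~/.ssh and ~/.ssh/authorized_keys for the 0700/0600 modes ssh-copy-id applies and can correct them. It assumes the guest filesystem is mounted read-write at ROOT (for example with guestmount) and that GNU stat is available; the sample tree it builds is constructed to mirror the pre-fix listing in the report.

```shell
# Added example (not from the bug report or libguestfs). Assumes ROOT is a
# guest root mounted read-write (e.g. via guestmount) and GNU stat (-c '%a').
# usage: check_ssh_perms /mnt/guest /root ; fix_ssh_perms /mnt/guest /root

# check_ssh_perms ROOT HOMEDIR: warn when ~/.ssh is not 700 or
# ~/.ssh/authorized_keys is not 600; returns 0 only when both are correct.
check_ssh_perms() {
    sshdir="$1$2/.ssh"
    rc=0
    if [ -d "$sshdir" ]; then
        mode=$(stat -c '%a' "$sshdir")
        [ "$mode" = "700" ] || { echo "WARN: $2/.ssh is mode $mode, want 700"; rc=1; }
    fi
    if [ -f "$sshdir/authorized_keys" ]; then
        mode=$(stat -c '%a' "$sshdir/authorized_keys")
        [ "$mode" = "600" ] || { echo "WARN: $2/.ssh/authorized_keys is mode $mode, want 600"; rc=1; }
    fi
    return $rc
}

# fix_ssh_perms ROOT HOMEDIR: apply the modes ssh-copy-id uses (0700 / 0600).
fix_ssh_perms() {
    sshdir="$1$2/.ssh"
    [ -d "$sshdir" ] && chmod 0700 "$sshdir"
    [ -f "$sshdir/authorized_keys" ] && chmod 0600 "$sshdir/authorized_keys"
    return 0
}

# make_broken_tree: constructed sample reproducing the pre-fix state from the
# report (directory 0755, authorized_keys 0644) in a temp tree; prints its path.
make_broken_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/root/.ssh"
    # constructed key string, same placeholder as in the verify steps
    printf 'ssh-rsa AAtesttesttest\n' > "$t/root/.ssh/authorized_keys"
    chmod 0755 "$t/root/.ssh"
    chmod 0644 "$t/root/.ssh/authorized_keys"
    echo "$t"
}
```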
Comment 5 errata-xmlrpc 2016-11-03 17:54:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

