1294327 – /root/.ssh has incorrect mode

Bug 1294327 - /root/.ssh has incorrect mode

Summary: /root/.ssh has incorrect mode

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	kexec-tools
Sub Component:
Version:	6.8
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Minfei Huang
QA Contact:	Xiaoli Li
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-12-27 03:13 UTC by Minfei Huang
Modified:	2016-05-10 19:12 UTC (History)
CC List:	4 users (show)
Fixed In Version:	kexec-tools-2.0.0-290.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-05-10 19:12:31 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2016:0734	0	normal	SHIPPED_LIVE	kexec-tools bug fix and enhancement update	2016-05-10 22:28:16 UTC

Description Minfei Huang 2015-12-27 03:13:09 UTC

Description of problem:
/root/.ssh should create with mode 700. But it has incorrect mode in 2nd kernel.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Minfei Huang 2015-12-29 07:54:38 UTC

(In reply to Minfei Huang from comment #0)
> Description of problem:
> /root/.ssh should create with mode 700. But it has incorrect mode in 2nd
> kernel.

The directory of /root/.ssh which is in initramfs may have different mode with 700. Thus ssh may fail to dump vmcore in 2nd kernel.

> 
> Version-Release number of selected component (if applicable):
> 
> 
> How reproducible:

1. configure the kdump.conf to use ssh to dump vmcore in 2nd kernel
2. extract the /root/.ssh in initramfs to check the mode

Thanks
Minfei

Comment 2 Qiao Zhao 2015-12-29 08:11:31 UTC

(In reply to Minfei Huang from comment #1)
> (In reply to Minfei Huang from comment #0)
> > Description of problem:
> > /root/.ssh should create with mode 700. But it has incorrect mode in 2nd
> > kernel.
> 
> The directory of /root/.ssh which is in initramfs may have different mode
> with 700. Thus ssh may fail to dump vmcore in 2nd kernel.
> 
> > 
> > Version-Release number of selected component (if applicable):
> > 
> > 
> > How reproducible:
> 
> 1. configure the kdump.conf to use ssh to dump vmcore in 2nd kernel
> 2. extract the /root/.ssh in initramfs to check the mode
> 
> Thanks
> Minfei

Hi Minfei,

I config kdump.conf and restart kdump service, and check initramfs,
# lsinitrd /boot/initrd-2.6.32-573.el6.x86_64kdump.img | grep ssh
drwxr-xr-x   2 root     root            0 Dec 29 16:03 etc/ssh
-rw-r--r--   1 root     root         2047 May  4  2015 etc/ssh/ssh_config
drwxr-xr-x   2 root     root            0 Dec 29 16:03 root/.ssh
-rw-------   1 root     root         1675 Dec 29 16:02 root/.ssh/kdump_id_rsa
-rw-r--r--   1 root     root          393 Dec 29 16:02 root/.ssh/known_hosts
-rwxr-xr-x   1 root     root       446728 Dec 29 16:03 usr/bin/ssh

I got the directory root/.ssh mode is "drwxr-xr-x   2 root     root            0 Dec 29 16:03 root/.ssh" (755)

In normal system, /root/.ssh directory mode is "drwx------.  2 root root  4096 Dec 29 16:02 .ssh" (700)

I still didn't get your point.

--
Thanks,
Qiao

Comment 3 Qiao Zhao 2015-12-29 08:13:32 UTC

(In reply to Qiao Zhao from comment #2)
> (In reply to Minfei Huang from comment #1)
> > (In reply to Minfei Huang from comment #0)
> > > Description of problem:
> > > /root/.ssh should create with mode 700. But it has incorrect mode in 2nd
> > > kernel.
> > 
> > The directory of /root/.ssh which is in initramfs may have different mode
> > with 700. Thus ssh may fail to dump vmcore in 2nd kernel.
> > 
> > > 
> > > Version-Release number of selected component (if applicable):
> > > 
> > > 
> > > How reproducible:
> > 
> > 1. configure the kdump.conf to use ssh to dump vmcore in 2nd kernel
> > 2. extract the /root/.ssh in initramfs to check the mode
> > 
> > Thanks
> > Minfei
> 
> Hi Minfei,
> 
> I config kdump.conf and restart kdump service, and check initramfs,
> # lsinitrd /boot/initrd-2.6.32-573.el6.x86_64kdump.img | grep ssh
> drwxr-xr-x   2 root     root            0 Dec 29 16:03 etc/ssh
> -rw-r--r--   1 root     root         2047 May  4  2015 etc/ssh/ssh_config
> drwxr-xr-x   2 root     root            0 Dec 29 16:03 root/.ssh
> -rw-------   1 root     root         1675 Dec 29 16:02 root/.ssh/kdump_id_rsa
> -rw-r--r--   1 root     root          393 Dec 29 16:02 root/.ssh/known_hosts
> -rwxr-xr-x   1 root     root       446728 Dec 29 16:03 usr/bin/ssh
> 
> I got the directory root/.ssh mode is "drwxr-xr-x   2 root     root         
> 0 Dec 29 16:03 root/.ssh" (755)
> 
> In normal system, /root/.ssh directory mode is "drwx------.  2 root root 
> 4096 Dec 29 16:02 .ssh" (700)
> 
> I still didn't get your point.

You means get a different mode in 2nd kernel?  But it don't affect the kdump result.

> 
> --
> Thanks,
> Qiao

Comment 4 Minfei Huang 2015-12-29 08:31:38 UTC

(In reply to Qiao Zhao from comment #2)
> Hi Minfei,
> 
> I config kdump.conf and restart kdump service, and check initramfs,
> # lsinitrd /boot/initrd-2.6.32-573.el6.x86_64kdump.img | grep ssh
> drwxr-xr-x   2 root     root            0 Dec 29 16:03 etc/ssh
> -rw-r--r--   1 root     root         2047 May  4  2015 etc/ssh/ssh_config
> drwxr-xr-x   2 root     root            0 Dec 29 16:03 root/.ssh
> -rw-------   1 root     root         1675 Dec 29 16:02 root/.ssh/kdump_id_rsa
> -rw-r--r--   1 root     root          393 Dec 29 16:02 root/.ssh/known_hosts
> -rwxr-xr-x   1 root     root       446728 Dec 29 16:03 usr/bin/ssh
> 
> I got the directory root/.ssh mode is "drwxr-xr-x   2 root     root         
> 0 Dec 29 16:03 root/.ssh" (755)
> 
> In normal system, /root/.ssh directory mode is "drwx------.  2 root root 
> 4096 Dec 29 16:02 .ssh" (700)

Yes. The ssh directory's mode should be 700, since it is a security directory that it  cannot be accessed by other users.

drwx------.  2 mhuang mhuang   4096 Nov 24 10:21 .ssh

> 
> I still didn't get your point.

We should guarantee the ssh's mode to make it safe.

Thanks
Minfei

Comment 5 Qiao Zhao 2015-12-29 08:40:06 UTC

(In reply to Minfei Huang from comment #4)
> (In reply to Qiao Zhao from comment #2)
> > Hi Minfei,
> > 
> > I config kdump.conf and restart kdump service, and check initramfs,
> > # lsinitrd /boot/initrd-2.6.32-573.el6.x86_64kdump.img | grep ssh
> > drwxr-xr-x   2 root     root            0 Dec 29 16:03 etc/ssh
> > -rw-r--r--   1 root     root         2047 May  4  2015 etc/ssh/ssh_config
> > drwxr-xr-x   2 root     root            0 Dec 29 16:03 root/.ssh
> > -rw-------   1 root     root         1675 Dec 29 16:02 root/.ssh/kdump_id_rsa
> > -rw-r--r--   1 root     root          393 Dec 29 16:02 root/.ssh/known_hosts
> > -rwxr-xr-x   1 root     root       446728 Dec 29 16:03 usr/bin/ssh
> > 
> > I got the directory root/.ssh mode is "drwxr-xr-x   2 root     root         
> > 0 Dec 29 16:03 root/.ssh" (755)
> > 
> > In normal system, /root/.ssh directory mode is "drwx------.  2 root root 
> > 4096 Dec 29 16:02 .ssh" (700)
> 
> Yes. The ssh directory's mode should be 700, since it is a security
> directory that it  cannot be accessed by other users.
> 
> drwx------.  2 mhuang mhuang   4096 Nov 24 10:21 .ssh
> 
> > 
> > I still didn't get your point.
> 
> We should guarantee the ssh's mode to make it safe.

OK, got. Didn't notice this problem, i just think the 2nd kernel end soon.

set qa_ack+

> 
> Thanks
> Minfei

Comment 9 errata-xmlrpc 2016-05-10 19:12:31 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0734.html

Note You need to log in before you can comment on or make changes to this bug.