Bug 621902 - Permissions not set correctly on key pair file
Status: CLOSED ERRATA
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: condor (Show other bugs)
Version: 1.2
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: 1.3
Target Release: ---
Assigned To: Matthew Farrellee
QA Contact: Luigi Toscano
Docs Contact:
Depends On:
Blocks:
Reported: 2010-08-06 09:04 EDT by Steve Reichard
Modified: 2010-10-14 12:14 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Using the MRG Grid to spawn Amazon EC2 instances, when attempting to use the generated key pair which is pointed to by the 'AMAZON_KEYPAIR_FILE' variable, a 'bad permissions' error was returned. The ssh private key file that allowed logging into the EC2 instance was being written with global 'read' permissions. With this update, only the owner has 'read' permission.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-10-14 12:14:04 EDT
External Trackers
Tracker ID: Red Hat Product Errata RHSA-2010:0773
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: Red Hat Enterprise MRG Messaging and Grid Version 1.3
Last Updated: 2010-10-14 11:56:44 EDT

Description Steve Reichard 2010-08-06 09:04:15 EDT
Description of problem:

Using MRG Grid to spawn Amazon EC2 instances, when I attempt to use the generated key pair which is pointed to by the AMAZON_KEYPAIR_FILE variable I get the following error:

 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
 @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 Permissions 0644 for '/home/admin/tunnelkeypair' are too open.
 It is recommended that your private key files are NOT accessible by others.
 This private key will be ignored.
 bad permissions: ignore key: /home/admin/tunnelkeypair

This is easily worked around by the following command, and so far no adverse effects have been noted.

  chmod 400 tunnelkeypair

Version-Release number of selected component (if applicable):

MRG 1.2

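The warning quoted in the report is ssh's private-key check: it refuses any key file with permission bits set for group or others (mode & 077), which is exactly what the 0644 file tripped. The following is an added example, not condor/MRG code, that mirrors that check and shows how the key file should be created so that it passes from the moment it exists: a single open() with O_CREAT|O_EXCL and mode 0600, rather than creating the file and then writing it in a second step. The path and the key material are constructed placeholders.

```c
/* Added example (not HTCondor/MRG code): mirror the mode check ssh applies
 * to a private key and create the key file so it passes that check from
 * the moment it exists. Path and key material below are constructed. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* The mode part of ssh's "UNPROTECTED PRIVATE KEY FILE" check: any bit set
 * for group or others (mode & 077) makes the key unusable, so 0644 fails
 * while 0600 and 0400 pass. (ssh additionally requires the file to be owned
 * by the user or root; that ownership check is not modelled here.) */
int key_mode_too_open(mode_t mode)
{
    return (mode & (S_IRWXG | S_IRWXO)) != 0;
}

/* Write key material to path with mode 0600. O_CREAT|O_EXCL makes the mode
 * part of the single creating call and refuses a pre-existing file or a
 * symlink left at the path, so a stale 0644 file from an earlier run is
 * never silently reused; fchmod() undoes the effect of any umask that
 * removed owner bits. Returns 0 on success, -1 on failure (errno set). */
int write_private_key(const char *path, const char *pem, size_t len)
{
    size_t off = 0;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    if (fchmod(fd, 0600) != 0)
        goto fail;
    while (off < len) {
        ssize_t n = write(fd, pem + off, len - off);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            goto fail;
        }
        off += (size_t)n;
    }
    if (close(fd) != 0) {
        unlink(path);
        return -1;
    }
    return 0;
fail:
    close(fd);
    unlink(path);
    return -1;
}

/* Permission bits of path (e.g. 0600), or -1 if it cannot be stat'ed. */
int key_file_mode(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    return (int)(st.st_mode & 07777);
}

int main(void)
{
    const char *path = "/tmp/tunnelkeypair.example";      /* constructed path */
    const char *pem = "-----BEGIN RSA PRIVATE KEY-----\n"  /* placeholder, not a key */
                      "EXAMPLE\n"
                      "-----END RSA PRIVATE KEY-----\n";
    unlink(path);
    if (write_private_key(path, pem, strlen(pem)) != 0) {
        perror("write_private_key");
        return 1;
    }
    int mode = key_file_mode(path);
    printf("%s: mode %04o -> %s\n", path, mode,
           key_mode_too_open((mode_t)mode) ? "too open, ssh would ignore it"
                                           : "ok for ssh");
    unlink(path);
    return 0;
}
```

The reporter's `chmod 400 tunnelkeypair` repairs a file that already exists, but the window during which the key sat world-readable has already passed; setting the mode in the creating call closes that window entirely, and O_EXCL also means a file or symlink that some other local user planted at the path beforehand causes a failure instead of a leak.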
Comment 1 Matthew Farrellee 2010-08-07 13:01:22 EDT
commit e7f1cfa5da9e379538efbea33a69372b0e88d033
Author: Jaime Frey <jfrey@>
Date:   Fri Jul 16 12:32:32 2010 -0500

    Fix permissions on ssh private key file for amazon ec2 jobs. #1508
    
    The ssh private key file that allows logging into the ec2 instance
    was being written with global read permissions. Now, only the owner
    has read permission.

...

--- a/src/condor_amazon/gsoap_commands.cpp
+++ b/src/condor_amazon/gsoap_commands.cpp
@@ -319,7 +319,7 @@ AmazonVMCreateKeypair::gsoapRequest(void)
 
        // check if output file could be created
        if( has_outputfile ) { 
-               if( check_create_file(outputfile.Value()) == false ) {
+               if( check_create_file(outputfile.Value(), 0600) == false ) {
                        m_error_msg = "No_permission_for_keypair_outputfile";
                        dprintf(D_ALWAYS, "AmazonVMCreateKeypair Error: %s\n", m_error_msg.Value())
                        return false;
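Review bot: check_create_file() is now asked for 0600 on the `+` line, but the file is then reopened and written by a separate safe_fopen_wrapper() call further down in the same function, so there are two steps between which another local process can act on the path, and it is not visible here whether check_create_file() chmods a file that already exists at outputfile.Value() (a key file left behind by an MRG 1.2 run will be 0644) or only applies the mode on creation. Please confirm the pre-existing-file case, or collapse the two steps into one open(path, O_WRONLY|O_CREAT|O_EXCL, 0600) followed by fdopen(), so the mode is fixed at creation and there is no check-then-write window.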
@@ -343,7 +343,7 @@ AmazonVMCreateKeypair::gsoapRequest(void)
                if( has_outputfile ) {
 
                        FILE *fp = NULL;
-                       fp = safe_fopen_wrapper(outputfile.Value(), "w");
+                       fp = safe_fopen_wrapper(outputfile.Value(), "w", 600);
                        if( !fp ) {
                                m_error_msg.sprintf("failed to safe_fopen_wrapper %s in write mode:
                                                "safe_fopen_wrapper returns %s",
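Review bot: the mode passed to safe_fopen_wrapper() on the `+` line is the decimal literal 600, while the check_create_file() call in the previous hunk uses the octal literal 0600. If this parameter is a mode_t, decimal 600 is octal 01130 (sticky bit, owner rwx, group --x, others -wx), not owner-only read/write; change it to 0600 so the two calls agree and the resulting mode matches what the commit message promises.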
Comment 2 Matthew Farrellee 2010-08-07 13:02:00 EDT
Fix built in condor 7.4.4-0.5
Comment 3 Luigi Toscano 2010-09-08 13:50:38 EDT
The permissions of the generated keyfile are now (at least) 600.

Verified on RHEL5.5, i386/x86_64.
condor-7.4.4-0.9
Comment 10 Martin Prpič 2010-10-07 12:22:41 EDT
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Using the MRG Grid to spawn Amazon EC2 instances, when attempting to use the generated key pair which is pointed to by the 'AMAZON_KEYPAIR_FILE' variable, a 'bad permissions' error was returned. The ssh private key file that allowed logging into the EC2 instance was being written with global 'read' permissions. With this update, only the owner has 'read' permission.
Comment 16 errata-xmlrpc 2010-10-14 12:14:04 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2010-0773.html
