From ca353ed406bc46f09b168eb4be25edd2c9594cd7 Mon Sep 17 00:00:00 2001
From: John Van de Meulebrouck Brendgard
Date: Fri, 17 Nov 2023 13:50:02 +0100
Subject: [PATCH 1/3] Set same permissions for /root/.ssh/authorized_keys in post-tasks.d/010fix-ssh-perms as is done by Puppet with sunet::ssh_keys.
---
 global/post-tasks.d/010fix-ssh-perms | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/global/post-tasks.d/010fix-ssh-perms b/global/post-tasks.d/010fix-ssh-perms
index 87636d7..f32a6a4 100755
--- a/global/post-tasks.d/010fix-ssh-perms
+++ b/global/post-tasks.d/010fix-ssh-perms
@@ -17,7 +17,7 @@ if test -f /root/.ssh/authorized_keys; then
 if test `stat -t /root/.ssh/authorized_keys | cut -d\ -f5` != 0; then
 chown root.root /root/.ssh/authorized_keys
 fi
- if test `stat --printf=%a /root/.ssh/authorized_keys` != 600; then
- chmod 600 /root/.ssh/authorized_keys
+ if test `stat --printf=%a /root/.ssh/authorized_keys` != 440; then
+ chmod 440 /root/.ssh/authorized_keys
 fi
 fi
From 75e566ab61fe9d485a70f3066084705c720315b2 Mon Sep 17 00:00:00 2001
From: John Van de Meulebrouck Brendgard
Date: Fri, 17 Nov 2023 14:58:51 +0100
Subject: [PATCH 2/3] Make sure that /root in overlay is owned by root as well as that /root/.ssh and its content is only owned and readable by root. This is redundant if the previous permissions were properly applied and no other changes have been made by the user or something else, but is added for good measure as a layered defense.
---
 global/pre-tasks.d/015set-overlay-permissions | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/global/pre-tasks.d/015set-overlay-permissions b/global/pre-tasks.d/015set-overlay-permissions
index 37f9844..205180b 100755
--- a/global/pre-tasks.d/015set-overlay-permissions
+++ b/global/pre-tasks.d/015set-overlay-permissions
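Review bot: In global/post-tasks.d/010fix-ssh-perms, mode 440 makes authorized_keys group-readable, so the file's group now matters, but the ownership test in the context lines just above compares only field 5 of `stat -t`, which is the owner uid. A file owned by root with some other group would skip the `chown` and end up readable by that group. Checking both ids would close that, for example `if test "$(stat --printf=%u:%g /root/.ssh/authorized_keys)" != 0:0; then`, together with `chown root:root`, since the `root.root` separator is a deprecated form. The enclosing `if test -f` block starts outside the hunk.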
@@ -14,10 +14,17 @@ if ! test -d "$MODEL_OVERLAY"; then
 exit 0
 fi
+args=""
+if [ "x$COSMOS_VERBOSE" = "xy" ]; then
+ args="-v"
+fi
+
 if [ -d "$MODEL_OVERLAY/root" ]; then
- args=""
- if [ "x$COSMOS_VERBOSE" = "xy" ]; then
- args="-v"
- fi
+ chown ${args} root:root "$MODEL_OVERLAY"/root
 chmod ${args} 0700 "$MODEL_OVERLAY"/root
 fi
+
+if [ -d "$MODEL_OVERLAY/root/.ssh" ]; then
+ chown ${args} -R root:root "$MODEL_OVERLAY"/root/.ssh
+ chmod ${args} 0700 "$MODEL_OVERLAY"/root/.ssh
+fi
From 8d4ce2d1b7132dbe00486134e60e0e13f715b8d4 Mon Sep 17 00:00:00 2001
From: John Van de Meulebrouck Brendgard
Date: Fri, 17 Nov 2023 15:03:47 +0100
Subject: [PATCH 3/3] Make sure that COSMOS_BASE is only readable by root since it's possible that the directory can contain files that after applying the overlay to / only should be read or writable by root.
---
 global/post-tasks.d/014set-cosmos-permissions | 24 +++++++++++++++++++
 global/pre-tasks.d/014set-cosmos-permissions | 24 +++++++++++++++++++
 2 files changed, 48 insertions(+)
 create mode 100755 global/post-tasks.d/014set-cosmos-permissions
 create mode 100755 global/pre-tasks.d/014set-cosmos-permissions
diff --git a/global/post-tasks.d/014set-cosmos-permissions b/global/post-tasks.d/014set-cosmos-permissions
new file mode 100755
index 0000000..08992b5
--- /dev/null
+++ b/global/post-tasks.d/014set-cosmos-permissions
@@ -0,0 +1,24 @@
+#!/bin/sh
+#
+# Set Cosmos directory permissions so that
+# the files cannot be read by anyone but root,
+# since it's possible that the directory
+# can contain files that after applying the
+# overlay to / only should be read or writable
+# by root.
+
+set -e
+self=$(basename "$0")
+
+if ! test -d "$COSMOS_BASE"; then
+ test -z "$COSMOS_VERBOSE" || echo "$self: COSMOS_BASE was not found. Aborting change of permissions."
+ exit 0
+fi
+
+args=""
+if [ "x$COSMOS_VERBOSE" = "xy" ]; then
+ args="-v"
+fi
+
+chown ${args} root:root "$COSMOS_BASE"
+chmod ${args} 750 "$COSMOS_BASE"
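Review bot: In global/pre-tasks.d/015set-overlay-permissions the new `.ssh` block makes ownership recursive (`chown -R`) but sets the mode only on the directory, so files under `$MODEL_OVERLAY/root/.ssh` keep whatever mode they arrived with, while the commit message says the content should be readable only by root. Inside the overlay the 0700 directory already blocks access, but if the later overlay copy preserves file modes (not visible here), a group- or world-readable file would land in /root/.ssh that way. Adding `chmod ${args} -R go-rwx "$MODEL_OVERLAY"/root/.ssh` after the existing chmod would match the stated intent; the 010fix-ssh-perms post-task still sets authorized_keys explicitly afterwards.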
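Review bot: The header comment of global/post-tasks.d/014set-cosmos-permissions says the files "cannot be read by anyone but root", but the last line runs `chmod ${args} 750 "$COSMOS_BASE"`, which leaves read and search permission for the owning group. With `root:root` ownership that is group root rather than everyone, yet it is still wider than the comment states and than the 0700 used in 015set-overlay-permissions. Either use `chmod ${args} 700 "$COSMOS_BASE"` or reword the comment to say that group root keeps read access. The identical script added as global/pre-tasks.d/014set-cosmos-permissions has the same mismatch.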
diff --git a/global/pre-tasks.d/014set-cosmos-permissions b/global/pre-tasks.d/014set-cosmos-permissions
new file mode 100755
index 0000000..08992b5
--- /dev/null
+++ b/global/pre-tasks.d/014set-cosmos-permissions
@@ -0,0 +1,24 @@
+#!/bin/sh
+#
+# Set Cosmos directory permissions so that
+# the files cannot be read by anyone but root,
+# since it's possible that the directory
+# can contain files that after applying the
+# overlay to / only should be read or writable
+# by root.
+
+set -e
+self=$(basename "$0")
+
+if ! test -d "$COSMOS_BASE"; then
+ test -z "$COSMOS_VERBOSE" || echo "$self: COSMOS_BASE was not found. Aborting change of permissions."
+ exit 0
+fi
+
+args=""
+if [ "x$COSMOS_VERBOSE" = "xy" ]; then
+ args="-v"
+fi
+
+chown ${args} root:root "$COSMOS_BASE"
+chmod ${args} 750 "$COSMOS_BASE"
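Review bot: global/pre-tasks.d/014set-cosmos-permissions is added with the same blob (index 08992b5) as global/post-tasks.d/014set-cosmos-permissions, so the two copies have to be kept in step by hand and a later fix to one can miss the other. If the repository layout allows it, a symlink from one tasks directory to the other, or a shared script that both call, would keep the permission policy in one place. If the duplication is deliberate, a top-of-file comment such as `# Keep in sync with global/post-tasks.d/014set-cosmos-permissions` would record that.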