[Bug 2052524] Re: INSECURE permissions for Ubuntu Netplan YAML on installer execution, cloud images

[Dan Bungert]

For the Subiquity case, note that the existing behavior was to keep wifi
data in a separate file that was consistent with the root-visible-only
permissions that Netplan was asking for, so the case discussed here
would apply to non-wifi secrets only and is otherwise just a warning.
Was still worth fixing though, thank you for the report.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2052524

Title:
  INSECURE permissions for Ubuntu Netplan YAML on installer execution,
  cloud images

Status in cloud-images:
  New
Status in subiquity:
  Fix Committed

Bug description:
  Currently, the Subiquity installer for 22.04 and Server images creates
  00-installer-config.yaml in /etc/netplan/ with the permissions 644 and
  ownership by root:root.

  However, Ubuntu 22.04 now has version 0.106.1 backported via -updates
  pocket.  In netplan version 0.106.1, there is a requirement in the
  system that the permissions for netplan YAMLs need to be more secure,
  and that the files should not be readable by anyone.  To that effect,
  the only functionally acceptable permissions that DO NOT throw
  warnings are 600 on the netplan YAML files.

  This is a bug in the Subiquity installer used for Server 22.04 and
  others.  This should likely be patched in Subiquity so that during the
  process of installation, Netplan required permissions are respected
  **on install** rather than allowing warnings to trigger after the fact
  and create extra noise.

  ---

  This is flagged as a Security issue because it is in effect CWE-266
  (CWE-266: Incorrect Privilege Assignment) and should be considered a
  security flaw, even if it's low-grade.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-images/+bug/2052524/+subscriptions