[Bug 1382632] Re: Insecure key file permissions
Scott Moser
smoser at ubuntu.com
Mon Oct 27 17:55:06 UTC 2014
** Description changed:
+ === SRU Information ===
+ [Impact]
+ Systems installed using curtin inadvertently have a default set of ACLs applied
+ to the root directory. Those default ACLs can wreak havoc with seemingly
+ sane expectations of users or packages or administrators.
+
+ For example, the problem that was noticed essentially boiled down to a
+ program doing:
+ ( umask 0066 ; rm -f secret-file; echo "passw0rd" > secret-file )
+ and then later that program checked permissions of the file
+ and found:
+ $ ls -l secret-file
+ -rw-r--r-- 1 smoser smoser 0 Oct 27 12:00 secret-file
+ instead of
+ -rw------- 1 smoser smoser 0 Oct 27 12:00 secret-file
+ and raised an exception.
+
+ This is not at all an unreasonable expectation.
+ Essentially, this boils down to not all packages being ready to handle
+ having filesystem ACLs in place. Additionally, curtin did not intend to
+ install the target with default ACLs; that was an unexpected behavior of
+ tar (raised in bug 1386237).
+
+ [Test Case]
+ * Install system with MAAS and fast path installer (curtin).
+ * mkdir /tmp/mydir
+ * cd /tmp/mydir
+ * ( umask 0066 ; rm -f secret-file; echo "passw0rd" > secret-file )
+ * ls -l secret-file
+
+ Expected output is that the file has 600 permissions. Failure case is 644.
+
+ [Regression Potential]
+ Fairly small chance for regression, as the tar files created for consumption
+ are not created with ACL information inside. Generally Ubuntu installations
+ do not have default ACLs in place on /, and thus the change creates less
+ chance for unexpected behavior than is currently present.
+
+ [Other Info]
+ This bug is not actually present in the version of curtin in trusty.
+ However, the fix for this issue is in the code added to fix bug 1313550.
+ The bug is present in utopic's version of curtin.
+
+ === End SRU Information ===
+
openstack-dashboard 1:2014.2-0ubuntu1~cloud0 from
http://ppa.launchpad.net/ubuntu-cloud-archive/juno-staging/ubuntu/
Got this during installation with the charm:
(...)
2014-10-17 17:17:07 INFO install Setting up openstack-dashboard (1:2014.2-0ubuntu1~cloud0) ...
2014-10-17 17:17:07 INFO install Collecting and compressing static assets...
2014-10-17 17:17:07 INFO install Traceback (most recent call last):
2014-10-17 17:17:07 INFO install File "manage.py", line 25, in <module>
2014-10-17 17:17:07 INFO install execute_from_command_line(sys.argv)
2014-10-17 17:17:07 INFO install File "/usr/lib/python2.7/dist-packages/django/core/management/__init__.py", line 399, in execute_from_command_line
2014-10-17 17:17:07 INFO install utility.execute()
2014-10-17 17:17:07 INFO install File "/usr/lib/python2.7/dist-packages/django/core/management/__init__.py", line 392, in execute
2014-10-17 17:17:07 INFO install self.fetch_command(subcommand).run_from_argv(self.argv)
2014-10-17 17:17:07 INFO install File "/usr/lib/python2.7/dist-packages/django/core/management/__init__.py", line 261, in fetch_command
2014-10-17 17:17:07 INFO install commands = get_commands()
2014-10-17 17:17:07 INFO install File "/usr/lib/python2.7/dist-packages/django/core/management/__init__.py", line 107, in get_commands
2014-10-17 17:17:07 INFO install apps = settings.INSTALLED_APPS
2014-10-17 17:17:07 INFO install File "/usr/lib/python2.7/dist-packages/django/conf/__init__.py", line 54, in __getattr__
2014-10-17 17:17:07 INFO install self._setup(name)
2014-10-17 17:17:07 INFO install File "/usr/lib/python2.7/dist-packages/django/conf/__init__.py", line 49, in _setup
2014-10-17 17:17:07 INFO install self._wrapped = Settings(settings_module)
2014-10-17 17:17:07 INFO install File "/usr/lib/python2.7/dist-packages/django/conf/__init__.py", line 128, in __init__
2014-10-17 17:17:07 INFO install mod = importlib.import_module(self.SETTINGS_MODULE)
2014-10-17 17:17:07 INFO install File "/usr/lib/python2.7/dist-packages/django/utils/importlib.py", line 40, in import_module
2014-10-17 17:17:07 INFO install __import__(name)
2014-10-17 17:17:07 INFO install File "/usr/share/openstack-dashboard/openstack_dashboard/settings.py", line 316, in <module>
2014-10-17 17:17:07 INFO install from local.local_settings import * # noqa
2014-10-17 17:17:07 INFO install File "/usr/share/openstack-dashboard/openstack_dashboard/local/local_settings.py", line 98, in <module>
2014-10-17 17:17:07 INFO install SECRET_KEY = secret_key.generate_or_read_from_file('/var/lib/openstack-dashboard/secret_key')
2014-10-17 17:17:07 INFO install File "/usr/lib/python2.7/dist-packages/horizon/utils/secret_key.py", line 61, in generate_or_read_from_file
2014-10-17 17:17:07 INFO install raise FilePermissionError("Insecure key file permissions!")
2014-10-17 17:17:07 INFO install horizon.utils.secret_key.FilePermissionError: Insecure key file permissions!
2014-10-17 17:17:07 INFO install dpkg: error processing package openstack-dashboard (--configure):
2014-10-17 17:17:07 INFO install subprocess installed post-installation script returned error exit status 1
2014-10-17 17:17:07 INFO install dpkg: dependency problems prevent configuration of openstack-dashboard-ubuntu-theme:
2014-10-17 17:17:07 INFO install openstack-dashboard-ubuntu-theme depends on openstack-dashboard (= 1:2014.2-0ubuntu1~cloud0); however:
2014-10-17 17:17:07 INFO install Package openstack-dashboard is not configured yet.
2014-10-17 17:17:07 INFO install
2014-10-17 17:17:07 INFO install dpkg: error processing package openstack-dashboard-ubuntu-theme (--configure):
2014-10-17 17:17:07 INFO install dependency problems - leaving unconfigured
2014-10-17 17:17:07 INFO install No apport report written because the error message indicates its a followup error from a previous failure.
2014-10-17 17:17:07 INFO install Errors were encountered while processing:
2014-10-17 17:17:07 INFO install openstack-dashboard
2014-10-17 17:17:07 INFO install openstack-dashboard-ubuntu-theme
2014-10-17 17:17:08 INFO install E: Sub-process /usr/bin/dpkg returned an error code (1)
Full logs attached.
-
- Related Bugs:
- * bug 1382632: horizon insecure key file permissions
- * bug 1386237: tar strange behavior with --acl
- * bug 1313550: ping broken (xattrs lost in tar extraction)
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to horizon in Ubuntu.
https://bugs.launchpad.net/bugs/1382632
Title:
Insecure key file permissions
To manage notifications about this bug go to:
https://bugs.launchpad.net/curtin/+bug/1382632/+subscriptions
More information about the Ubuntu-server-bugs
mailing list
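The behaviour in the test case above, as an added example that is not part of the bug report and is not horizon's or curtin's code: it reproduces the umask-only write that a default ACL can turn into 0644, shows a write that passes an explicit 0600 to open(2) and fchmod()s the result (the mode argument is ANDed with the directory's default ACL entries, and fchmod sets the ACL mask, so the file stays 0600 either way), and includes a check modelled on the "Insecure key file permissions!" refusal in the traceback. Function names, the temp-directory layout and the "passw0rd" contents are assumptions for illustration; the default-ACL detection relies on the Linux xattr name system.posix_acl_default.

```python
"""Added example (not horizon's or curtin's code): a umask-only secret-file
write versus an explicit-mode write, under a possible default ACL.
All names, paths and sample contents are illustrative."""
import os
import stat
import tempfile

# Linux stores a directory's default POSIX ACL under this xattr name.
_DEFAULT_ACL_XATTR = "system.posix_acl_default"


def has_default_acl(directory):
    """True if `directory` carries a default ACL (Linux only; False elsewhere)."""
    if not hasattr(os, "listxattr"):
        return False
    try:
        return _DEFAULT_ACL_XATTR in os.listxattr(directory)
    except OSError:
        return False


def file_mode(path):
    """Permission bits of `path` as an int, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def write_secret_umask_only(path, secret):
    """The pattern from the bug: `( umask 0066; echo ... > file )`.
    open() requests 0666 and relies on umask; a default ACL on the parent
    directory replaces the umask, so the file can come out 0644."""
    old = os.umask(0o066)
    try:
        with open(path, "w") as f:
            f.write(secret)
    finally:
        os.umask(old)
    return file_mode(path)


def write_secret_explicit(path, secret):
    """Hardened form: O_EXCL plus an explicit 0600 mode, then fchmod.
    The requested mode is ANDed with any default ACL, and fchmod sets the
    ACL mask, so st_mode reports 0600 regardless of umask or ACLs."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.fchmod(fd, 0o600)
        os.write(fd, secret.encode())
    finally:
        os.close(fd)
    return file_mode(path)


def check_key_file(path):
    """Modelled on the check in the traceback: refuse a key file that is not 0600."""
    if file_mode(path) != 0o600:
        raise PermissionError("Insecure key file permissions!")
    with open(path) as f:
        return f.read()


def demo(directory=None):
    """Run both writers and the key-file check in a fresh directory.
    Returns the observed modes and whether a 0644 key file was rejected."""
    directory = directory or tempfile.mkdtemp(prefix="acl-demo-")
    umask_path = os.path.join(directory, "secret-umask")
    explicit_path = os.path.join(directory, "secret-explicit")
    insecure_path = os.path.join(directory, "secret-insecure")
    for p in (umask_path, explicit_path, insecure_path):
        if os.path.exists(p):
            os.unlink(p)
    umask_mode = write_secret_umask_only(umask_path, "passw0rd")
    explicit_mode = write_secret_explicit(explicit_path, "passw0rd")
    # Constructed failure case: a key file deliberately left world-readable.
    write_secret_explicit(insecure_path, "passw0rd")
    os.chmod(insecure_path, 0o644)
    try:
        check_key_file(insecure_path)
        rejected = False
    except PermissionError:
        rejected = True
    return {
        "directory": directory,
        "default_acl": has_default_acl(directory),
        "umask_only": umask_mode,
        "explicit": explicit_mode,
        "explicit_path": explicit_path,
        "insecure_rejected": rejected,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, oct(v) if isinstance(v, int) and not isinstance(v, bool) else v)
```

To see the failure mode, point `demo()` at a directory prepared with `setfacl -d -m g::r,o::r <dir>` (getfacl will then list `default:` entries): `umask_only` reports 0o644 while `explicit` stays 0o600. On a directory without a default ACL both report 0o600, which is why the bug only surfaced on curtin-installed systems.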