guestfs: ensure right permissions for ssh config

Message ID 20250325-fix-ssh-guestfs-permissions-v1-1-d4b7a4b61a96@samsung.com (mailing list archive)
State New
Series guestfs: ensure right permissions for ssh config

Commit Message

Daniel Gomez March 25, 2025, 1:43 p.m. UTC
From: Daniel Gomez <da.gomez@samsung.com>

Ensure right permissions are set for the ~/.ssh/config_kdevops_* and
~/.ssh/config files.

From man 5 ssh_config:
FILES
       ~/.ssh/config
               This is the per-user configuration file.  The format of
               this file is described above.  This file is used by the
               SSH client.  Because of the potential for abuse, this
               file must have strict permissions: read/write for the
               user, and not writable by others.  It may be
               group-writable provided that the group in question
               contains only the user.

Fixes 'make bringup' ssh error:

TASK [update_ssh_config_guestfs : Check if the new include directive was used with a kdevops_version comment]

PLAY RECAP
localhost                  : ok=4    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

dagomez | FAILED! => {
    "changed": false,
    "elapsed": 600,
    "msg": "timed out waiting for ping module test: Failed to connect to the host via ssh: Bad owner or permissions on /home/dagomez/.ssh/config_kdevops_e1093bd8286b279a4838c0b4bb570d04907f43b70e73a0badc6f3271e5790209"
}
make: *** [scripts/guestfs.Makefile:67: .provisioned_once_ssh] Error 2

stat -c '%a' \
~/.ssh/config_kdevops_e1093bd8286b279a4838c0b4bb570d04907f43b70e73a0badc6f3271e5790209
664

stat -c '%a' ~/.ssh/
700

stat -c '%a' ~/.ssh/config
600

Signed-off-by: Daniel Gomez <da.gomez@samsung.com>
---
 playbooks/roles/update_ssh_config_guestfs/tasks/main.yml | 8 ++++++++
 scripts/update_ssh_config_guestfs.py                     | 1 +
 2 files changed, 9 insertions(+)


---
base-commit: 0e172a81d61c1ae53c7b6a5b652e1607b53f13c5
change-id: 20250325-fix-ssh-guestfs-permissions-b4d89014c8ea

Best regards,

Comments

Luis Chamberlain March 29, 2025, 9:56 p.m. UTC | #1
On Tue, Mar 25, 2025 at 01:43:36PM +0000, Daniel Gomez wrote:
> From: Daniel Gomez <da.gomez@samsung.com>
> 

Reviewed-by: Luis Chamberlain <mcgrof@kernel.org>

  Luis
Patch

diff --git a/playbooks/roles/update_ssh_config_guestfs/tasks/main.yml b/playbooks/roles/update_ssh_config_guestfs/tasks/main.yml
index 98c86f1646122c16169fcc58f0ce9a447e444d15..0e728d9a84996dce592465c6f2fa2d16b62ae963 100644
--- a/playbooks/roles/update_ssh_config_guestfs/tasks/main.yml
+++ b/playbooks/roles/update_ssh_config_guestfs/tasks/main.yml
@@ -69,3 +69,11 @@ 
     create: true
     block: |
       Include ~/.ssh/config_kdevops_*
+
+- name: Ensure ~/.ssh/config permissions
+  become: true
+  become_flags: 'su - -c'
+  become_method: ansible.builtin.sudo
+  ansible.builtin.file:
+    path: ~/.ssh/config
+    mode: "0600"
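
Review bot: the new task escalates with `become: true` and `become_flags: 'su - -c'` while `path: ~/.ssh/config` is home-relative, so the `~` is expanded for the user the module runs as after escalation, which may not be the user whose SSH config the task above just edited. Changing the mode of a file the user already owns needs no privilege, so consider dropping the three `become*` lines or passing an absolute path built from the intended user's home directory. If the escalation is there to match the preceding task (its become settings are outside this hunk), a short comment saying so would help the next reader.
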
diff --git a/scripts/update_ssh_config_guestfs.py b/scripts/update_ssh_config_guestfs.py
index 6269507970fbef75e4631034182018ca5db40c9f..4d178d498f0401a83e1a3aeb3f5fd329a6f7fbaa 100755
--- a/scripts/update_ssh_config_guestfs.py
+++ b/scripts/update_ssh_config_guestfs.py
@@ -92,6 +92,7 @@  def main():
         }
         sshconf.write(ssh_template.format(**context))
     sshconf.close()
+    os.chmod(ssh_config, 0o600)
 
 if __name__ == "__main__":
     main()
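
Review bot: `os.chmod(ssh_config, 0o600)` runs only after `sshconf.close()`, so the file keeps its umask-derived mode (664 in the commit message) for the whole time it is being written. Consider tightening the mode before the first write, for example `os.fchmod(sshconf.fileno(), 0o600)` right after the file is opened, which also covers a file left over from an earlier run with loose permissions. The hunk does not show the import block, so please confirm `os` is imported in this script.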