From patchwork Tue Mar 25 13:43:36 2025
X-Patchwork-Submitter: Daniel Gomez
X-Patchwork-Id: 14029058
From: Daniel Gomez
Date: Tue, 25 Mar 2025 13:43:36 +0000
Subject: [PATCH] guestfs: ensure right permissions for ssh config
X-Mailing-List: kdevops@lists.linux.dev
Message-Id: <20250325-fix-ssh-guestfs-permissions-v1-1-d4b7a4b61a96@samsung.com>
X-Change-ID: 20250325-fix-ssh-guestfs-permissions-b4d89014c8ea
To: Luis Chamberlain
Cc: kdevops@lists.linux.dev, Daniel Gomez, Daniel Gomez
X-Mailer: b4 0.14.2
From: Daniel Gomez

Ensure right permissions are set for the ~/.ssh/config_kdevops_* and
~/.ssh/config files. From man 5 ssh_config:

FILES
     ~/.ssh/config
             This is the per-user configuration file. The format of this
             file is described above. This file is used by the SSH client.
             Because of the potential for abuse, this file must have
             strict permissions: read/write for the user, and not writable
             by others. It may be group-writable provided that the group
             in question contains only the user.

Fixes 'make bringup' ssh error:

TASK [update_ssh_config_guestfs : Check if the new include directive was used with a kdevops_version comment]
PLAY RECAP
localhost : ok=4 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

dagomez | FAILED! => {
    "changed": false,
    "elapsed": 600,
    "msg": "timed out waiting for ping module test: Failed to connect to the host via ssh: Bad owner or permissions on /home/dagomez/.ssh/config_kdevops_e1093bd8286b279a4838c0b4bb570d04907f43b70e73a0badc6f3271e5790209"
}
make: *** [scripts/guestfs.Makefile:67: .provisioned_once_ssh] Error 2

stat -c '%a' ~/.ssh/config_kdevops_e1093bd8286b279a4838c0b4bb570d04907f43b70e73a0badc6f3271e5790209
664
stat -c '%a' ~/.ssh/
700
stat -c '%a' ~/.ssh/config
600

Signed-off-by: Daniel Gomez
Reviewed-by: Luis Chamberlain
---
 playbooks/roles/update_ssh_config_guestfs/tasks/main.yml | 8 ++++++++
 scripts/update_ssh_config_guestfs.py                     | 1 +
 2 files changed, 9 insertions(+)
---
base-commit: 0e172a81d61c1ae53c7b6a5b652e1607b53f13c5
change-id: 20250325-fix-ssh-guestfs-permissions-b4d89014c8ea

Best regards,

diff --git a/playbooks/roles/update_ssh_config_guestfs/tasks/main.yml b/playbooks/roles/update_ssh_config_guestfs/tasks/main.yml
index 98c86f1646122c16169fcc58f0ce9a447e444d15..0e728d9a84996dce592465c6f2fa2d16b62ae963 100644
--- a/playbooks/roles/update_ssh_config_guestfs/tasks/main.yml
+++ b/playbooks/roles/update_ssh_config_guestfs/tasks/main.yml
@@ -69,3 +69,11 @@ create: true block: | Include ~/.ssh/config_kdevops_* + +- name: Ensure ~/.ssh/config permissions + become: true + become_flags: 'su - -c' + become_method: ansible.builtin.sudo + ansible.builtin.file: + path: ~/.ssh/config + mode: "0600" diff --git a/scripts/update_ssh_config_guestfs.py b/scripts/update_ssh_config_guestfs.py index 6269507970fbef75e4631034182018ca5db40c9f..4d178d498f0401a83e1a3aeb3f5fd329a6f7fbaa 100755 --- a/scripts/update_ssh_config_guestfs.py +++ b/scripts/update_ssh_config_guestfs.py @@ -92,6 +92,7 @@ def main(): } sshconf.write(ssh_template.format(**context)) sshconf.close() + os.chmod(ssh_config, 0o600) if __name__ == "__main__": main()
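Review bot: in the main.yml hunk, the new task runs with `become: true` and `become_flags: 'su - -c'` but sets no `become_user`, so unless one is set at play level the `~` in `path: ~/.ssh/config` is expanded for root and the task chmods /root/.ssh/config rather than the file the preceding blockinfile task writes for the invoking user; either add `become_user` for that user or use an absolute path built from `ansible_env.HOME`. Since `ansible.builtin.blockinfile` accepts the file `mode` argument, adding `mode: "0600"` to the existing task above would set the permission at creation and avoid the separate privileged step altogether.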
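Review bot: in the update_ssh_config_guestfs.py hunk, `os.chmod(ssh_config, 0o600)` after `sshconf.close()` leaves the file at the umask-derived mode (0664 in the report) from the moment it is written until the chmod runs; creating it restrictively closes that window, e.g. `fd = os.open(ssh_config, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` followed by `os.fchmod(fd, 0o600)` (O_CREAT's mode is not applied when the file already exists) and `os.fdopen(fd, "w")` for the write. Also confirm `os` is already imported in the script, since the hunk's context lines do not show it.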
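As an added example (not code from the kdevops patch or project), the permission rule quoted from man 5 ssh_config and the 0664 failure in the report, reproduced in Python: a check that judges a config file roughly as ssh does, and a writer that creates the file at 0600 rather than fixing it up afterwards. The file name and config contents are constructed.

```python
import os
import stat
import tempfile

# Added example, not part of the kdevops patch: mirrors the ownership and
# permission check OpenSSH applies to ~/.ssh/config and to every file an
# Include directive pulls in (man 5 ssh_config, FILES), and creates such a
# file with 0600 from the start instead of fixing it up after writing.

def ssh_config_is_secure(path):
    """Return (ok, reason) roughly the way ssh judges a client config file."""
    st = os.stat(path)
    # Must be owned by the user running ssh or by root.
    if st.st_uid not in (os.getuid(), 0):
        return False, "bad owner: uid %d" % st.st_uid
    # Must not be writable by group or others; ssh only tolerates group
    # write when the group holds just the user, so treat it as a failure
    # here (a umask of 002 is what produced the 0664 in the report).
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, "bad permissions: %o" % stat.S_IMODE(st.st_mode)
    return True, "ok"

def write_ssh_config(path, content):
    """Create or truncate an ssh config file that is never looser than 0600."""
    # O_CREAT's mode is applied (minus umask) only when the file is created,
    # so fchmod also repairs an existing file left behind with 0664.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.fchmod(fd, 0o600)
        os.write(fd, content.encode())
    finally:
        os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)

def demo():
    """Reproduce the 0664 failure from the report, then apply the fix."""
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "config_kdevops_example")  # constructed name
        with open(cfg, "w") as f:
            f.write("Host demo\n")
        os.chmod(cfg, 0o664)  # what the unpatched script left behind
        before = ssh_config_is_secure(cfg)[0]
        mode = write_ssh_config(cfg, "Host demo\n  HostName 192.0.2.10\n")
        after = ssh_config_is_secure(cfg)[0]
    return before, mode, after

if __name__ == "__main__":
    print(demo())
```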