[Bug 2052524] Re: INSECURE permissions for Ubuntu Netplan YAML on installer execution

Thomas Ward 2052524 at bugs.launchpad.net
Tue Feb 6 16:18:41 UTC 2024


** Description changed:

  Currently, the Subiquity installer for 22.04 and Server images creates
  00-installer-config.yaml in /etc/netplan/ with the permissions 644 and
  ownership by root:root.
  
  However, Ubuntu 22.04 now has version 0.106.1 backported via -updates
  pocket.  In netplan version 0.106.1, there is a requirement in the
  system that the permissions for netplan YAMLs are insecure, and that the
  files should not be readable by anyone.  To that effect, the only
  functionally acceptable permissions that DO NOT throw warnings are 600
  on the netplan YAML files.
  
  This is a bug in the Subiquity installer used for Server 22.04 and
  others.  This should likely be patched in Subiquity so that during the
  process of installation, Netplan required permissions are respected **on
  install** rather than allowing warnings to trigger after the fact and
  create extra noise.
  
  ---
  
- This is flagged as a Security issue because it is in effect CVE-266
+ This is flagged as a Security issue because it is in effect CWE-266
  (CWE-266: Incorrect Privilege Assignment) and should be considered a
  security flaw, even if it's low-grade.
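Review bot: with the identifier corrected, the changed sentence now reads "CWE-266 (CWE-266: Incorrect Privilege Assignment)", which repeats the ID inside its own parenthetical. Shortening the parenthetical to "(Incorrect Privilege Assignment)" would say the same thing once.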

** Description changed:

  Currently, the Subiquity installer for 22.04 and Server images creates
  00-installer-config.yaml in /etc/netplan/ with the permissions 644 and
  ownership by root:root.
  
  However, Ubuntu 22.04 now has version 0.106.1 backported via -updates
  pocket.  In netplan version 0.106.1, there is a requirement in the
- system that the permissions for netplan YAMLs are insecure, and that the
- files should not be readable by anyone.  To that effect, the only
- functionally acceptable permissions that DO NOT throw warnings are 600
- on the netplan YAML files.
+ system that the permissions for netplan YAMLs need to be more secure,
+ and that the files should not be readable by anyone.  To that effect,
+ the only functionally acceptable permissions that DO NOT throw warnings
+ are 600 on the netplan YAML files.
  
  This is a bug in the Subiquity installer used for Server 22.04 and
  others.  This should likely be patched in Subiquity so that during the
  process of installation, Netplan required permissions are respected **on
  install** rather than allowing warnings to trigger after the fact and
  create extra noise.
  
  ---
  
  This is flagged as a Security issue because it is in effect CWE-266
  (CWE-266: Incorrect Privilege Assignment) and should be considered a
  security flaw, even if it's low-grade.
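Review bot: the reworded line "+ and that the files should not be readable by anyone" still conflicts with the 600 mode named in the next added lines, since 600 leaves the file readable and writable by its owner (root:root per the first paragraph). Suggest "not readable by anyone other than the owner" so the requirement and the stated mode agree.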

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2052524

Title:
  INSECURE permissions for Ubuntu Netplan YAML on installer execution

Status in subiquity:
  Triaged

Bug description:
  Currently, the Subiquity installer for 22.04 and Server images creates
  00-installer-config.yaml in /etc/netplan/ with the permissions 644 and
  ownership by root:root.

  However, Ubuntu 22.04 now has version 0.106.1 backported via -updates
  pocket.  In netplan version 0.106.1, there is a requirement in the
  system that the permissions for netplan YAMLs need to be more secure,
  and that the files should not be readable by anyone.  To that effect,
  the only functionally acceptable permissions that DO NOT throw
  warnings are 600 on the netplan YAML files.

  This is a bug in the Subiquity installer used for Server 22.04 and
  others.  This should likely be patched in Subiquity so that during the
  process of installation, Netplan required permissions are respected
  **on install** rather than allowing warnings to trigger after the fact
  and create extra noise.

  ---

  This is flagged as a Security issue because it is in effect CWE-266
  (CWE-266: Incorrect Privilege Assignment) and should be considered a
  security flaw, even if it's low-grade.

To manage notifications about this bug go to:
https://bugs.launchpad.net/subiquity/+bug/2052524/+subscriptions
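
An added example, not part of the bug report and not Subiquity or netplan code: a shell check for the condition the description reports, listing netplan YAML files whose mode is anything other than 600 and optionally tightening them. It assumes GNU find and GNU stat as shipped on Ubuntu; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Subiquity or netplan code). Function names are hypothetical.
# Assumes GNU find and GNU stat, as shipped on Ubuntu.

NETPLAN_DIR="${NETPLAN_DIR:-/etc/netplan}"

# List every *.yaml directly under the directory whose mode is not exactly 600,
# the only mode the report says netplan 0.106.1 accepts without warnings.
# Output: one "MODE PATH" line per nonconforming file, sorted.
netplan_nonconforming() {
    find "${1:-$NETPLAN_DIR}" -maxdepth 1 -type f -name '*.yaml' \
        ! -perm 600 -exec stat -c '%a %n' {} + | sort
}

# Read-only audit: return 0 when every YAML file is mode 600, 1 otherwise.
# Findings go to stderr so the function can be used in a pipeline or cron job.
netplan_audit() {
    audit_dir="${1:-$NETPLAN_DIR}"
    audit_out="$(netplan_nonconforming "$audit_dir")"
    if [ -n "$audit_out" ]; then
        echo "netplan YAML files in $audit_dir not at mode 600:" >&2
        echo "$audit_out" >&2
        return 1
    fi
    return 0
}

# Remediation: set every nonconforming YAML file to 600.
# On a real system this needs root, since the files are owned by root:root.
netplan_fix() {
    find "${1:-$NETPLAN_DIR}" -maxdepth 1 -type f -name '*.yaml' \
        ! -perm 600 -exec chmod 600 {} +
}
```

Typical use is `netplan_audit || netplan_fix`, run as root against the default `/etc/netplan`, or with a directory argument to check a mounted install target before first boot.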



