[Bug 1904580] Re: Permissions 0644 for '/var/lib/nova/.ssh/id_rsa' are too open

James Page 1904580 at bugs.launchpad.net
Mon Jul 8 13:06:33 UTC 2024 

This bug was fixed in the package nova - 3:25.2.1-0ubuntu2.3~cloud0
---------------

 nova (3:25.2.1-0ubuntu2.3~cloud0) focal; urgency=medium
 .
   * SECURITY UPDATE for Ubuntu Cloud Archive. backport to focal.
 .
 nova (3:25.2.1-0ubuntu2.3) jammy-security; urgency=medium
 .
   * SECURITY UPDATE: Arbitrary file access via custom QCOW2 external data
     (LP: #2059809)
     - debian/patches/CVE-2024-32498-pre1.patch: consolidate
       create_cow_image and create_image.
     - debian/patches/CVE-2024-32498-1.patch: reject qcow files with
       data-file attributes.
     - debian/patches/CVE-2024-32498-2.patch: check images with
       format_inspector for safety.
     - debian/patches/CVE-2024-32498-3.patch: additional qemu safety
       checking on base images.
     - debian/patches/CVE-2024-32498-4.patch: fix vmdk_allowed_types
       checking.
     - CVE-2024-32498
 .
 nova (3:25.2.1-0ubuntu2) jammy; urgency=medium
 .
   * d/p/libvirt-remove-default-cputune-shares-value.patch:
     Enable launch of instances with more than 9 CPUs on Jammy
     (LP: #1978489).
 .
 nova (3:25.2.1-0ubuntu1) jammy; urgency=medium
 .
   * New stable point release for OpenStack Yoga (LP: #2037332).
 .
 nova (3:25.2.0-0ubuntu1) jammy; urgency=medium
 .
   * New stable point release for OpenStack Yoga (LP: #2025503).
   * d/p/CVE-2023-2088-*.patch: Dropped. Fixed in point release.
 .
 nova (3:25.1.1-0ubuntu1.1) jammy-security; urgency=medium
 .
   * SECURITY UPDATE: Unauthorized File Access (LP: #2021980)
     - debian/patches/CVE-2023-2088-1.patch: Use force=True for os-brick
       disconnect during delete.
     - debian/patches/CVE-2023-2088-2.patch: Enable use of service user
       token with admin context.
     - CVE-2023-2088
 .
 nova (3:25.1.1-0ubuntu1) jammy; urgency=medium
 .
   * New stable point release for OpenStack Yoga (LP: #2019759).
   * d/p/ignore-deleted-server-groups-in-validation.patch: Dropped. Fixed
     in stable point release.
 .
 nova (3:25.1.0-0ubuntu2.2) jammy-security; urgency=medium
 .
   * SECURITY REGRESSION: Regressions in other projects (LP: #2020111)
     - debian/patches/series: Do not apply CVE-2023-2088.patch until
       patches are ready for all upstream OpenStack projects.
     - CVE-2023-2088
 .
 nova (3:25.1.0-0ubuntu2.1) jammy-security; urgency=medium
 .
   * SECURITY UPDATE: Unauthorized File Access
     - debian/patches/CVE-2023-2088.patch: Use force=True for os-brick
       disconnect during delete.
     - CVE-2023-2088
 .
 nova (3:25.1.0-0ubuntu2) jammy; urgency=medium
 .
   * Backport fix to ignore deleted server groups (LP: #1890244)
     d/p/ignore-deleted-server-groups-in-validation.patch
 .
 nova (3:25.1.0-0ubuntu1) jammy; urgency=medium
 .
   * New stable point release for OpenStack Yoga (LP: #2004030).
 .
 nova (3:25.0.1-0ubuntu1) jammy; urgency=medium
 .
   * New stable point release for OpenStack Yoga (LP: #1980369).
 .
 nova (3:25.0.0-0ubuntu1.1) jammy; urgency=medium
 .
   [ Corey Bryant ]
   * d/gbp.conf: Create stable/yoga branch.
 .
   [ Felipe Reyes ]
   * d/nova-common.postinst: Don't change file permissions under
     /var/lib/nova/.ssh (LP: #1904580).
 .
 nova (3:25.0.0-0ubuntu1) jammy; urgency=medium
 .
   * d/watch: Scope to 25.x series
   * New upstream release for OpenStack Yoga.
 .
 nova (3:24.0.0+git2022030310.3f274c65cc-0ubuntu2) jammy; urgency=medium
 .
   * d/control: Drop min version of python3-testtools to 2.4.0.
 .
 nova (3:24.0.0+git2022030310.3f274c65cc-0ubuntu1) jammy; urgency=medium
 .
   * New upstream snapshot for OpenStack Yoga.
   * d/control: Align (Build-)Depends with upstream.
 .
 nova (3:24.0.0+git2022011217.ea3945f71c-0ubuntu1) jammy; urgency=medium
 .
   * New upstream snapshot for OpenStack Yoga.
   * d/control, d/rules: Bump debhelper compat to 13.
 .
 nova (3:24.0.0+git2021120815.755aa11e0c-0ubuntu1) jammy; urgency=medium
 .
   * New upstream snapshot for OpenStack Yoga.
   * d/control: Align (Build-)Depends with upstream.
 .
 nova (3:24.0.0-0ubuntu1) impish; urgency=medium
 .
   * d/watch: Scope to 24.x series
   * New upstream release for OpenStack Xena.
 .
 nova (3:23.0.2+git2021090912.edaaa97d99-0ubuntu1) impish; urgency=medium
 .
   * New upstream snapshot for OpenStack Xena.
   * d/control: Align (Build-)Depends with upstream.
   * d/p/arm-console-patch.patch: Rebased.
 .
 nova (3:23.0.2+git2021072117.3545356ae3-0ubuntu1) impish; urgency=medium
 .
   * New upstream snapshot for OpenStack Xena.
   * d/control: Align (Build-)Depends with upstream.
 .
 nova (3:23.0.1+git2021061405.052cf96358-0ubuntu2) impish; urgency=medium
 .
   * d/nova-compute-ironic.conf: Use the correct compute_driver for
     ironic (LP: #1934533).
   * d/t/nova-compute-daemons: Add nova-compute-ironic to test.
 .
 nova (3:23.0.1+git2021061405.052cf96358-0ubuntu1) impish; urgency=medium
 .
   * New upstream snapshot for OpenStack Xena.
   * d/control: Align (Build-)Depends with upstream.
 .
 nova (3:23.0.0-0ubuntu1) hirsute; urgency=medium
 .
   * New upstream release for OpenStack Wallaby.
 .
 nova (3:23.0.0~rc2-0ubuntu1) hirsute; urgency=medium
 .
   * New upstream release candidate for OpenStack Wallaby.
   * d/control: Align (Build-)Depends with upstream.
 .
 nova (3:23.0.0~rc1-0ubuntu1) hirsute; urgency=medium
 .
   * d/control: Remove unnecessary dh-systemd Build-Depend
   * d/watch: Scope to 23.x series
   * New upstream release candidate for OpenStack Wallaby.
   * d/control: Align (Build-)Depends with upstream.
 .
 nova (3:22.1.0+git2021030407.0226f9dd63-0ubuntu1) hirsute; urgency=medium
 .
   * New upstream snapshot for OpenStack Wallaby.
   * d/control: Align (Build-)Depends with upstream.
 .
 nova (3:22.0.1+git2021012713.d92c0740c6-0ubuntu1) hirsute; urgency=medium
 .
   [ Corey Bryant ]
   * d/control: Drop mox3 inline with upstream.
 .
   [ Chris MacNaughton ]
   * New upstream snapshot for OpenStack Wallaby.
   * d/control: Align (Build-)Depends with upstream.
   * d/p/arm-console-patch.patch: Refreshed.
 .
 nova (3:22.0.1+git2020121010.3a6c1cbc3a-0ubuntu1) hirsute; urgency=medium
 .
   * Increment epoch to align with new snapshot plan.
   * New upstream snapshot for OpenStack Wallaby.
 .
 nova (2:23.0.0~b1~git2020120312.f0efcae697-0ubuntu2) hirsute; urgency=medium
 .
   * New upstream snapshot for OpenStack Wallaby.
   * d/control: Align (Build-)Depends with upstream.
 .
 nova (2:22.0.0-0ubuntu1) groovy; urgency=medium
 .
   * New upstream release for OpenStack Victoria.
 .
 nova (2:22.0.0~rc1-0ubuntu1) groovy; urgency=medium
 .
   [ Chris MacNaughton ]
   * d/control: Update VCS paths for move to lp:~ubuntu-openstack-dev.
   * d/watch: Scope to 22.x series.
 .
   [ Corey Bryant ]
   * New upstream release candidate for OpenStack Victoria.
   * d/control: Align (Build-)Depends with upstream.
 .
 nova (2:22.0.0~b3~git2020091410.76b2fbd90e-0ubuntu3) groovy; urgency=medium
 .
   * d/nova-compute-libvirt.postinst: Ensure libvirt-qemu user is removed
     from nova group on package upgrade (LP: #1896617).
 .
 nova (2:22.0.0~b3~git2020091410.76b2fbd90e-0ubuntu2) groovy; urgency=medium
 .
   * d/nova-compute-libvirt.postinst: Drop libvirt-qemu user from nova group.
     This is no longer needed with recent /var/lib/nova permission changes and
     causes live snapshots to fail (LP: #1896617).
 .
 nova (2:22.0.0~b3~git2020091410.76b2fbd90e-0ubuntu1) groovy; urgency=medium
 .
   * New upstream snapshot for OpenStack Victoria.
   * d/control: Align (Build-)Depends with upstream.
 .
 nova (2:22.0.0~b2~git2020073014.2f3a380c3c-0ubuntu2) groovy; urgency=medium
 .
   [ Chris MacNaughton ]
   * d/control: Remove Breaks/Replaces that are older than Focal (LP: #1878419).
 .
   [ Corey Bryant ]
   * d/control, d/nova-compute-ironic.conf, d/rules: Add nova-compute-ironic
     binary package.
 .
 nova (2:22.0.0~b2~git2020073014.2f3a380c3c-0ubuntu1) groovy; urgency=medium
 .
   * New upstream snapshot for OpenStack Victoria.
   * d/control: Drop min version of openstack-pkg-tools.
   * d/control: Update Standards-Version to 4.5.0.
 .
 nova (2:22.0.0~b1~git2020070713.bc784a1c1f-0ubuntu1) groovy; urgency=medium
 .
   * New upstream snapshot for OpenStack Victoria.
   * d/control: Align (Build-)Depends with upstream.
   * d/p/add-mysql8-compatibility.patch: Removed. Change landed upstream.
   * d/p/arm-console-patch.patch: Refreshed.
   * d/p/drop-sphinxcontrib-rsvgconverter.patch: Refreshed

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/1904580

Title:
  Permissions 0644 for '/var/lib/nova/.ssh/id_rsa' are too open

Status in OpenStack Nova Compute Charm:
  Invalid
Status in Ubuntu Cloud Archive:
  Fix Released
Status in Ubuntu Cloud Archive ussuri series:
  Fix Released
Status in Ubuntu Cloud Archive victoria series:
  Fix Released
Status in Ubuntu Cloud Archive wallaby series:
  Fix Released
Status in Ubuntu Cloud Archive xena series:
  Fix Released
Status in Ubuntu Cloud Archive yoga series:
  Fix Released
Status in Ubuntu Cloud Archive zed series:
  Fix Released
Status in nova package in Ubuntu:
  Fix Released
Status in nova source package in Focal:
  Fix Released
Status in nova source package in Impish:
  Won't Fix
Status in nova source package in Jammy:
  Fix Released
Status in nova source package in Kinetic:
  Fix Released

Bug description:
  [Impact]
  Charm revision: 320
  Cloud: bionic-ussuri

  Permissions 0644 for '/var/lib/nova/.ssh/id_rsa' are too open.
  Load key "/var/lib/nova/.ssh/id_rsa": bad permissions
  nova at 10.35.80.49: Permission denied (publickey).

  This was preventing nova resizing:

  /var/log/nova/nova-compute.log:2020-11-17 13:14:42.210 100221 ERROR
  oslo_messaging.rpc.server Command: ssh -o BatchMode=yes 10.35.80.49
  mkdir -p /var/lib/nova/instances/39caee98-b81c-4cef-9810-815f2ecf1fc4

  Manually setting to 0600 fixed the issue.

  Note (coreycb): It's important to note that /var/lib/nova/.ssh/ and
  files contained in that directory are not created by the package.
  Therefore the package should avoid changing permissions for this
  directory.

  [Test Case]
  Install a previous version of the nova-common package.
  Setup ssh as described here (at least the creation of /var/lib/nova/.ssh/ files and chmod accordingly): https://docs.openstack.org/nova/pike/admin/ssh-configuration.html
  Upgrade to the patched version of nova-common and confirm the /var/lib/nova/.ssh/ directory/file modes haven't changed.

  [Regression Potential]
  This is actually fixing a regression that was introduced to the package when we introduced the postinst code that does a blanket chmod to all of /var/lib/nova/. Assuming the test case above passes, I can't see any way for this to cause another regression.

To manage notifications about this bug go to:
https://bugs.launchpad.net/charm-nova-compute/+bug/1904580/+subscriptions

More information about the Ubuntu-openstack-bugs mailing list