Page MenuHomeVyOS Platform
Create Task
Maniphest T2713

VyOS must not change permissions on files in /config/auth
Closed, ResolvedPublicBUG
Actions

Description

/config/auth is the location where sensitive private data is stored such as VPN private keys. I was very careful when setting up my keys inside /config/auth to ensure private keys were chowned and chmodded so that they were readable just by root, the vyattacfg group (necessary in order for the config scripts to verify correct key format) and not other-readable. I was very surprised today to find that during some process (possibly upgrading through 'add system image') all the files and directories in /config were changed to root:vyattacfg and mode 775. Not only is this very bad in terms of security as it exposes all keys in /auth to all users and processes on the system, it's also technically wrong as files shouldn't be executable unless they're executable programs or scripts. Files should be 660 or 664 at most.

It's very likely that either 'add system image' does a 'cp' without '-a', or something does a 'chown -R root:vyattacfg; chmod -R 775'.

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Internal change (not visible to end users)

Event Timeline

jjakob triaged this task as High priority.Jul 19 2020, 11:49 AM
jjakob created this task.
jjakob created this object in space S1 VyOS Public.
jack9603301 added a subscriber: jack9603301.Jul 19 2020, 12:05 PM
pasik added a subscriber: pasik.Jul 20 2020, 6:41 PM
syncer changed the subtype of this task from "Task" to "Bug".Sep 18 2020, 8:13 PM
Viacheslav added a subscriber: Viacheslav.Oct 15 2020, 12:03 PM

I can confirm.
It happens after update procedure.

Before update

vyos@r4-roll:~$ ls -la  /config/auth/
total 12
drwxrwsr-x 2 root vyattacfg 4096 Oct 15 14:42 .
drwxrwsr-x 8 root vyattacfg 4096 Oct 15 14:41 ..
-rw------- 1 root vyattacfg  636 Oct 15 14:42 foo.key

After update

vyos@r4-roll:~$ sudo ls -la /config/auth/
total 12
drwxrwsr-x 2 root vyattacfg 4096 Oct 15 14:42 .
drwxrwxr-x 8 root vyattacfg 4096 Oct 15 15:00 ..
-rwxrwxr-x 1 root vyattacfg  636 Oct 15 14:42 foo.key
Viacheslav added a comment.Nov 27 2020, 9:09 AM

This probably happens at this stage.
https://github.com/vyos/vyatta-cfg-system/blob/current/scripts/install/install-image-existing#L217-L224

Viacheslav added a comment.Nov 27 2020, 3:00 PM

PR https://github.com/vyos/vyatta-cfg-system/pull/132

Original files and update

root@r5:/home/vyos# ls -la /config/auth/ovpn/
total 40
drwxrwsr-x 2 root vyattacfg 4096 Nov 23 19:16 .
drwxrwsr-x 3 root vyattacfg 4096 Nov 23 19:16 ..
-rw------- 1 root vyattacfg 4493 Nov 23 19:16 branch1.crt
-rw------- 1 root vyattacfg 1704 Nov 23 19:16 branch1.key
-rw------- 1 root vyattacfg 1204 Nov 23 19:16 ca.crt
-rw------- 1 root vyattacfg 4614 Nov 23 19:16 central.crt
-rw------- 1 root vyattacfg 1708 Nov 23 19:16 central.key
-rw------- 1 root vyattacfg  424 Nov 23 19:16 dh.pem

vyos@r5:~$ add system image https://downloads.vyos.io/rolling/current/amd64/vyos-rolling-latest.iso
Trying to fetch ISO file from https://downloads.vyos.io/rolling/current/amd64/vyos-rolling-latest.iso
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current

Permissions after update

vyos@r5:~$ sudo ls -la /config/auth/ovpn/
total 40
drwxrwsr-x 2 root vyattacfg 4096 Nov 23 19:16 .
drwxrwsr-x 3 root vyattacfg 4096 Nov 23 19:16 ..
-rw------- 1 root vyattacfg 4493 Nov 23 19:16 branch1.crt
-rw------- 1 root vyattacfg 1704 Nov 23 19:16 branch1.key
-rw------- 1 root vyattacfg 1204 Nov 23 19:16 ca.crt
-rw------- 1 root vyattacfg 4614 Nov 23 19:16 central.crt
-rw------- 1 root vyattacfg 1708 Nov 23 19:16 central.key
-rw------- 1 root vyattacfg  424 Nov 23 19:16 dh.pem
vyos@r5:~$
Viacheslav added a comment.Nov 28 2020, 10:41 AM

@jjakob can you check the latest rolling?

Viacheslav added a comment.Dec 1 2020, 8:28 AM

Fixed.

Before update

vyos@r4:~$ ls -la /config/auth/
total 20
drwxrwsr-x 3 root vyattacfg 4096 Dec  1 10:19 .
drwxrwsr-x 8 root vyattacfg 4096 Nov 30 17:41 ..
-rw------- 1 root vyattacfg  636 Dec  1 10:19 bar.key
-rw------- 1 root vyattacfg  636 Dec  1 10:19 foo.key
drwxr-s--- 3 root vyattacfg 4096 Dec  1 10:19 wireguard
vyos@r4:~$ ls -la /config/auth/wireguard/
total 12
drwxr-s--- 3 root vyattacfg 4096 Dec  1 10:19 .
drwxrwsr-x 3 root vyattacfg 4096 Dec  1 10:19 ..
drwxr-s--- 2 root vyattacfg 4096 Dec  1 10:19 default
vyos@r4:~$

After

vyos@r4:~$ ls -la /config/auth/
total 20
drwxrwsr-x 3 root vyattacfg 4096 Dec  1 10:19 .
drwxrwxr-x 8 root vyattacfg 4096 Dec  1 10:22 ..
-rw------- 1 root vyattacfg  636 Dec  1 10:19 bar.key
-rw------- 1 root vyattacfg  636 Dec  1 10:19 foo.key
drwxr-s--- 3 root vyattacfg 4096 Dec  1 10:19 wireguard
vyos@r4:~$ 
vyos@r4:~$ ls -la /config/auth/wireguard/
total 12
drwxr-s--- 3 root vyattacfg 4096 Dec  1 10:19 .
drwxrwsr-x 3 root vyattacfg 4096 Dec  1 10:19 ..
drwxr-s--- 2 root vyattacfg 4096 Dec  1 10:19 default
vyos@r4:~$

I do not have sufficient rights to close this task.

c-po closed this task as Resolved.Dec 1 2020, 1:22 PM
c-po assigned this task to Viacheslav.
erkin set Issue type to Internal change (not visible to end users).Aug 29 2021, 1:48 PM
erkin removed a subscriber: Active contributors.
syncer moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board.Nov 6 2021, 12:21 PM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.0); removed VyOS 1.3 Equuleus.Aug 29 2022, 12:16 PM
syncer moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.0) board.