Page MenuHomeVyOS Platform

VyOS must not change permissions on files in /config/auth
Closed, ResolvedPublicBUG

Description

/config/auth is the location where sensitive private data is stored such as VPN private keys. I was very careful when setting up my keys inside /config/auth to ensure private keys were chowned and chmodded so that they were readable just by root, the vyattacfg group (necessary in order for the config scripts to verify correct key format) and not other-readable. I was very surprised today to find that during some process (possibly upgrading through 'add system image') all the files and directories in /config were changed to root:vyattacfg and mode 775. Not only is this very bad in terms of security as it exposes all keys in /auth to all users and processes on the system, it's also technically wrong as files shouldn't be executable unless they're executable programs or scripts. Files should be 660 or 664 at most.

It's very likely that either 'add system image' does a 'cp' without '-a', or something does a 'chown -R root:vyattacfg; chmod -R 775'.

Details

Version
-
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Internal change (not visible to end users)

Event Timeline

jjakob triaged this task as High priority.
jjakob created this object in space S1 VyOS Public.
syncer changed the subtype of this task from "Task" to "Bug".Sep 18 2020, 8:13 PM

I can confirm.
It happens after update procedure.

Before update

vyos@r4-roll:~$ ls -la  /config/auth/
total 12
drwxrwsr-x 2 root vyattacfg 4096 Oct 15 14:42 .
drwxrwsr-x 8 root vyattacfg 4096 Oct 15 14:41 ..
-rw------- 1 root vyattacfg  636 Oct 15 14:42 foo.key

After update

vyos@r4-roll:~$ sudo ls -la /config/auth/
total 12
drwxrwsr-x 2 root vyattacfg 4096 Oct 15 14:42 .
drwxrwxr-x 8 root vyattacfg 4096 Oct 15 15:00 ..
-rwxrwxr-x 1 root vyattacfg  636 Oct 15 14:42 foo.key

PR https://github.com/vyos/vyatta-cfg-system/pull/132

Original files and update

root@r5:/home/vyos# ls -la /config/auth/ovpn/
total 40
drwxrwsr-x 2 root vyattacfg 4096 Nov 23 19:16 .
drwxrwsr-x 3 root vyattacfg 4096 Nov 23 19:16 ..
-rw------- 1 root vyattacfg 4493 Nov 23 19:16 branch1.crt
-rw------- 1 root vyattacfg 1704 Nov 23 19:16 branch1.key
-rw------- 1 root vyattacfg 1204 Nov 23 19:16 ca.crt
-rw------- 1 root vyattacfg 4614 Nov 23 19:16 central.crt
-rw------- 1 root vyattacfg 1708 Nov 23 19:16 central.key
-rw------- 1 root vyattacfg  424 Nov 23 19:16 dh.pem

vyos@r5:~$ add system image https://downloads.vyos.io/rolling/current/amd64/vyos-rolling-latest.iso
Trying to fetch ISO file from https://downloads.vyos.io/rolling/current/amd64/vyos-rolling-latest.iso
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current

Permissions after update

vyos@r5:~$ sudo ls -la /config/auth/ovpn/
total 40
drwxrwsr-x 2 root vyattacfg 4096 Nov 23 19:16 .
drwxrwsr-x 3 root vyattacfg 4096 Nov 23 19:16 ..
-rw------- 1 root vyattacfg 4493 Nov 23 19:16 branch1.crt
-rw------- 1 root vyattacfg 1704 Nov 23 19:16 branch1.key
-rw------- 1 root vyattacfg 1204 Nov 23 19:16 ca.crt
-rw------- 1 root vyattacfg 4614 Nov 23 19:16 central.crt
-rw------- 1 root vyattacfg 1708 Nov 23 19:16 central.key
-rw------- 1 root vyattacfg  424 Nov 23 19:16 dh.pem
vyos@r5:~$

Fixed.

Before update

vyos@r4:~$ ls -la /config/auth/
total 20
drwxrwsr-x 3 root vyattacfg 4096 Dec  1 10:19 .
drwxrwsr-x 8 root vyattacfg 4096 Nov 30 17:41 ..
-rw------- 1 root vyattacfg  636 Dec  1 10:19 bar.key
-rw------- 1 root vyattacfg  636 Dec  1 10:19 foo.key
drwxr-s--- 3 root vyattacfg 4096 Dec  1 10:19 wireguard
vyos@r4:~$ ls -la /config/auth/wireguard/
total 12
drwxr-s--- 3 root vyattacfg 4096 Dec  1 10:19 .
drwxrwsr-x 3 root vyattacfg 4096 Dec  1 10:19 ..
drwxr-s--- 2 root vyattacfg 4096 Dec  1 10:19 default
vyos@r4:~$

After

vyos@r4:~$ ls -la /config/auth/
total 20
drwxrwsr-x 3 root vyattacfg 4096 Dec  1 10:19 .
drwxrwxr-x 8 root vyattacfg 4096 Dec  1 10:22 ..
-rw------- 1 root vyattacfg  636 Dec  1 10:19 bar.key
-rw------- 1 root vyattacfg  636 Dec  1 10:19 foo.key
drwxr-s--- 3 root vyattacfg 4096 Dec  1 10:19 wireguard
vyos@r4:~$ 
vyos@r4:~$ ls -la /config/auth/wireguard/
total 12
drwxr-s--- 3 root vyattacfg 4096 Dec  1 10:19 .
drwxrwsr-x 3 root vyattacfg 4096 Dec  1 10:19 ..
drwxr-s--- 2 root vyattacfg 4096 Dec  1 10:19 default
vyos@r4:~$

I do not have sufficient rights to close this task.

c-po assigned this task to Viacheslav.
erkin set Issue type to Internal change (not visible to end users).Aug 29 2021, 1:48 PM
erkin removed a subscriber: Global Notifications.