
[BUG] pkgrepo.managed saves keys in /usr/share/keyrings/ with too restrictive permissions on hardened systems.

Open · sscotter opened this issue 1 year ago · 1 comment

Description

When adding a repo using pkgrepo.managed, the keys are saved in /usr/share/keyrings/ with too restrictive permissions on systems hardened with a default UMASK of 077.

Setup

(Please provide relevant configs and/or SLS files. Be sure to remove sensitive info. There is no general set-up of Salt.) Please be as specific as possible and give set-up details.

  • [ X ] on-prem machine
  • [ X ] VM (VMWare)
  • [ ] VM running on a cloud service, please be explicit and add details
  • [ ] container (Kubernetes, Docker, containerd, etc. please specify)
  • [ ] or a combination, please be explicit
  • [ ] jails if it is FreeBSD
  • [ ] classic packaging
  • [ X ] onedir packaging
  • [ ] used bootstrap to install

Steps to Reproduce the behavior

I'm using the Microsoft Defender repo in my examples below, but it happens with all repos we add.

Hardened the environment by adding the following to /etc/login.defs:

UMASK 077

Unclear if a restart of the salt-minion and/or reboot of the system is required to take effect.

Execute a state file containing the following...

install_mdatp_repo:
  pkgrepo.managed:
    - aptkey: False
    - humanname: Microsoft Defender Repository
    - name: deb [arch=amd64,armhf,arm64 signed-by=/usr/share/keyrings/microsoft.gpg] https://packages.microsoft.com/{{ grains['os'] | lower }}/{{ grains['lsb_distrib_release'] }}/prod {{ grains['oscodename'] | lower }} main
    - dist: {{ grains['oscodename'] | lower }}
    - file: /etc/apt/sources.list.d/microsoft-prod.list
    - key_url: https://packages.microsoft.com/keys/microsoft.asc
    - refresh: true
    - refresh_db: true

This results in (among other things) two files being generated...

# ll /etc/apt/sources.list.d/microsoft-prod.list
-rw------- 1 root root 133 Jul 19 14:55 /etc/apt/sources.list.d/microsoft-prod.list

# ll /usr/share/keyrings/microsoft.gpg
-rw------- 1 root root 641 Jul 19 14:55 /usr/share/keyrings/microsoft.gpg

The restrictive permissions on /etc/apt/sources.list.d/microsoft-prod.list don't seem to cause any problems. I've been unable to find any recommended permissions for source files.

However, the restrictive permissions on /usr/share/keyrings/microsoft.gpg cause apt-get update to fail with the error...

Err:X https://packages.microsoft.com/ubuntu/22.04/prod jammy InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY EB3E94ADBE1229CF

https://manpages.ubuntu.com/manpages/noble/en/man5/sources.list.5.html states that ...

keyring files have to be accessible and readable for the _apt system user, so ensure everyone has read-permissions on the file

Once I manually grant read access to the key for all users (chmod a+r /usr/share/keyrings/microsoft.gpg), I'm able to run apt-get update without any errors:

# ll /usr/share/keyrings/microsoft.gpg
-rw-r--r-- 1 root root 641 Jul 19 14:55 /usr/share/keyrings/microsoft.gpg

Expected behaviour

Create key files with world-readable permissions.

# ll /usr/share/keyrings/microsoft.gpg
-rw-r--r-- 1 root root 641 Jul 19 14:55 /usr/share/keyrings/microsoft.gpg

Versions Report

salt --versions-report

Salt Version:
          Salt: 3007.1

Python Version:
        Python: 3.10.14 (main, Apr  3 2024, 21:30:09) [GCC 11.2.0]

Dependency Versions:
          cffi: 1.16.0
      cherrypy: 18.8.0
      dateutil: 2.8.2
     docker-py: Not Installed
         gitdb: Not Installed
     gitpython: Not Installed
        Jinja2: 3.1.4
       libgit2: Not Installed
  looseversion: 1.3.0
      M2Crypto: Not Installed
          Mako: Not Installed
       msgpack: 1.0.7
  msgpack-pure: Not Installed
  mysql-python: Not Installed
     packaging: 23.1
     pycparser: 2.21
      pycrypto: Not Installed
  pycryptodome: 3.19.1
        pygit2: Not Installed
  python-gnupg: 0.5.2
        PyYAML: 6.0.1
         PyZMQ: 25.1.2
        relenv: 0.16.0
         smmap: Not Installed
       timelib: 0.3.0
       Tornado: 6.3.3
           ZMQ: 4.3.4

Salt Package Information:
  Package Type: onedir

System Versions:
          dist: ubuntu 22.04.4 jammy
        locale: utf-8
       machine: x86_64
       release: 5.15.0-116-generic
        system: Linux
       version: Ubuntu 22.04.4 jammy

sscotter, Jul 19 '24 14:07
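The mechanism behind the report, as an added example that is not part of the original issue and not Salt's own pkgrepo code: a file created by a plain open() gets mode 0666 masked by the process umask, so under UMASK 077 the keyring lands as 0600 and the unprivileged _apt user cannot read it. The second writer sets the mode explicitly after writing, which makes the result independent of whatever umask the minion inherited from /etc/login.defs. The key bytes, file names and the KEYRING_MODE constant are constructed for the demonstration.

```python
import os
import stat
import tempfile

# Constructed stand-in for the downloaded ASCII-armored key (not a real key).
SAMPLE_KEY = (
    b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n"
    b"...\n"
    b"-----END PGP PUBLIC KEY BLOCK-----\n"
)

# Assumed target mode: owner read/write, world-readable, which is what the
# sources.list(5) text quoted in the issue requires for the _apt user.
KEYRING_MODE = 0o644


def write_key_umask_dependent(path: str, data: bytes) -> int:
    """Write the key the naive way. open() creates the file with 0o666 masked
    by the current umask, so under UMASK 077 the result is 0o600.
    Returns the resulting permission bits."""
    with open(path, "wb") as fh:
        fh.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)


def write_key_world_readable(path: str, data: bytes, mode: int = KEYRING_MODE) -> int:
    """Write the key, then set the mode explicitly so the outcome does not
    depend on the caller's umask. fchmod on the open descriptor avoids a
    window in which the file exists with the wrong mode after close().
    Returns the resulting permission bits."""
    with open(path, "wb") as fh:
        fh.write(data)
        fh.flush()
        os.fchmod(fh.fileno(), mode)
    return stat.S_IMODE(os.stat(path).st_mode)


def readable_by_others(path: str) -> bool:
    """True if the world-read bit is set, i.e. a non-owner such as _apt can read it."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def demo(umask: int = 0o077) -> dict:
    """Write a key both ways under the given umask and report the modes.
    The umask is restored afterwards because it is process-wide state."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            naive = os.path.join(d, "naive.gpg")
            fixed = os.path.join(d, "fixed.gpg")
            return {
                "naive_mode": write_key_umask_dependent(naive, SAMPLE_KEY),
                "naive_readable_by_apt": readable_by_others(naive),
                "fixed_mode": write_key_world_readable(fixed, SAMPLE_KEY),
                "fixed_readable_by_apt": readable_by_others(fixed),
            }
    finally:
        os.umask(old)


if __name__ == "__main__":
    for um in (0o022, 0o077):
        print(f"umask {um:03o}: {demo(um)}")
```

Until the module sets the mode itself, the same effect can be had from the state side by following the pkgrepo.managed state with a file.managed state on /usr/share/keyrings/microsoft.gpg that sets mode: 644 (and leaves replace off), which is what the manual chmod a+r in the report does by hand.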

Hi there! Welcome to the Salt Community! Thank you for making your first contribution. We have a lengthy process for issues and PRs. Someone from the Core Team will follow up as soon as possible. In the meantime, here’s some information that may help as you continue your Salt journey. Please be sure to review our Code of Conduct. Also, check out some of our community resources including:

There are lots of ways to get involved in our community. Every month, there are around a dozen opportunities to meet with other contributors and the Salt Core team and collaborate in real time. The best way to keep track is by subscribing to the Salt Community Events Calendar. If you have additional questions, email us at [email protected]. We’re glad you’ve joined our community and look forward to doing awesome things with you!

welcome[bot], Jul 19 '24 14:07