I am using the Fedora-Cloud-Base-Vagrant-libvirt vagrant box from https://download.fedoraproject.org/pub/fedora/linux/releases/40/Cloud/x86_64/images/Fedora-Cloud-Base-Vagrant-libvirt.x86_64-40-1.14.vagrant.libvirt.box
With this box, the / directory has wrong permissions and this breaks ssh authentication when IPA is installed (see https://pagure.io/freeipa/issue/9607). IPA client configures /etc/ssh/sshd_config/04-ipa.conf with AuthorizedKeysCommand = "/usr/bin/sss_ssh_authorizedkeys" and this requires all directories containing the executable to be not writable by group or others. From the man page of sshd_config:
`AuthorizedKeysCommand = "/usr/bin/sss_ssh_authorizedkeys"`

> AuthorizedKeysCommand
> Specifies a program to be used to look up the user's public keys. The program must be owned by root, not writable by group or others and specified by an absolute path.
With the vagrant image, / is writable by group:
```
[vagrant@localhost ~]$ ls -ld /
drwxrwxr-x. 1 root root 226 Jun 25 09:38 /
```
The Fedora 39 box (and previous versions) did not show this issue; they had / with rwxr-xr-x permissions.
Can you update the box so that / is not writable by group or other?
Metadata Update from @davdunc: - Issue assigned to davdunc
I will update the box.
Metadata Update from @davdunc: - Issue tagged with: meeting
Going to get some advice from @schaefi about this with @ngompa.
ping @osinside
Hmm, the permission bits of (/) are set by the code that creates the new root dir. In kiwi this looks like this:
```python
build_dir = os.sep.join([abs_target_dir_path, 'build'])
image_root = os.sep.join([build_dir, 'image-root'])
Path.create(build_dir)
```
Path.create is implemented as
```python
if not os.path.exists(path):
    Command.run(
        ['mkdir', '-p', path]
    )
```
This means in the log of the build you should see that mkdir call and the respective permission bits are defined by the umask settings of the build host.
My first guess is that the host configuration causes the permissions to be set as you see them.
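Two things come together in this ticket: the sshd rule that every directory above the `AuthorizedKeysCommand` binary must be root-owned and not group/other-writable, and the kiwi `mkdir -p` call that inherits the build host's umask. The following is an added example (not code from the box, kiwi or sshd) that reproduces both: a path walk in the spirit of sshd's check, run against a constructed stat layout mirroring the report, and a measurement of what `mkdir -p` produces under umask 002 versus 022. `FakeStat`, `FEDORA40_BOX` and `FIXED_BOX` are constructed sample data, not values read from the image.

```python
import os
import stat
import tempfile
from collections import namedtuple
from pathlib import PurePosixPath

GROUP_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def unsafe_components(path, stat_fn=os.stat):
    """Walk from / down to `path` and report every component sshd would reject
    for AuthorizedKeysCommand: not owned by root, or writable by group/others.
    `stat_fn` defaults to os.stat; pass a lookup into a constructed layout to
    check an image description offline."""
    p = PurePosixPath(path)
    if not p.is_absolute():
        raise ValueError("AuthorizedKeysCommand must be an absolute path")
    problems = []
    for component in reversed([p, *p.parents]):  # '/', '/usr', '/usr/bin', ...
        st = stat_fn(str(component))
        if st.st_uid != 0:
            problems.append((str(component), "not owned by root"))
        if st.st_mode & GROUP_OTHER_WRITE:
            problems.append((str(component), "writable by group or others"))
    return problems


# Constructed sample mirroring the report: '/' is drwxrwxr-x, the rest is a
# normal root-owned 0755 tree. (Hypothetical data, not read from the box.)
FakeStat = namedtuple("FakeStat", "st_mode st_uid")
FEDORA40_BOX = {
    "/": FakeStat(stat.S_IFDIR | 0o775, 0),
    "/usr": FakeStat(stat.S_IFDIR | 0o755, 0),
    "/usr/bin": FakeStat(stat.S_IFDIR | 0o755, 0),
    "/usr/bin/sss_ssh_authorizedkeys": FakeStat(stat.S_IFREG | 0o755, 0),
}
FIXED_BOX = {**FEDORA40_BOX, "/": FakeStat(stat.S_IFDIR | 0o755, 0)}


def mkdir_mode_under_umask(umask):
    """Kiwi side: a 'mkdir -p' equivalent (os.makedirs) creates the image root
    as 0777 masked by the build host's umask, so umask 002 yields 0775
    (group-writable) while the usual 022 yields 0755."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            image_root = os.path.join(tmp, "build", "image-root")
            os.makedirs(image_root)
            return stat.S_IMODE(os.stat(image_root).st_mode)
    finally:
        os.umask(old)
```

Running `unsafe_components("/usr/bin/sss_ssh_authorizedkeys")` with the default `os.stat` on a booted box gives the same verdict sshd applies when it loads the IPA drop-in.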
@davdunc and @ngompa are working on this upstream. Actioned in the Aug 29, 2024 Cloud WG Matrix meeting.
Removing the meeting tag, but I need @ngompa to confirm this was fixed in a recent update.