Insecure key file permissions

The secret_key file is created when python manage.py collectstatic is run, it seems.

We have two packages that run this command in postinst: openstack-dashboard-ubuntu-theme and openstack-dashboard. In this scenario, -ubuntu-theme is installed first. It runs that command in postinst, the file is created, and apparently with the incorrect permissions: 0644

Then openstack-dashboard runs it again, and this time the secret_key file already exists, and it complains about the incorrect permissions.

Status changed to 'Confirmed' because the bug affects multiple users.

I don't think the ordering of the package installs are important. They run the same command. The problem seem to be that the code that creates the secret key doesn't create it with the right permissions. The current code in horizon/utils/secret_key.py does this:

            old_umask = os.umask(0o177) # Use '0600' file permissions
            with open(key_file, 'w') as f:
                f.write(key)
            os.umask(old_umask)

That doesn't work on the systems we're installing to. It works if I change the code to:

            with open(key_file, 'w') as f:
                os.chmod(key_file, 0o600)
                f.write(key)

Of course the problem isn't that it is run twice :) I said above that in the first run the file is created with the incorrect permissions, and then the second run barfs at that :)

The system where we saw this bug uses file system ACLs, with defauls, and thus the umask is ignored:

ubuntu@juju-machine-0-lxc-5:/var/lib/openstack-dashboard$ getfacl .
# file: .
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:other::r-x

To clarify, I see the same behavior on bare metal, deploying machines with MAAS using the fast-path installer, so it's not LXC-specific.

This ends up being a regression of the curtin changes in bug 1313550.
curtin is extracting a tarball with '--xattrs --xattrs-include=* --acl'.

Its the '--acl' that is problematic.

Even though the tarball being extracted did not have acl stored in it tar creates default acl on extraction.

The simplist fix is to for us to remove '--acl' from curtin's extraction parameters.
http://bazaar.launchpad.net/~curtin-dev/curtin/trunk/view/head:/curtin/commands/extract.py

This change can be made locally on the maas region controller in the installed 'python-curtin' package.

fixed in revno 194 of trunk.

How do we get this on trusty? Or the MAAS PPA perhaps?

This bug was fixed in the package curtin - 0.1.0~bzr195-0ubuntu1

---------------
curtin (0.1.0~bzr195-0ubuntu1) vivid; urgency=medium

  * New upstream snapshot.
    * move install log from /var/log/curtin_install.log to
      /var/log/curtin/install.log (LP: #1378910)
    * to not use '--acl' when extracting tar files (LP: #1382632)
      as it inadvertently writes default directory acls.
    * invoke lsblk with '--output' rather than '--out' to avoid
      ambiguity in newer versions of lsblk (LP: #1386275)
 -- Scott Moser <email address hidden> Mon, 27 Oct 2014 12:25:27 -0400

Hello Andreas, or anyone else affected,

Accepted curtin into trusty-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/curtin/0.1.0~bzr195-0ubuntu1~14.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Hello Andreas, or anyone else affected,

Accepted curtin into utopic-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/curtin/0.1.0~bzr195-0ubuntu1~14.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

This has been tested and works as expected!

This bug was fixed in the package curtin - 0.1.0~bzr195-0ubuntu1~14.10.1

---------------
curtin (0.1.0~bzr195-0ubuntu1~14.10.1) utopic-proposed; urgency=medium

  * New upstream snapshot / sync to vivid version.
    - move install log from /var/log/curtin_install.log to
      /var/log/curtin/install.log (LP: #1378910)
    - to not use '--acl' when extracting tar files (LP: #1382632)
      as it inadvertently writes default directory acls.
    - invoke lsblk with '--output' rather than '--out' to avoid
      ambiguity in newer versions of lsblk (LP: #1386275)
 -- Scott Moser <email address hidden> Mon, 27 Oct 2014 13:08:50 -0400

The verification of the Stable Release Update for curtin has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package curtin - 0.1.0~bzr195-0ubuntu1~14.04.1

---------------
curtin (0.1.0~bzr195-0ubuntu1~14.04.1) trusty-proposed; urgency=medium

  * New upstream snapshot.
    - hardware enablement: ppc64 support (LP: #1386394)
    - hardware enablement: know kernel mapping for utopic (hwe-u = 3.16)
      (LP: #1386394)
    - feature: support installing disk images including windows. (LP: #1386394)
    - feature: support creating swap file (LP: #1386394)
    - feature: support reporting logs back to MAAS (LP: #1386394)
    - feature: enable logging of installation to /var/log/curtin/install.log
      (LP: #1378910)
    - bug fix: extract tar files with xattr support when available (LP: #1313550)
    - bug fix: fix broken use of os.path.join for curtin hooks (LP: #1328521)
    - bug fix: util.subp to decode command output as utf-8 (LP: #1370249).
    - bug fix: call update-grub to ensure that /boot/grub/grub.cfg is created
      (LP: #1373137)
    - bug fix: do not use '--acl' when extracting tar files (LP: #1382632)
      as it inadvertently writes default directory acls.
    - bug fix: invoke lsblk with '--output' rather than '--out' to avoid
      ambiguity in newer versions of lsblk (LP: #1386275)
    - internal: part2bd helper added in helpers/common
    - internal: helpers: inherit curtin_verbosity (make the helper tools
      verbose if curtin invoked with verbose flags)
 -- Scott Moser <email address hidden> Mon, 27 Oct 2014 20:58:43 -0400

This bug is believed to be fixed in curtin in 17.1. If this is still a problem for you, please make a comment and set the state back to New

Thank you.