shadow file permissions broken

Bug #1188820 reported by Scott Moser
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
walinuxagent (Ubuntu) | Fix Released | High | Unassigned |
Precise | Fix Released | Medium | Unassigned |
Raring | Fix Released | Medium | Unassigned |

Bug Description

[Impact]: WALinuxAgent, when provisioning, may delete the root password. However, in doing so, it changes the permissions of the shadow file from 0400 to 000.

[Regression]: This change simply sets the proper permission on /etc/shadow.

[Test Case]: Make sure that the permissions are 0400.

[Original Report]:

inside an azure instance:

$ ls -altr /etc/shadow
---------- 1 root root 902 Jun 7 20:23 /etc/shadow

/usr/sbin/waagent has:
def DeleteRootPassword():
    filepath="/etc/shadow"
    ReplaceFileContentsAtomic(filepath, "root:*LOCK*:14600::::::\n" + "\n".join(filter(lambda a: not
        a.startswith("root:"),
        GetFileContents(filepath).split('\n'))))
    os.chmod(filepath, 0000)
    if IsRedHat():
        Run("chcon system_u:object_r:shadow_t:s0 " + filepath)
    Log("Root password deleted.")

more correct permissions on that file would be:
$ ls -altr /etc/shadow
-rw-r----- 1 root shadow 1497 May 29 16:51 /etc/shadow

ProblemType: Bug
DistroRelease: Ubuntu 13.04
Package: walinuxagent 1.3.2-0ubuntu1 [modified: usr/sbin/waagent]
ProcVersionSignature: Ubuntu 3.8.0-23.34-generic 3.8.11
Uname: Linux 3.8.0-23-generic x86_64
ApportVersion: 2.9.2-0ubuntu8
Architecture: amd64
Date: Fri Jun 7 20:32:03 2013
MarkForUpload: True
ProcEnviron:
 TERM=screen
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: walinuxagent
UpgradeStatus: No upgrade log present (probably fresh install)
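
Added example (not part of the bug report and not walinuxagent's code or its shadow_permissions.patch): one way to lock the root entry without disturbing the file's metadata. A rename-based atomic replace produces a new file, so the sketch records the existing mode and owner first and reapplies them before the rename instead of hardcoding a mode. The function names and the sample file contents are assumptions made for illustration.

```python
import os
import stat
import tempfile

LOCKED_ROOT = "root:*LOCK*:14600::::::"  # locked entry from the reported snippet


def lock_root_entry(path):
    """Swap in a locked root entry while keeping the file's mode and owner."""
    st = os.stat(path)  # capture metadata before touching the file
    with open(path) as f:
        others = [l for l in f.read().split("\n")
                  if l and not l.startswith("root:")]
    # mkstemp creates the temp file 0600 in the same directory, so the
    # later rename is atomic and the data is never world-readable.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    try:
        with os.fdopen(fd, "w") as f:
            f.write("\n".join([LOCKED_ROOT] + others) + "\n")
        os.chmod(tmp, stat.S_IMODE(st.st_mode))  # restore, do not hardcode
        if os.geteuid() == 0:
            os.chown(tmp, st.st_uid, st.st_gid)  # e.g. root:shadow
        os.rename(tmp, path)
    except Exception:
        os.unlink(tmp)
        raise


def shadow_mode_ok(path, allowed=(0o400, 0o640)):
    """True if the mode is one the report names as correct (0400 or 0640)."""
    return stat.S_IMODE(os.stat(path).st_mode) in allowed


def demo():
    """Run against a constructed shadow-format file in a temp directory."""
    path = os.path.join(tempfile.mkdtemp(), "shadow")
    with open(path, "w") as f:  # constructed sample, not real hashes
        f.write("root:$6$constructed$hash:15863:0:99999:7:::\n"
                "daemon:*:15863:0:99999:7:::\n")
    os.chmod(path, 0o640)
    lock_root_entry(path)
    with open(path) as f:
        lines = f.read().splitlines()
    return stat.S_IMODE(os.stat(path).st_mode), lines, shadow_mode_ok(path)


if __name__ == "__main__":
    print(demo())
```

shadow_mode_ok() can also serve as the [Test Case] check after provisioning: it returns False for the mode 000 file shown in the report.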

Scott Moser (smoser) wrote :
Changed in walinuxagent (Ubuntu):
importance: Undecided → High
Ben Howard (darkmuggle-deactivatedaccount) wrote :

This will be fixed in the 12.04 SRU for the cloud-init/udev rule fix. Since user-provisioning will not be done by WALinuxAgent, this gets mooted.

Changed in walinuxagent (Ubuntu):
assignee: nobody → Ben Howard (utlemming)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package walinuxagent - 1.3.2-0ubuntu4

---------------
walinuxagent (1.3.2-0ubuntu4) saucy; urgency=low

  * debian/patches/shadow_permissions.patch: apply the appropriate
    permissions to /etc/shadow (LP: #1188820).
  * debian/patches/verbose_logging.patch: use the appropriate log
    faculty when using verbose logging (LP: #1193404).
  * Mark bugs fixed in 1.3.2-0ubuntu3:
    debian/patches/config_for_cloud-init.patch:
    - fix for race condition between cloud-init and waagent (LP: #1195524)
    - mount resource disk on /mnt (LP: #1193380)
    - move walinuxagent init functionality to cloud-init (LP: #1037723)
 -- Ben Howard <email address hidden> Tue, 23 Jul 2013 09:43:40 -0600

Changed in walinuxagent (Ubuntu):
status: New → Fix Released
description: updated
Adam Conrad (adconrad) wrote : Please test proposed package

Hello Scott, or anyone else affected,

Accepted walinuxagent into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/walinuxagent/1.3.2-0ubuntu4~12.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Adam Conrad (adconrad) wrote :

Hello Scott, or anyone else affected,

Accepted walinuxagent into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/walinuxagent/1.3.2-0ubuntu4~12.04.3 in a few hours, and then in the -proposed repository.

Adam Conrad (adconrad) wrote :

Hello Scott, or anyone else affected,

Accepted walinuxagent into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/walinuxagent/1.3.2-0ubuntu4~12.04.4 in a few hours, and then in the -proposed repository.

Ben Howard (darkmuggle-deactivatedaccount) wrote :

Confirmed with -proposed packages that this is fixed. Marking verification-done.

tags: added: verification-done
Ben Howard (darkmuggle-deactivatedaccount) wrote :

Tested. Marking verification done.

Stéphane Graber (stgraber) wrote :

Hello Scott, or anyone else affected,

Accepted walinuxagent into raring-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/walinuxagent/1.3.2-0ubuntu2~13.04.1 in a few hours, and then in the -proposed repository.

Changed in walinuxagent (Ubuntu Raring):
status: New → Fix Committed
Changed in walinuxagent (Ubuntu Precise):
importance: Undecided → Medium
Changed in walinuxagent (Ubuntu Raring):
importance: Undecided → Medium
Changed in walinuxagent (Ubuntu Precise):
assignee: nobody → Ben Howard (utlemming)
Changed in walinuxagent (Ubuntu Raring):
assignee: nobody → Ben Howard (utlemming)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package walinuxagent - 1.3.2-0ubuntu2~13.04.1

---------------
walinuxagent (1.3.2-0ubuntu2~13.04.1) raring-proposed; urgency=low

  * Backport of 1.3.2-0ubuntu5 from 13.10
    * disable ephemeral disk formating by default (LP: #1231490)
    * debian/patches/shadow_permissions.patch: apply the appropriate
      permissions to /etc/shadow (LP: #1188820).
    * debian/patches/verbose_logging.patch: use the appropriate log
      faculty when using verbose logging (LP: #1193404).
    * Mark bugs fixed in 1.3.2-0ubuntu3:
      debian/patches/config_for_cloud-init.patch:
      - fix for race condition between cloud-init and waagent (LP: #1195524)
      - mount resource disk on /mnt (LP: #1193380)
      - move walinuxagent init functionality to cloud-init (LP: #1037723)
  * Add requirement of cloud-init (LP: #1037723).
 -- Ben Howard <email address hidden> Thu, 10 Oct 2013 09:24:46 -0600

Changed in walinuxagent (Ubuntu Raring):
status: Fix Committed → Fix Released
Changed in walinuxagent (Ubuntu Precise):
status: New → Fix Released