"sudo maas-import-ephemerals" steps on ~/.gnupg/pubring.gpg

Bug #1250370 reported by Robie Basak
This bug affects 1 person
Affects         Status         Importance   Assigned to           Milestone
MAAS            Fix Released   High         Jeroen T. Vermeulen
simplestreams   Confirmed      Low          Unassigned

Bug Description

Discovered on maas 1.4+bzr1693+dfsg-0ubuntu2.2 in packaging, but I presume this affects upstream more than we care about this in packaging.

Steps to reproduce:

1. rm -Rf ~/.gnupg

2. cat > gen-key <<EOT
Key-Type: RSA
Key-Length: 1024
Name-Real: Test User
Name-Email: <email address hidden>
EOT

3. gpg --gen-key --batch gen-key

4. Create a simplestreams source in ~/streams. I presume this bug will reproduce without this though this is what I'm doing.

5. Observe that "ls -l ~/.gnupg" produces something like:

total 28
-rw------- 1 ubuntu ubuntu 9398 Nov 12 04:38 gpg.conf
-rw------- 1 ubuntu ubuntu 363 Nov 12 04:38 pubring.gpg
-rw------- 1 ubuntu ubuntu 0 Nov 12 04:38 pubring.gpg~
-rw------- 1 ubuntu ubuntu 600 Nov 12 04:38 random_seed
-rw------- 1 ubuntu ubuntu 695 Nov 12 04:38 secring.gpg
-rw------- 1 ubuntu ubuntu 1240 Nov 12 04:38 trustdb.gpg

6. Run "sudo maas-import-ephemerals --url file:///home/ubuntu" (or presumably this will work without using a local source so without the --url parameter).

Expected results: the same contents in ~/.gnupg.

Actual results:

"ls -l ~/.gnupg" now gives me:

total 32
-rw------- 1 ubuntu ubuntu 9398 Nov 12 04:38 gpg.conf
-rw------- 1 root root 363 Nov 12 04:39 pubring.gpg
-rw------- 1 ubuntu ubuntu 363 Nov 12 04:38 pubring.gpg~
-rw------- 1 ubuntu ubuntu 600 Nov 12 04:38 random_seed
-rw------- 1 ubuntu ubuntu 695 Nov 12 04:38 secring.gpg
-rw------- 1 ubuntu ubuntu 1280 Nov 12 04:39 trustdb.gpg

Why has root taken over my pubring.gpg? This stops future gpg calls as the normal user from working.

I accept that running "sudo" doesn't reset HOME, so one might expect it to hit the normal user's stuff for some tasks. But running "sudo maas-import-ephemerals" is a common enough case that I don't think it's reasonable for it to make my ~/.gnupg unusable. By all means use (and please verify against) my ~/.gnupg, but please do not modify it.

Tags: m-i-p-f

Julian Edwards (julian-edwards) wrote :

Urgh, nasty. Ideally, this script should be dropping root privs for everything it doesn't need anyway.

Changed in maas:
status: New → Triaged
importance: Undecided → Critical
milestone: none → 14.04
tags: added: m-i-p-f
Julian Edwards (julian-edwards) wrote :

I've targeted simplestreams because I just stepped through the code in the debugger and identified the exact part of the code that rewrites the file.

In simplestreams.util.read_signed(), which gets called to verify the signature of the json index file, it invokes a subprocess:

['gpg', '--batch', '--verify', u'--keyring=/usr/share/keyrings/ubuntu-cloudimage-keyring.gpg', '-']

which after it returns, the pubring has been rewritten.

Changed in maas:
importance: Critical → High
Julian Edwards (julian-edwards) wrote :

We don't have this script any more, but the new one still runs as root and uses the simplestreams library, so I don't expect any different behaviour.

Changed in maas:
milestone: 14.04 → 14.10
Changed in maas:
assignee: nobody → Jeroen T. Vermeulen (jtv)
status: Triaged → Fix Committed
Jeroen T. Vermeulen (jtv) wrote :

Update: normal use no longer requires the script to run stand-alone. Normal runs triggered from the UI, or the automatic weekly runs, will keep their own GPG state in /var/lib/maas. The maas user owns that state, and the script runs as ‘maas’ not ‘root.’

The stand-alone script can still be used for failure feedback, and we're planning to address this need in a better way.

Changed in maas:
status: Fix Committed → Fix Released
Scott Moser (smoser) wrote :

Marked as low.
I wasn't able to reproduce this using sstream-query, though I thought I would have been able to.
Basically expected that:
 sudo PYTHONPATH=$PWD ./bin/sstream-query -vvv --keyring /usr/share/keyrings/ubuntu-cloudimage-keyring.gp http://maas.ubuntu.com/images/ephemeral-v2/daily/streams/v1/com.ubuntu.maas:daily:v2:download.sjson

would have done the change, but it did not.

I did reproduce another issue:
$ cat > gen-key <<EOT
Key-Type: RSA
Key-Length: 1024
Name-Real: Test User
Name-Email: <email address hidden>
EOT
$ rm -Rf ~/.gnupg; gpg --gen-key --batch gen-key
$ sstream-query -vvv --keyring /usr/share/keyrings/ubuntu-cloudimage-keyring.gpg --max=1 http://maas.ubuntu.com/images/ephemeral-v2/daily/streams/v1/com.ubuntu.maas:daily:v2:download.sjson release=trusty arch=ppc64
failed: gpg --batch --verify --no-default-keyring --keyring=/usr/share/keyrings/ubuntu-cloudimage-keyring.gpg -
 out=
 err=gpg: WARNING: unsafe ownership on configuration file `/home/ubuntu/.gnupg/gpg.conf'
gpg: Signature made Thu 29 Oct 2015 12:15:36 PM UTC using RSA key ID 476CF100
gpg: checking the trustdb
gpg: public key of ultimately trusted key 795D06FA not found
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Good signature from "Ubuntu Cloud Image Builder (Canonical Internal Cloud Image Builder) <email address hidden>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4A3C E3CD 565D 7EB5 C810 E2B9 7FF3 F408 476C F100

Traceback (most recent call last):
  File "/usr/bin/sstream-query", line 136, in <module>
    main()
  File "/usr/bin/sstream-query", line 129, in main
    tmirror.sync(smirror, path)
  File "/usr/lib/python3/dist-packages/simplestreams/mirrors/__init__.py", line 83, in sync
    content, payload = reader.read_json(path)
  File "/usr/lib/python3/dist-packages/simplestreams/mirrors/__init__.py", line 41, in read_json
    return raw, self.policy(content=raw, path=path)
  File "/usr/bin/sstream-query", line 116, in policy
    checked=cmdargs.verify)
  File "/usr/lib/python3/dist-packages/simplestreams/util.py", line 267, in read_signed
    raise e
  File "/usr/lib/python3/dist-packages/simplestreams/util.py", line 263, in read_signed
    subp(cmd, data=content)
  File "/usr/lib/python3/dist-packages/simplestreams/util.py", line 435, in subp
    raise subprocess.CalledProcessError(rc, args, output=(out, err))
subprocess.CalledProcessError: Command '['gpg', '--batch', '--verify', '--no-default-keyring', '--keyring=/usr/share/keyrings/ubuntu-cloudimage-keyring.gpg', '-']' returned non-zero exit status 2

Changed in simplestreams:
importance: Undecided → Low
status: New → Confirmed
Scott Moser (smoser) wrote :

Fixed in revno 404. If you have gpgv, simplestreams will use that in lieu of gpg.
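
Added example (not code from simplestreams, MAAS or this bug report): one way to verify signed data without writing to the invoking user's ~/.gnupg, preferring gpgv as the last comment describes and pointing GNUPGHOME at a scratch directory. The function names and the scratch-directory approach are assumptions of this example; foreign_owned() checks for the symptom shown in the report, a pubring.gpg that ends up owned by root.

```python
import os
import shutil
import subprocess
import tempfile


def build_verify_cmd(keyring, have_gpgv=None):
    """Return argv for verifying signed data on stdin against one keyring."""
    if have_gpgv is None:
        have_gpgv = shutil.which("gpgv") is not None
    if have_gpgv:
        # gpgv only verifies: it keeps no trustdb and never writes a keyring.
        return ["gpgv", "--keyring=" + keyring, "-"]
    # Fallback: plain gpg, told not to open the caller's default keyring.
    return ["gpg", "--batch", "--verify", "--no-default-keyring",
            "--keyring=" + keyring, "-"]


def isolated_env(gnupghome, base=None):
    """Copy the environment and point GnuPG at a scratch home directory."""
    env = dict(os.environ if base is None else base)
    env["GNUPGHOME"] = gnupghome  # takes precedence over $HOME/.gnupg
    return env


def verify_signed(content, keyring):
    """Verify signed bytes; any state GnuPG writes lands in a temp dir."""
    with tempfile.TemporaryDirectory(prefix="gnupg-") as home:  # mode 0700
        proc = subprocess.run(build_verify_cmd(keyring), input=content,
                              env=isolated_env(home),
                              stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    return proc.returncode == 0, proc.stderr.decode(errors="replace")


def foreign_owned(gnupg_dir, expected_uid):
    """List entries in gnupg_dir whose owner is not expected_uid."""
    return sorted(e.name for e in os.scandir(gnupg_dir)
                  if e.stat(follow_symlinks=False).st_uid != expected_uid)


if __name__ == "__main__":
    # Report files in ~/.gnupg that no longer belong to the directory owner.
    home = os.path.expanduser("~/.gnupg")
    if os.path.isdir(home):
        print(foreign_owned(home, os.stat(home).st_uid))
```

Running foreign_owned() before and after a privileged import run shows whether the run changed ownership of anything in the user's GnuPG home.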
