Page MenuHomeVyOS Platform

VyOS must not change permissions on files in /config/auth
Open, HighPublicBUG

Description

/config/auth is the location where sensitive private data is stored such as VPN private keys. I was very careful when setting up my keys inside /config/auth to ensure private keys were chowned and chmodded so that they were readable just by root, the vyattacfg group (necessary in order for the config scripts to verify correct key format) and not other-readable. I was very surprised today to find that during some process (possibly upgrading through 'add system image') all the files and directories in /config were changed to root:vyattacfg and mode 775. Not only is this very bad in terms of security as it exposes all keys in /auth to all users and processes on the system, it's also technically wrong as files shouldn't be executable unless they're executable programs or scripts. Files should be 660 or 664 at most.

It's very likely that either 'add system image' does a 'cp' without '-a', or something does a 'chown -R root:vyattacfg; chmod -R 775'.

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

jjakob triaged this task as High priority.Jul 19 2020, 11:49 AM
jjakob created this task.
jjakob created this object in space S1 VyOS Public.
pasik added a subscriber: pasik.Jul 20 2020, 6:41 PM
syncer changed the subtype of this task from "Task" to "Bug".Sep 18 2020, 8:13 PM

I can confirm.
It happens after update procedure.

Before update

vyos@r4-roll:~$ ls -la  /config/auth/
total 12
drwxrwsr-x 2 root vyattacfg 4096 Oct 15 14:42 .
drwxrwsr-x 8 root vyattacfg 4096 Oct 15 14:41 ..
-rw------- 1 root vyattacfg  636 Oct 15 14:42 foo.key

After update

vyos@r4-roll:~$ sudo ls -la /config/auth/
total 12
drwxrwsr-x 2 root vyattacfg 4096 Oct 15 14:42 .
drwxrwxr-x 8 root vyattacfg 4096 Oct 15 15:00 ..
-rwxrwxr-x 1 root vyattacfg  636 Oct 15 14:42 foo.key