
Home owner directory changed to vyos for the user after reboot
Closed, Resolved | Public | BUG

Description

Home owner directory changed to vyos for the user after reboot.

set system login user foo authentication encrypted-password '$6$rounds=656000$J4tyWgIuk9b2x42.$w5Jwizza0dvVa3xOXUIsw60HK5RF3nnfxotE0/9ZRIpXECVtWt3ssI9o0UMoYLt8zKh3jFgro818y5V1Bm0Pr/'

Before and after reboot

vyos@r14:~$ ls -la /home/foo
total 28
drwxr-xr-x 3 foo  users 4096 Aug 28 14:31 .
drwxr-xr-x 1 root root  4096 Aug 28 14:30 ..
-rw------- 1 foo  users   51 Aug 28 14:31 .bash_history
-rw-r--r-- 1 foo  users  220 Apr 24 00:23 .bash_logout
-rw-r--r-- 1 foo  users 4072 Jan 11  2021 .bashrc
-rw-r--r-- 1 foo  users  675 Jan 11  2021 .profile
drwxr-xr-x 2 foo  users 4096 Aug 28 14:30 .ssh
vyos@r14:~$ 

reboot

vyos@r14:~$ ls -la /home/foo
total 28
drwxr-xr-x 3 vyos users 4096 Aug 28 14:31 .
drwxr-xr-x 1 root root  4096 Aug 28 14:30 ..
-rw------- 1 vyos users   51 Aug 28 14:31 .bash_history
-rw-r--r-- 1 vyos users  220 Apr 24 00:23 .bash_logout
-rw-r--r-- 1 vyos users 4072 Jan 11  2021 .bashrc
-rw-r--r-- 1 vyos users  675 Jan 11  2021 .profile
drwxr-xr-x 2 vyos users 4096 Aug 28 14:30 .ssh
vyos@r14:~$

Most likely after TACACS+ implementation https://github.com/vyos/vyos-1x/commit/3ec727670de02cac06321719a0323650046d54a1

It also affects key-based authentication (for user vyos).

Aug 28 14:48:53 r14 sshd[3157]: Authentication refused: bad ownership or modes for directory /home/vyos/.ssh
Aug 28 14:48:53 r14 sshd[3157]: Authentication refused: bad ownership or modes for directory /home/vyos/.ssh

The thing is that vyos is expected there, but we get foo as the owner of the /home/vyos directory.

vyos@r14:~$ ls -la /home/vyos
total 84
drwxr-xr-x 3 foo  users      4096 Aug 28 14:30 .
drwxr-xr-x 1 root root       4096 Aug 28 14:30 ..
-rw------- 1 foo  users     51993 Aug 28 14:31 .bash_history
-rw-r--r-- 1 foo  users       220 Apr 24 00:23 .bash_logout
-rw-r--r-- 1 foo  users      4072 Jan 11  2021 .bashrc
-rw------- 1 foo  vyattacfg    55 Aug 28 13:10 .history_frr
-rw------- 1 foo  vyattacfg    20 Aug 28 14:30 .lesshst
-rw-r--r-- 1 foo  users       675 Jan 11  2021 .profile
drwxr-xr-x 2 foo  users      4096 Aug 28 11:11 .ssh
-rw-r--r-- 1 foo  users         0 Aug 28 11:12 .sudo_as_admin_successful
vyos@r14:~$

Details

Difficulty level
Easy (less than an hour)
Version
VyOS 1.4-rolling-202308280021
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)
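
The ownership mismatch shown in the listings above is what sshd rejects with "bad ownership or modes for directory". The following audit is an added example, not code from the ticket or from VyOS: it compares each account's UID in passwd-format text with the owner of its home and .ssh directories, applying the rule that the owner must be the account or root and that group/other write bits must be clear. The UIDs and the in-memory stat table are constructed sample data; only the swapped owners mirror the report.

```python
import os
import stat
from collections import namedtuple

Finding = namedtuple("Finding", "user path owner_uid expected_uid mode")
FakeStat = namedtuple("FakeStat", "st_uid st_mode")

# Constructed sample: the UIDs are assumptions, the swapped owners mirror the ticket.
SAMPLE_PASSWD = """\
vyos:x:1002:100::/home/vyos:/bin/bash
foo:x:1003:100::/home/foo:/bin/bash
"""
SAMPLE_FS = {
    "/home/vyos": FakeStat(1003, 0o40755),
    "/home/vyos/.ssh": FakeStat(1003, 0o40755),
    "/home/foo": FakeStat(1002, 0o40755),
    "/home/foo/.ssh": FakeStat(1002, 0o40755),
}

def sample_stat(path):
    """stat() stand-in backed by SAMPLE_FS so the example runs offline."""
    if path not in SAMPLE_FS:
        raise FileNotFoundError(path)
    return SAMPLE_FS[path]

def audit_homes(passwd_text, home_root="/home", stat_fn=os.stat):
    """Return a Finding for each home or .ssh directory sshd would reject."""
    findings = []
    prefix = home_root.rstrip("/") + "/"
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 7 or not fields[5].startswith(prefix):
            continue  # malformed entry, or home outside home_root
        name, uid, home = fields[0], int(fields[2]), fields[5]
        for path in (home, os.path.join(home, ".ssh")):
            try:
                st = stat_fn(path)
            except FileNotFoundError:
                continue  # no such directory, nothing to check
            # Owner must be the account or root; no group/other write bits.
            if st.st_uid not in (0, uid) or st.st_mode & 0o022:
                findings.append(Finding(name, path, st.st_uid, uid,
                                        stat.S_IMODE(st.st_mode)))
    return findings

if __name__ == "__main__":
    with open("/etc/passwd") as fh:
        for f in audit_homes(fh.read()):
            print(f"{f.user}: {f.path} uid={f.owner_uid} want={f.expected_uid} mode={f.mode:o}")
```

Run directly, it audits the live /etc/passwd with os.stat; calling `audit_homes(SAMPLE_PASSWD, stat_fn=sample_stat)` reproduces the swapped-owner state offline.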

Event Timeline

c-po changed the task status from Open to In progress. Aug 28 2023, 5:57 PM
c-po claimed this task.

Please re-test with latest rolling-release if the issue persists.

c-po changed the task status from In progress to Needs testing. Sep 5 2023, 7:22 PM
In T5521#158836, @c-po wrote:

Please re-test with latest rolling-release if the issue persists.

Still have bugs
Delete user foo and reboot the router

vyos@r14:~$ ls -la /home/vyos/
total 32
drwxr-xr-x 3 1003 users     4096 Sep  6 00:06 .
drwxr-xr-x 1 root root      4096 Sep  6 00:05 ..
-rw------- 1 1003 users      375 Sep  6 00:06 .bash_history
-rw-r--r-- 1 1003 users      220 Apr 24 00:23 .bash_logout
-rw-r--r-- 1 1003 users     4072 Jan 11  2021 .bashrc
-rw------- 1 1003 vyattacfg   20 Sep  6 00:06 .lesshst
-rw-r--r-- 1 1003 users      675 Jan 11  2021 .profile
drwxr-xr-x 2 1003 users     4096 Sep  6 00:05 .ssh
-rw-r--r-- 1 1003 users        0 Sep  6 00:05 .sudo_as_admin_successful
vyos@r14:~$

SSH Key auth also affected

Sep 06 00:10:23 r14 sshd[4555]: Authentication refused: bad ownership or modes for directory /home/vyos/.ssh
Sep 06 00:10:23 r14 sshd[4555]: Authentication refused: bad ownership or modes for directory /home/vyos/.ssh

Version

vyos@r14:~$ show ver
Version:          VyOS 1.4-rolling-202309050021
Release train:    current

Built by:         [email protected]
Built on:         Tue 05 Sep 2023 01:32 UTC
Build UUID:       4a100ba1-73b7-4de8-9362-83d06fdfc36a
Build commit ID:  f909a712d635d4

c-po changed the task status from Needs testing to In progress. Oct 2 2023, 8:04 PM
c-po triaged this task as High priority. Oct 3 2023, 3:58 PM
c-po added a project: VyOS 1.5 Circinus.
c-po changed Difficulty level from Unknown (require assessment) to Easy (less than an hour).
c-po moved this task from Need Triage to Finished on the VyOS 1.5 Circinus board.
c-po moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta board.

Not sure if this should be re-opened, or a new ticket should be created. It appears that this function is the only thing that creates /etc/passwd (etc.), and it's only ever called once.

If boot_configuration_complete() returns false, the user settings aren't applied, and then it's never called again to actually REALLY create them.

I spun this up on a vm, and you can see that /etc was never fully propagated

root@65cl-core-a:/usr/lib/live/mount/persistence/boot/1.4-2023-10-03/rw/etc# ls
apt         default   hosts          ipvsadm.rules  localtime    motd                  rc0.d        rsyslog.d  ssl               timezone
cni         frr       iproute2       issue          logrotate.d  nsswitch.conf         rc6.d        snmp       swanctl
commit      fstab     ipsec.conf     issue.net      machine-id   pam.d                 rcS.d        ssh        tacplus_nss.conf
containers  hostname  ipsec.secrets  locale.gen     modprobe.d   pam_radius_auth.conf  resolv.conf  sshguard   tacplus_servers
root@65cl-core-a:/usr/lib/live/mount/persistence/boot/1.4-2023-10-03/rw/etc#

Comparing that to an older image that I happened to have lying around, the auth files are missing

root@65cl-core-a:/usr/lib/live/mount/persistence/boot/1.4-2023-07-12/rw/etc# ls
apt         group     hosts          issue        machine-id     pam_radius_auth.conf  rcS.d        snmp      subgid-           tacplus_servers
commit      group-    iproute2       issue.net    modprobe.d     passwd                resolv.conf  ssh       subuid            timezone
containers  gshadow   ipsec.conf     locale.gen   motd           passwd-               rsyslog.d    sshguard  subuid-
default     gshadow-  ipsec.secrets  localtime    nsswitch.conf  rc0.d                 shadow       ssl       swanctl
fstab       hostname  ipvsadm.rules  logrotate.d  pam.d          rc6.d                 shadow-      subgid    tacplus_nss.conf
root@65cl-core-a:/usr/lib/live/mount/persistence/boot/1.4-2023-07-12/rw/etc#

Just to confirm, changing the if line does solve the issue, and I am able to log in.

https://github.com/xrobau/vyos-autobuild/blob/master/80-fix_system_login.chroot

c-po reopened this task as In progress. Oct 4 2023, 12:11 PM