
Debian package sets wrong permissions on /var/lib/hudson/.ssh

    • Bug
    • Resolution: Fixed
    • Critical
    • other
    • None
    • Platform: All, OS: Linux

      The hudson debian package (from deb http://hudson.gotdns.com/debian binary/)
      sets the permissions 770 to /var/lib/hudson. This makes any private ssh keys
      unusable because they need permissions like 700 or even less.

          [JENKINS-4047] Debian package sets wrong permissions on /var/lib/hudson/.ssh

          Chris lutje Spelberg created issue -

          Code changed in hudson
          User: kohsuke
          Path:
          trunk/www/changelog.html
          http://fisheye4.cenqua.com/changelog/hudson/?cs=19872
          Log:
          [FIXED JENKINS-4047] Fixed the permission to 750. I believe go-w is all ssh needs for ancestor directories.

          Comment above added by SCM/JIRA link daemon.
          SCM/JIRA link daemon made changes -
          Resolution New: Fixed [ 1 ]
          Status Original: Open [ 1 ] New: Resolved [ 5 ]

          Code changed in hudson
          User: kohsuke
          Path:
          trunk/hudson/main/debian/hudson.postinst
          http://fisheye4.cenqua.com/changelog/hudson/?cs=19882
          Log:
          JENKINS-4047 forgot to commit the actual change

          Comment above added by SCM/JIRA link daemon.

          Unfortunately, 0750 is considered a too-open set of permissions (at least under
          Ubuntu 9.04).

          Here's what SSH man page explains:
          [...] ~/.ssh/identity ~/.ssh/id_dsa ~/.ssh/id_rsa
          Contains the private key for authentication. These files contain sensitive data
          and should be readable by the user but not accessible by others
          (read/write/execute). ssh will simply ignore a private key file if it is
          accessible by others. [...]

          Here's a job output after upgrading Hudson to 1.323 (and former ones):
          [...] A SCM change trigger started this job
          cvs -q -z3 update -PdC -D "Monday, September 7, 2009 11:01:09 AM UTC"
          @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
          @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
          @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
          Permissions 0750 for '/var/lib/hudson/.ssh/id_rsa' are too open.
          It is recommended that your private key files are NOT accessible by others.
          This private key will be ignored.
          bad permissions: ignore key: /var/lib/hudson/.ssh/id_rsa
          Permission denied, please try again.
          Permission denied, please try again.
          Permission denied (publickey,gssapi-with-mic,password).
          cvs [update aborted]: end of file from server (consult above messages if any)
          FATAL: CVS failed. exit code=1
          Sending e-mails to: john@doe.com
          Finished: FAILURE

          Could you please use 0700 instead of 0750?
          Regards,
          Regis

          Comment above added by Régis Desgroppes.
          Régis Desgroppes made changes -
          Resolution Original: Fixed [ 1 ]
          Status Original: Resolved [ 5 ] New: Reopened [ 4 ]

          Tip for Debian-like GNU/Linux:

          Execute:
          sudo chmod -R 700 /var/lib/hudson/.ssh
          ... each time and just after hudson package is upgraded.

          Or configure ssh so that it doesn't complain if

          Régis

          Comment above added by Régis Desgroppes.

          I propose to change the 'chmod 750' in the .deb to something more reasonable, to
          only chmod the installed files.

          Please do make a difference between files and folders, I would propose to use:

          chmod 750 /var/lib/hudson
          chmod -R u+rwX /var/lib/hudson/*
          chmod -R g+rX /var/lib/hudson/*

          (wow that looks cryptic..)

          Comment above added by Chris lutje Spelberg.

          About the postinst script:
          8< --------------------
          # Fix permissions on runtime directories/files.
          chown -R hudson:adm /var/run/hudson /var/lib/hudson /var/log/hudson
          chmod -R 750 /var/run/hudson /var/lib/hudson
          chmod 750 /var/log/hudson
          -------------------- >8

          1. Changing owner to hudson:adm doesn't work for symlinked stuff (for example
          jobs may be stored on a separate volume for backups).
          Therefore, the command should be:
          chown -R -L hudson:adm /var/run/hudson /var/lib/hudson /var/log/hudson
          (-L: traverse every symbolic link to a directory encountered)
          That said, what's the reason why group of hudson files changes at upgrade time
          (nogroup -> adm)? If one needs to alter hudson working area, she can sudo the
          desired command. Or maybe I miss something.

          2. Changing file mode bits recursively starting at /var/lib/hudson is too much
          because one may add custom stuff... such as OpenSSH keys.
          As said, under Debian-based GNU/Linux, OpenSSH client default configuration
          is to "simply ignore a private key file if it is accessible by others".
          So ideal mode bits for /var/lib/hudson/.ssh/id* are 0600 (0700 makes no sense as
          such, but it's OK if that simplifies the postinst script).
          So there are several ways to address this:

          • leave .ssh untouched, for example:
            find /var/lib/hudson/ | grep -v /var/lib/hudson/.ssh | xargs -n1 chmod 750
          • re-fix .ssh permissions in a second pass:
            chmod -R 750 /var/run/hudson /var/lib/hudson
            ...
            chmod -R 700 /var/lib/hudson/.ssh

          What has to be kept in mind is that identity files must not be world-readable,
          nor even group-readable: only user-readable.

          Régis

          Comment above added by Régis Desgroppes.

          uncletall added a comment -

          It seems like a simple fix.
          I was surprised to see all my builds fail while I previously fixed the .ssh issue
          manually. Then I figured it must be after I upgraded hudson during a general
          system upgrade (apt-get upgrade).

          I think I would prefer the hudson upgrade not to change any of the permissions
          after the initial install. To be more transparent I would suggest setting
          permissions during the first install and leaving them alone during upgrades.

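The two ideas raised in the comments above (keep the recursive chmod away from .ssh, and only set permissions on first install) can be combined as in the following sketch. It is an added example, not the project's hudson.postinst and not code from any commenter; the function names are hypothetical, the home path is assumed to be passed without a trailing slash, and it relies on Debian invoking postinst as "configure <previously-configured-version>" with an empty version on a fresh install.

```shell
#!/bin/sh
# Added example (hypothetical helper names), not the real hudson.postinst.

# apply_perms HOME: package baseline of 750 on the tree, strict modes on .ssh.
apply_perms() {
    home=$1
    # -prune skips .ssh and everything below it; "-exec ... +" copes with
    # names containing spaces, unlike "find | grep -v | xargs".
    # "! -type l" avoids chmod following a symlink to its target.
    find "$home" -path "$home/.ssh" -prune -o ! -type l -exec chmod 750 {} +
    if [ -d "$home/.ssh" ]; then
        chmod 700 "$home/.ssh"
        # Identity files: owner read/write only, so ssh does not ignore them.
        find "$home/.ssh" -type f -exec chmod 600 {} +
    fi
}

# count_exposed DIR: number of entries with any group/other permission bit.
count_exposed() {
    find "$1" \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print | wc -l | tr -d ' '
}

# postinst_perms ACTION OLD_VERSION HOME: touch permissions on a fresh
# install only; an upgrade leaves the administrator's modes alone.
postinst_perms() {
    if [ "$1" = configure ] && [ -z "$2" ]; then
        apply_perms "$3"
        echo applied
    else
        echo skipped
    fi
}
```

In a maintainer script this would be called as postinst_perms "$1" "$2" /var/lib/hudson; count_exposed /var/lib/hudson/.ssh returning a non-zero count after an upgrade indicates the key will be rejected by ssh.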

            Unassigned
            Chris lutje Spelberg (chrisspelberg)
            Votes: 3
            Watchers: 8
