[MODULES-7606] ssh_authorized_keys updating user => ... fails with Permission denied on previous user's .ssh/authorized_keys
|Created:||2014/09/11||Updated:||2018/08/21|
|Reporter:||Tero Marttila||Assignee:||Branan Riley|
|Labels:||permissions, ssh, ssh_authorized_key, type_and_provider|
|Remaining Estimate:||Not Specified|
|Time Spent:||Not Specified|
|Original Estimate:||Not Specified|
Changing the user for an ssh_authorized_key resource:
Leads to a Permission Denied error writing to the ~/.ssh/authorized_keys file of the previous user:
The key for the new user is not written to ~foo/.ssh/authorized_keys, nor is the key removed from the old user's ~bar/.ssh/authorized_keys.
|Comment by Thomas Kishel [ 2017/04/03 ]|
This issue is the result of this PR:
"Drop privileges before creating and chmodding SSH keys. Previously, potentially abusable chown and chmod calls were performed as root. This tries to move as much as possible into code which is run after privileges have been dropped. Huge thanks to Ricky Zhou <firstname.lastname@example.org> for discovering this and supplying the security fix. Awesome work. Fixes CVE-2011-3870."
The error occurs within the `super` call here:
In one user's case, the authorized_keys file was created but kept its root:root ownership due to another (permissions on /tmp) error:
Environment: OS: RHEL 7.3 / PE: 2016.4.x
|Comment by Scott McClellan [ 2018/08/21 ]|
Branan Riley to add some detail to what the desired behavior is and mark as Accepted.