
cannot setuid and setgid files via ignition

Open bexelbie opened this issue 9 months ago • 8 comments

Description

This ignition file doesn't result in setuid and setgid permissions being set:

variant: flatcar
version: 1.1.0

passwd:
  users:
    - name: core
      ssh_authorized_keys:
        - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC1N+xhi9y/rHURF3P0c6TiEGizwFnTBKH5GbQI46uyb
    - name: op
      ssh_authorized_keys:
        - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC1N+xhi9y/rHURF3P0c6TiEGizwFnTBKH5GbQI46uyb

storage:
  files:
    - path: /opt/setuid-setgid-test/setuid+setgid
      mode: 06755 # Set UID and GID
      user:
        name: op
      group:
        name: op
      contents:
        source: https://github.com/bexelbie/op-secret-manager/releases/latest/download/op-secret-manager-linux-amd64
    - path: /opt/setuid-setgid-test/setgid
      mode: 02755
      user:
        name: op
      group:
        name: op
      contents:
        source: https://github.com/bexelbie/op-secret-manager/releases/latest/download/op-secret-manager-linux-amd64
    - path: /opt/setuid-setgid-test/setuid
      mode: 04755
      user:
        name: op
      group:
        name: op
      contents:
        source: https://github.com/bexelbie/op-secret-manager/releases/latest/download/op-secret-manager-linux-amd64
    - path: /opt/setuid-setgid-test/normal
      mode: 0755
      user:
        name: op
      group:
        name: op
      contents:
        source: https://github.com/bexelbie/op-secret-manager/releases/latest/download/op-secret-manager-linux-amd64

Impact

I need to be able to set permissions correctly :)

Environment and steps to reproduce

  1. Set-up: Flatcar running on bare metal or Azure using the above configuration

  2. Task: First boot

  3. Action(s): n/a

  4. Error:

$ ls -l /opt/setuid-setgid-test/
total 97632
-rwxr-xr-x. 1 op op 24990551 Mar 16 16:49 normal
-rwxr-xr-x. 1 op op 24990551 Mar 16 16:49 setgid
-rwxr-xr-x. 1 op op 24990551 Mar 16 16:49 setuid
-rwxr-xr-x. 1 op op 24990551 Mar 16 16:49 setuid+setgid

Expected behavior

Files with the correct permissions


bexelbie avatar Mar 16 '25 16:03 bexelbie

@tormath1 FYI

bexelbie avatar Mar 16 '25 16:03 bexelbie

Thanks @bexelbie for the repro. I can reproduce on FCOS as well, I just pinged folks on #coreos:fedoraproject.org Matrix channel

tormath1 avatar Mar 17 '25 13:03 tormath1

> Thanks @bexelbie for the repro. I can reproduce on FCOS as well, I just pinged folks on #coreos:fedoraproject.org Matrix channel

@bexelbie do you think you could open this issue on coreos/ignition side: https://github.com/coreos/ignition/issues ? We discussed this on Matrix. Thanks!

tormath1 avatar Mar 19 '25 15:03 tormath1

@tormath1 I don't mind this being tracked in that repo, but I haven't reproduced with CoreOS. Is that ok?

bexelbie avatar Mar 19 '25 16:03 bexelbie

> @tormath1 I don't mind this being tracked in that repo, but I haven't reproduced with CoreOS. Is that ok?

@bexelbie thanks! I did reproduce with FCOS:

core@localhost:~$ stat /opt/setuid-setgid-test/setuid+setgid
  File: /opt/setuid-setgid-test/setuid+setgid
  Size: 24990551  	Blocks: 48816      IO Block: 4096   regular file
Device: 252,4	Inode: 29360257    Links: 1
Access: (0755/-rwxr-xr-x)  Uid: ( 1001/      op)   Gid: ( 1001/      op)
Context: system_u:object_r:var_t:s0
Access: 2025-03-20 09:20:34.188000000 +0000
Modify: 2025-03-20 09:20:36.847000000 +0000
Change: 2025-03-20 09:20:43.430000000 +0000
 Birth: 2025-03-20 09:20:34.188000000 +0000
core@localhost:~$ cat /etc/os-release
NAME="Fedora Linux"
VERSION="41.20250302.3.2 (CoreOS)"
RELEASE_TYPE=stable
ID=fedora
VERSION_ID=41
VERSION_CODENAME=""
PLATFORM_ID="platform:f41"
PRETTY_NAME="Fedora CoreOS 41.20250302.3.2"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:41"
HOME_URL="https://getfedora.org/coreos/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora-coreos/"
SUPPORT_URL="https://github.com/coreos/fedora-coreos-tracker/"
BUG_REPORT_URL="https://github.com/coreos/fedora-coreos-tracker/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=41
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=41
SUPPORT_END=2025-12-15
VARIANT="CoreOS"
VARIANT_ID=coreos
OSTREE_VERSION='41.20250302.3.2'

using:

variant: fcos
version: 1.6.0

passwd:
  users:
    - name: core
      ssh_authorized_keys:
        - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDPKIbw6kZVnn7mih7Av2wk+eNZNIag8yZkKT54vICh1tcUro/PtCin+xlyJeN5yrokF3n7UMIMcwPe+QGEaoAPImSGxstpXzSXSxFo9npmcsA3cbJQReiwjVU6NDRBbYGrCgYdPtshHOMN19J+vIbRPCBZtZZbguQTBO9gDn/5uhzikZ3b7J2VWy2cOtkfBP6AwVM+9ZmKwLaF6CWIEx23BLJjpLtkuNHOjtg0SuqAF1D+lEEf7Ld77zVDMst1waCz2HfSEIr+a7J1/VaBMvxqG8iHwnVV3JcxuYZpYy7lGLAVb9V1SHbAbV54rKdqS5Eetqk9Woo2ABdaCZB//bn9Qs0q5kjw6cUlGleqKZzEFtxMZr6fJIzcd8TGLX+QOBlSMfszCcsdo6/LG8X3ySvDE+vqGTlHPXpeaHJv9Z21rZTnXIB/toVo/6iMrJseBrb6FUkp3oIqSWVTivEoKprTM2cc1ft4mRsmHWLCo1yonX9WfA8etgp/bAiAb4fwpG2oE7E/Mf5y+hS0EH5M88LBfxJMpNkjTkaWxcYfHUQHJGVv//fN5r4JC4ZNVc/PyU5WqmHoTBtQeCZ1p8o7VEwOJCRDl+Np/ykrPB1AobnSsNeiuUD1uCPs3KjzggTt3AeNRXKX2q0N9/dfsFEBTmJFZuSfTcoGUSBEUadfWucIww== [email protected]
    - name: op
      ssh_authorized_keys:
        - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC1N+xhi9y/rHURF3P0c6TiEGizwFnTBKH5GbQI46uyb

storage:
  files:
    - path: /opt/setuid-setgid-test/setuid+setgid
      mode: 06755 # Set UID and GID
      user:
        name: op
      group:
        name: op
      contents:
        source: https://github.com/bexelbie/op-secret-manager/releases/latest/download/op-secret-manager-linux-amd64
    - path: /opt/setuid-setgid-test/setgid
      mode: 02755
      user:
        name: op
      group:
        name: op
      contents:
        source: https://github.com/bexelbie/op-secret-manager/releases/latest/download/op-secret-manager-linux-amd64
    - path: /opt/setuid-setgid-test/setuid
      mode: 04755
      user:
        name: op
      group:
        name: op
      contents:
        source: https://github.com/bexelbie/op-secret-manager/releases/latest/download/op-secret-manager-linux-amd64
    - path: /opt/setuid-setgid-test/normal
      mode: 0755
      user:
        name: op
      group:
        name: op
      contents:
        source: https://github.com/bexelbie/op-secret-manager/releases/latest/download/op-secret-manager-linux-amd64

tormath1 avatar Mar 20 '25 09:03 tormath1
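The two reproductions above show the same thing: a Butane `mode: 06755` ends up as `0755` on disk, while the plain `0755` file is correct. The thread itself does not say why Ignition dropped the bits, so the program below is an added illustration, not Ignition's code or anything posted in the issue. It shows one well-known way a Go program (Ignition is written in Go) produces exactly this symptom: Go's `os.FileMode` does not store setuid, setgid and sticky in bits 9 to 11 of the value the way `chmod`, `stat -c %a` and Butane do; it keeps them in the separate flags `os.ModeSetuid`, `os.ModeSetgid` and `os.ModeSticky`, so a direct cast `os.FileMode(0o6755)` silently becomes `0755`. Whether this is the actual root cause of coreos/ignition#2042 is an assumption here. The `checkModes` function is the post-boot verification a practitioner would run against the paths from the issue; the scratch file, directory and function names are this example's own.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Raw Unix permission bits as written in a Butane "mode" field and as
// printed by stat -c %a.
const (
	setuidBit = 0o4000
	setgidBit = 0o2000
	stickyBit = 0o1000
)

// unixModeToFileMode converts a raw Unix mode such as 0o6755 into a Go
// os.FileMode. A plain os.FileMode(0o6755) keeps only the 0o755 permission
// bits, because Go represents setuid/setgid/sticky as separate high flags.
func unixModeToFileMode(mode uint32) os.FileMode {
	fm := os.FileMode(mode & 0o777)
	if mode&setuidBit != 0 {
		fm |= os.ModeSetuid
	}
	if mode&setgidBit != 0 {
		fm |= os.ModeSetgid
	}
	if mode&stickyBit != 0 {
		fm |= os.ModeSticky
	}
	return fm
}

// fileModeToUnix is the inverse: the octal value stat -c %a would print.
func fileModeToUnix(fm os.FileMode) uint32 {
	mode := uint32(fm.Perm())
	if fm&os.ModeSetuid != 0 {
		mode |= setuidBit
	}
	if fm&os.ModeSetgid != 0 {
		mode |= setgidBit
	}
	if fm&os.ModeSticky != 0 {
		mode |= stickyBit
	}
	return mode
}

// chmodBothWays creates a scratch file, chmods it first with the naive cast
// and then with the correct conversion, and returns the mode the kernel
// actually recorded after each call.
func chmodBothWays(requested uint32) (naive, converted uint32, err error) {
	dir, err := os.MkdirTemp("", "suid-demo")
	if err != nil {
		return 0, 0, err
	}
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "bin") // scratch file, not a real binary
	if err := os.WriteFile(path, []byte("#!/bin/sh\n"), 0o755); err != nil {
		return 0, 0, err
	}

	// Naive: treat the Butane value as if it were already an os.FileMode.
	if err := os.Chmod(path, os.FileMode(requested)); err != nil {
		return 0, 0, err
	}
	st, err := os.Stat(path)
	if err != nil {
		return 0, 0, err
	}
	naive = fileModeToUnix(st.Mode())

	// Correct: translate the Unix bits into Go's flag representation first.
	if err := os.Chmod(path, unixModeToFileMode(requested)); err != nil {
		return 0, 0, err
	}
	st, err = os.Stat(path)
	if err != nil {
		return 0, 0, err
	}
	converted = fileModeToUnix(st.Mode())
	return naive, converted, nil
}

// checkModes compares on-disk modes with what the config requested and
// returns one line per mismatch (empty when everything matches). Run it
// after first boot with the paths and modes from the Butane file.
func checkModes(expected map[string]uint32) ([]string, error) {
	var bad []string
	for path, want := range expected {
		st, err := os.Stat(path)
		if err != nil {
			return nil, err
		}
		if got := fileModeToUnix(st.Mode()); got != want {
			bad = append(bad, fmt.Sprintf("%s: want %04o, got %04o", path, want, got))
		}
	}
	return bad, nil
}

func main() {
	naive, converted, err := chmodBothWays(0o6755)
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	fmt.Printf("requested 06755: naive cast -> %04o, converted -> %04o\n", naive, converted)

	// Post-boot check for the layout used in this issue.
	bad, err := checkModes(map[string]uint32{
		"/opt/setuid-setgid-test/setuid+setgid": 0o6755,
		"/opt/setuid-setgid-test/setgid":        0o2755,
		"/opt/setuid-setgid-test/setuid":        0o4755,
		"/opt/setuid-setgid-test/normal":        0o755,
	})
	if err != nil {
		fmt.Println("check skipped:", err)
		return
	}
	for _, line := range bad {
		fmt.Println("MISMATCH", line)
	}
}
```

On a host provisioned with the config from the issue, the `checkModes` call in `main` prints a MISMATCH line for each of the three files that lost their bits and nothing for `normal`; on a machine without those paths it reports the `stat` error and exits. The round trip through `unixModeToFileMode` and `fileModeToUnix` is the check worth adding to any Go code that accepts octal modes from a config file, since the compiler will happily accept the bare cast.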

Just casually observing from the sideline (and also not on my computer), but most systems have issues resolving the numeric IDs.

Would it be possible to create the user/group with your own IDs and use those in your ignition?

I think the fcos variant supports gid and uid.

Better/More predictable for your security posture anyway.

till avatar Mar 20 '25 11:03 till

opened: https://github.com/coreos/ignition/issues/2042

bexelbie avatar Mar 25 '25 09:03 bexelbie

Thanks @bexelbie this has been fixed upstream. I'll wait for this to land into Flatcar before closing the issue. Thanks a lot for the report!

tormath1 avatar May 13 '25 14:05 tormath1

The fix has been pulled in the last Ignition update on Flatcar (v2.22.0) - it will be in next Alpha > 4426.0.0

tormath1 avatar Aug 20 '25 12:08 tormath1