fix: ensure pkgrepo key files are world-readable regardless of umask#69706
Open
Mubashir78 wants to merge 1 commit into
Open
fix: ensure pkgrepo key files are world-readable regardless of umask#69706Mubashir78 wants to merge 1 commit into
Mubashir78 wants to merge 1 commit into
Conversation
When pkgrepo.managed saves GPG key files via add_repo_key with aptkey=False, the destination file inherits permissions from the process umask. On hardened systems with umask 077, this produces mode 0o700 files that the _apt user cannot read, causing apt-get update to fail with NO_PUBKEY errors. Add os.chmod(0o644) after shutil.copyfile for the key_url path and after the gpg command for the keyserver path, matching the pattern used elsewhere in the salt codebase (tls.py, cron.py). Fixes saltstack#66731
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #66731
When
pkgrepo.managedsaves GPG key files viaadd_repo_keywithaptkey=False, the destination file inherits permissions from the process umask. On hardened systems with umask 077, this produces mode 0o700 files that the_aptuser cannot read, causingapt-get updateto fail withNO_PUBKEYerrors.Changes:
salt/modules/aptpkg.py: Addedos.chmod(0o644)aftershutil.copyfilein thekey_url/pathbranch, and after the gpg command succeeds in thekeyserverbranch. This matches the pattern used elsewhere in the salt codebase (e.g.,tls.py,cron.py,ssh.py).tests/pytests/unit/modules/test_aptpkg.py: Added two tests:test_add_repo_key_key_url_sets_world_readable_permissions- verifies the key file fromkey_urlgets 0o644test_add_repo_key_keyserver_sets_world_readable_permissions- verifies chmod is called after gpg import