Skip to content

fix: ensure pkgrepo key files are world-readable regardless of umask#69706

Open
Mubashir78 wants to merge 1 commit into
saltstack:masterfrom
Mubashir78:fix/pkgrepo-key-permissions
Open

fix: ensure pkgrepo key files are world-readable regardless of umask#69706
Mubashir78 wants to merge 1 commit into
saltstack:masterfrom
Mubashir78:fix/pkgrepo-key-permissions

Conversation

@Mubashir78

Copy link
Copy Markdown

Fixes #66731

When pkgrepo.managed saves GPG key files via add_repo_key with aptkey=False, the destination file inherits permissions from the process umask. On hardened systems with umask 077, this produces mode 0o700 files that the _apt user cannot read, causing apt-get update to fail with NO_PUBKEY errors.

Changes:

  1. salt/modules/aptpkg.py: Added os.chmod(0o644) after shutil.copyfile in the key_url/path branch, and after the gpg command succeeds in the keyserver branch. This matches the pattern used elsewhere in the salt codebase (e.g., tls.py, cron.py, ssh.py).

  2. tests/pytests/unit/modules/test_aptpkg.py: Added two tests:

    • test_add_repo_key_key_url_sets_world_readable_permissions - verifies the key file from key_url gets 0o644
    • test_add_repo_key_keyserver_sets_world_readable_permissions - verifies chmod is called after gpg import

When pkgrepo.managed saves GPG key files via add_repo_key with
aptkey=False, the destination file inherits permissions from the
process umask. On hardened systems with umask 077, this produces
mode 0o700 files that the _apt user cannot read, causing apt-get
update to fail with NO_PUBKEY errors.

Add os.chmod(0o644) after shutil.copyfile for the key_url path
and after the gpg command for the keyserver path, matching the
pattern used elsewhere in the salt codebase (tls.py, cron.py).

Fixes saltstack#66731
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

test:full Run the full test suite

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[BUG] pkgrepo.managed saving keys in /usr/share/keyrings/ with too restrictive permissions on hardens systems.

2 participants