### Description
When adding a repo using pkgrepo.managed, the keys are being saved in /usr/share/keyrings/ with too restrictive permissions on systems hardened with a default UMASK of 077.
### Setup
(Please provide relevant configs and/or SLS files (be sure to remove sensitive info). There is no general set-up of Salt.)
Please be as specific as possible and give set-up details.
- [x] on-prem machine
- [x] VM (VMWare)
- [ ] VM running on a cloud service, please be explicit and add details
- [ ] container (Kubernetes, Docker, containerd, etc. please specify)
- [ ] or a combination, please be explicit
- [ ] jails if it is FreeBSD
- [ ] classic packaging
- [x] onedir packaging
- [ ] used bootstrap to install
### Steps to Reproduce the behavior
I'm using the Microsoft Defender repo in my examples below, but it happens with all repos we add.
Hardened environment by adding the following in /etc/login.defs.
```
UMASK 077
```
Unclear if a restart of the salt-minion and/or reboot of the system is required to take effect.
Execute a state file containing the following...
```yaml
install_mdatp_repo:
  pkgrepo.managed:
    - aptkey: False
    - humanname: Microsoft Defender Repository
    - name: deb [arch=amd64,armhf,arm64 signed-by=/usr/share/keyrings/microsoft.gpg] https://packages.microsoft.com/{{ grains['os'] | lower }}/{{ grains['lsb_distrib_release'] }}/prod {{ grains['oscodename'] | lower }} main
    - dist: {{ grains['oscodename'] | lower }}
    - file: /etc/apt/sources.list.d/microsoft-prod.list
    - key_url: https://packages.microsoft.com/keys/microsoft.asc
    - refresh: true
    - refresh_db: true
```
This results in (among other things) two files being generated...
```
# ll /etc/apt/sources.list.d/microsoft-prod.list
-rw------- 1 root root 133 Jul 19 14:55 /etc/apt/sources.list.d/microsoft-prod.list
# ll /usr/share/keyrings/microsoft.gpg
-rw------- 1 root root 641 Jul 19 14:55 microsoft.gpg
```
The restrictive permissions on /etc/apt/sources.list.d/microsoft-prod.list don't seem to cause any problems. I've been unable to find any recommended permissions for source files.
However, the restrictive permissions on /usr/share/keyrings/microsoft.gpg cause apt-get update to fail with the error...
```
Err:X https://packages.microsoft.com/ubuntu/22.04/prod jammy InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY EB3E94ADBE1229CF
```
https://manpages.ubuntu.com/manpages/noble/en/man5/sources.list.5.html states that ...
> keyring files have to be accessible and readable for the _apt system user, so ensure everyone has read-permissions on the file

Once I manually grant read access to the key for all users (chmod a+r /usr/share/keyrings/microsoft.gpg) I'm able to run apt-get update without any errors.
```
# ll /usr/share/keyrings/microsoft.gpg
-rw-r--r-- 1 root root 641 Jul 19 14:55 /usr/share/keyrings/microsoft.gpg
```
### Expected behaviour
Create key files with permissions readable by all.
```
# ll /usr/share/keyrings/microsoft.gpg
-rw-r--r-- 1 root root 641 Jul 19 14:55 /usr/share/keyrings/microsoft.gpg
```
### Versions Report
```
salt --versions-report
Salt Version:
          Salt: 3007.1

Python Version:
        Python: 3.10.14 (main, Apr 3 2024, 21:30:09) [GCC 11.2.0]

Dependency Versions:
          cffi: 1.16.0
      cherrypy: 18.8.0
      dateutil: 2.8.2
     docker-py: Not Installed
         gitdb: Not Installed
     gitpython: Not Installed
        Jinja2: 3.1.4
       libgit2: Not Installed
  looseversion: 1.3.0
      M2Crypto: Not Installed
          Mako: Not Installed
       msgpack: 1.0.7
  msgpack-pure: Not Installed
  mysql-python: Not Installed
     packaging: 23.1
     pycparser: 2.21
      pycrypto: Not Installed
  pycryptodome: 3.19.1
        pygit2: Not Installed
  python-gnupg: 0.5.2
        PyYAML: 6.0.1
         PyZMQ: 25.1.2
        relenv: 0.16.0
         smmap: Not Installed
       timelib: 0.3.0
       Tornado: 6.3.3
           ZMQ: 4.3.4

Salt Package Information:
  Package Type: onedir

System Versions:
          dist: ubuntu 22.04.4 jammy
        locale: utf-8
       machine: x86_64
       release: 5.15.0-116-generic
        system: Linux
       version: Ubuntu 22.04.4 jammy
```
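As an added illustration of the report above (not the reporter's code and not Salt's own pkgrepo implementation), this Python snippet reproduces the umask effect in a temporary directory and shows the fix a keyring writer needs: set the file mode explicitly instead of inheriting it from the umask, and audit a keyring directory for files the _apt user could not read. The names `write_keyring`, `unreadable_keyrings` and `demo` are assumed here, and the key bytes are constructed.

```python
import os
import stat
import tempfile


def write_keyring(path: str, data: bytes, mode: int = 0o644) -> int:
    """Write a keyring file and force its mode regardless of the process umask.

    A plain open(path, "wb") inherits the umask, so under UMASK 077 the file
    comes out 0600 and apt's _apt user cannot read it. fchmod() after creation
    makes the final mode independent of the umask. Returns the resulting mode.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    try:
        os.write(fd, data)
        os.fchmod(fd, mode)  # explicit mode wins over the umask
    finally:
        os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)


def unreadable_keyrings(directory: str) -> list:
    """Return regular files in `directory` that lack world-read permission."""
    bad = []
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if os.path.isfile(full) and not stat.S_IMODE(os.stat(full).st_mode) & stat.S_IROTH:
            bad.append(name)
    return bad


def demo() -> dict:
    """Reproduce the report's scenario: umask 077, naive write vs. explicit mode."""
    key = b"constructed-key-bytes"  # constructed sample, not a real key
    old = os.umask(0o077)  # hardened default from /etc/login.defs in the report
    try:
        with tempfile.TemporaryDirectory() as d:
            naive = os.path.join(d, "naive.gpg")
            with open(naive, "wb") as f:  # umask applies: 0666 & ~077 == 0600
                f.write(key)
            fixed_mode = write_keyring(os.path.join(d, "fixed.gpg"), key)
            return {
                "naive_mode": stat.S_IMODE(os.stat(naive).st_mode),
                "fixed_mode": fixed_mode,
                "unreadable": unreadable_keyrings(d),
            }
    finally:
        os.umask(old)
```

Running `demo()` reports the naive file as 0600 and the explicitly written one as 0644, with only the naive file flagged by the audit.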