sshkey creates /etc/ssh/ssh_known_hosts with mode 600
Affected Puppet version: 0.24.7
Using the sshkey type, /etc/ssh/ssh_known_hosts is created with mode 600 by default. This seems undesirable in most situations. I think the default should be 644. I didn’t see anything obvious in the sshkey code that set it strictly on purpose. Does puppet default to 600 somewhere? And is there a simple way to tweak a type to use a different mode? This seems like a similar issue to #1538. Of course, it’s not an inifile, so the fix will be different.
#3 Updated by Luke Kanies almost 5 years ago
- Target version changed from 0.24.8 to 2.6.0
While I agree that this is a bug, it’s not a new bug (just one it took a long time for someone to complain about), so I don’t think it’s worth holding 0.24.8 for. And it’s a relatively difficult bug to fix, because the code for writing the file is so far from the code that decides what gets written. Certainly complicated enough that I don’t want its fix going into the hopefully-entirely-stable 0.24.8 release.
#4 Updated by Todd Zullinger almost 5 years ago
Holding off sounds like a good plan. I think a number of the parsed provider resources could benefit from a clean fix in this area, rather than adding special cases for each instance. :)
If it’s possible when refactoring things, something that might be quite useful is to have a mode param for these resources, so that users who don’t agree with the defaults can change them easily without adding a mostly redundant file resource. For some of the types (yumrepo and ssh keys come to mind), the name/path of the file isn’t always straightforward to determine, so adding a file resource to modify the mode can often be more work than it needs to be.
#6 Updated by Rob Madole almost 4 years ago
On a Gentoo box, not only did it create the file with 600 but the owner was root while I needed it to be “robmadole”. Sure, easy enough to fix with the file resource, but I like the way that ssh_authorized_keys works. You specify a user and just as I expected, file ownership and permissions were set up properly.
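The workaround both comments above refer to, written out as an added example (not code from this ticket or from Puppet itself): an explicit file resource alongside the sshkey entry so the system-wide known_hosts file ends up readable by every user. The host name, key material and owner are placeholders, and the mode is quoted as '0644' in the form current Puppet releases expect.

```puppet
# sshkey writes its entries to /etc/ssh/ssh_known_hosts by default; on the
# affected release the file is created 600, so only root can read it and every
# other user's ssh client silently gets no system-wide host key to verify against.
sshkey { 'bastion.example.internal':
  ensure => present,
  type   => 'ssh-rsa',
  # constructed placeholder, not a real host key
  key    => 'AAAAB3NzaC1yc2E...REPLACE-WITH-THE-HOST-PUBLIC-KEY',
}

# Managing the same path with a file resource pins the permissions regardless
# of what the parsed-file provider did when it (re)wrote the file.
# require => ensures the mode is applied after sshkey has written the entry.
file { '/etc/ssh/ssh_known_hosts':
  ensure  => file,
  owner   => 'root',     # set to a specific user if the box needs it (see #6)
  group   => 'root',
  mode    => '0644',     # world-readable, matching the expected default
  require => Sshkey['bastion.example.internal'],
}
```

After applying, `ls -l /etc/ssh/ssh_known_hosts` should show `-rw-r--r--` and an unprivileged user's `ssh -v` should report the file being read during host key verification.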