cloud-init

network v2: do not render world-readable netplan when wifi or auth config contains sensitive passwords

Bug #1981646 reported by Chad Smith on 2022-07-13

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Netplan	Triaged	Wishlist	Unassigned
	cloud-init	Fix Released	Low	Unassigned

Bug Description

https://netplan.io/reference/ supports wifi password and auto client-key-password keys which should generally not be world-readable.

But, when rendering passthrough V2 network configuration, cloud-init emits a single /etc/netplan/50-cloud-init.yaml file that is world readable.

If network v2 config contains sensitive password keys it may make sense for cloud-init to either:

1. Make /etc/netplan/50-cloud-init.yaml only root-readable
- OR -
2. Write a world-readable /etc/netplan/50-cloud-init.yaml containing all keys except wifis and auth and a root-readable /etc/netplan/50-cloud-init-sensitive.yaml which would contain any security sensitive config content.

Tags:

James Falcon (falcojr) on 2022-07-14

Changed in cloud-init:
status:	New → Triaged

Revision history for this message

Chad Smith (chad.smith) wrote on 2022-07-19 (last edit on 2022-07-19):

Alternative solution to this could be if netplan.io grows a new root-only directory option that defines a schema for storing sensitive information like credentials. Not sure if this is something netplan.io would plan to grow or not. Tagging netplan.io on this bug as an FYI `wishlist` in case future feature work goes this direction.

The features that may be nice from netplan frm a usability standpoint:
1. documented policy that suggests chmod 600 on any netplan YAML
2. Instrumented policy in `netplan generate` or `netplan apply` that warns about world-readable files consumed which happen to contain security-related keys.
3. Ideally, sensitive YAML content root-only files wouldn't live in with world-readable content in /etc/netplan/* files. Possibly define a sensitive/security/credentials subdirectory/schema that could contain the security bits.

This is probably not the bug to file against netplan.io as it contains multiple feature request, but I wanted to track the sentiment in case that effort is becomes something desireable for netplan (and thereby affecting how cloud-init should write out sensitive files).

Lukas Märdian (slyon) on 2022-07-20

tags:

added: fr-2562

Lukas Märdian (slyon) on 2022-07-20

Changed in netplan:
status:	New → Triaged
importance:	Undecided → Wishlist

Revision history for this message

Lukas Märdian (slyon) wrote on 2023-01-24:

Thank you for the suggestions in comment #1.

(2) has been implemented in:
https://github.com/canonical/netplan/pull/300

(1) got implemented just now, to be reflected in our docs:
https://netplan.readthedocs.io/en/latest/reference.html
https://github.com/canonical/netplan/commit/db043801d0d7838d84cb7d0e4e07b6088e2d5771

I'll keep this bug open as a feature request (wishlist) to consider the implementation of (3)

Revision history for this message

Alex Dehnert (adehnert) wrote on 2023-05-02:

Any chance of getting the cloud-init side of this fixed? It's disconcerting to find my wifi passwords world-readable, and according to the comment at the top of the file:
# This file is generated from information provided by the datasource. Changes
# to it will not persist across an instance reboot.

That suggests I can't just fix the permissions and leave it alone. (OTOH, actually changing that file doesn't seem to have my changes, to either permissions or content, overwritten.)

Revision history for this message

James Falcon (falcojr) wrote on 2023-05-02:

The cloud-init side of this is is available on Ubuntu 23.04+. Older releases will not see this functionality as to not break backwards compatibility.

Change landed in https://github.com/canonical/cloud-init/pull/1891 .