coreos-status November 2021

coreos-status@lists.fedoraproject.org

2 participants
2 discussions

Overly permissive file modes in previous Fedora CoreOS releases

by Benjamin Gilbert

Hi all, A small, but important, set of files was incorrectly given group write permission on Fedora CoreOS systems for a few releases. In addition, Ignition configs written by coreos-installer before 0.10.0 were made world-readable, potentially exposing secrets to unprivileged users on the host. Both problems were corrected automatically when affected systems were upgraded to newer releases. Group-writable files -------------------- The following (potentially non-exhaustive) list of files were inadvertently made writable by the `root` group: /etc/crypto-policies/state/current /etc/group /etc/group- /etc/iscsi/initiatorname.iscsi /etc/passwd /etc/passwd- /etc/selinux/config /etc/ssh/sshd_config.d/40-disable-passwords.conf /etc/systemd/dont-synthesize-nobody This is only an issue if unprivileged users or rootful containers had access to the `root` group (i.e. having processes running under an unprivileged UID but with the `root` group) as they could have potentially altered those files and thus escalated privileges. New installations starting from version 34.20210611.3.0 (stable), 34.20210611.2.0 (testing), 34.20210611.1.0 (next) and later are unaffected. All existing systems that have updated to an unaffected version have automatically fixed the affected permissions and no action is required. You can verify that no other file or directory has those permission bits set with the following command: sudo find /etc -type f,d -perm /022 This issue is tracked in fedora-coreos-tracker #829 [1]. World-readable Ignition configs (CVE-2021-3917) ----------------------------------------------- On systems installed with coreos-installer before 0.10.0, /boot/ignition/config.ign was made world-readable, giving unprivileged users access to any secrets included in that file. Instances launched from a cloud image, and systems provisioned with the ignition.config.url kernel argument, do not use that file and are unaffected. coreos-installer 0.10.0 and later writes the Ignition config with restrictive permissions. In addition, on Fedora CoreOS systems installed from version 34.20210711.3.0 (stable), 34.20210711.2.0 (testing), 34.20210711.1.1 (next) and later, the /boot/ignition directory and its contents are removed after provisioning is complete. All existing systems that have updated to an unaffected version have automatically removed the /boot/ignition directory and no action is required. This issue is tracked in fedora-coreos-tracker #889 [2]. Best, --Timothée Ravier and Benjamin Gilbert [1]: https://github.com/coreos/fedora-coreos-tracker/issues/829 [2]: https://github.com/coreos/fedora-coreos-tracker/issues/889

2 years, 5 months

1
0
0 / 0

Fedora CoreOS streams rebasing to Fedora Linux 35

by Dusty Mabe

Over the next few weeks we're rolling out Fedora Linux 35 to the `testing` and `stable` streams of Fedora CoreOS. During the Fedora 35 development cycle we followed the Fedora Change process more closely [1] in order to provide a smoother transition of incoming Fedora Changes. Current known issues with recent kernels (F34 & F35): - AWS `m6i` instances fail to boot [2] - Some OKD [3] and Kubernetes [4] workloads cause kernel deadlock Some highlights of recently added features: - cgroups v2 is now the default [5] - Ignition now supports setting/updating kernel arguments [6] - DNF Count Me support was added and is now enabled by default [7]. - 64-bit ARM (aarch64) artifacts are now available [8] - Raspberry Pi 4 install documentation is now available [9] - systemd-resolved is now fully enabled [10] Some new features landing in the coming months: - Support for Virtualbox [11] - Support for a minimal ISO image [12] - Support for Nutanix [13] - Switching to iptables-nft by default [14] Thanks to everyone who participated in the test day [15] and to everyone that follows the `testing` and `next` streams to help us identify and fix issues before they get to `stable`. Dusty Mabe, for the Fedora CoreOS team [1] https://github.com/coreos/fedora-coreos-tracker/issues/856 [2] https://github.com/coreos/fedora-coreos-tracker/issues/1004 [3] https://github.com/coreos/fedora-coreos-tracker/issues/957 [4] https://github.com/coreos/fedora-coreos-tracker/issues/940 [5] https://github.com/coreos/fedora-coreos-tracker/issues/292 [6] https://github.com/coreos/ignition/issues/1168 [7] https://github.com/coreos/fedora-coreos-tracker/issues/717 [8] https://github.com/coreos/fedora-coreos-tracker/issues/13 [9] https://docs.fedoraproject.org/en-US/fedora-coreos/provisioning-raspberry... [10] https://github.com/coreos/fedora-coreos-tracker/issues/834 [11] https://github.com/coreos/fedora-coreos-tracker/issues/1008 [12] https://github.com/coreos/fedora-coreos-tracker/issues/868 [13] https://github.com/coreos/fedora-coreos-tracker/issues/1007 [14] https://github.com/coreos/fedora-coreos-tracker/issues/676 [15] https://github.com/coreos/fedora-coreos-tracker/issues/973#issuecomment-9... Over the next two days we're rolling out the first Fedora 34 based Fedora CoreOS into the `stable` stream. Some notable issues/configurations: - Very old systems (Fedora 32 and earlier) may not be able to update [0] - systemd-resolved is still enabled but not used yet [1] Here are some highlights of recently added features in Fedora CoreOS: - The `/boot` partition is now mounted read-only. - This continues the work to protect more of the OS from accidental damage. - It is now possible to configure boot disk RAID 1 mirroring via Ignition [2]. - Better introspection into the state of Zincati (the update agent) from `rpm-ostree status`. - Better support for disk encryption. - Initial (non-automatic) support for updating the bootloader. [3] Here are some new features landing in the coming months: - Support for specifying kernel arguments via Ignition [4]. - Move to cgroup v2 by default [5]. - DNF Count Me support for Fedora CoreOS [6]. Thanks to everyone who participated in the test day [7] and to everyone that run the `testing` and `next` streams to help us identify and fix issues before they get to `stable`. Dusty Mabe, for the Fedora CoreOS team [0] https://github.com/coreos/fedora-coreos-tracker/issues/749#issuecomment-8... [1] https://github.com/coreos/fedora-coreos-tracker/issues/834 [2] https://docs.fedoraproject.org/en-US/fedora-coreos/storage/#_reconfigurin... [3] https://docs.fedoraproject.org/en-US/fedora-coreos/bootloader-updates/ [4] https://github.com/coreos/ignition/issues/1168 [5] https://github.com/coreos/fedora-coreos-tracker/issues/292 [6] https://github.com/coreos/fedora-coreos-tracker/issues/717 [7] https://testdays.fedoraproject.org/events/113 _______________________________________________ CoreOS mailing list -- coreos(a)lists.fedoraproject.org To unsubscribe send an email to coreos-leave(a)lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/coreos@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

2 years, 5 months

1
0
0 / 0

← Newer
1
Older →

2024

2023

2022

2021

2020

2019

coreos-status November 2021