Skip to content

DLPX-93763 GCP cloud-init may allow privileged user creation #108

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
david-mendez1 wants to merge 2 commits into from
Closed

DLPX-93763 GCP cloud-init may allow privileged user creation #108

david-mendez1 wants to merge 2 commits into from

Conversation

@david-mendez1
Copy link

@david-mendez1 david-mendez1 commented Mar 27, 2025
edited
Loading

Background

Recently, a customer provided examples of privileged shell access with a custom user created on a GCP deployment. This seemed to indicate that an arbitrary user was created, possibly during VM creation.

In further review and discussion with others in #dlpx-gcp Slack room, it appears that user-metadata can be leveraged to ‘insert’ operations via cloud-init and thereby create additional users on the Delphix VM.

Problem

Originally Delphix removed the module `users-groups` from cloud.cfg.tmpl to avoid this issue of being able to create a user. 2 yrs ago, upstream changed the format of the cloud init modules to use underscores rather than hyphens. During a merge conflict, we inadvertently merged the unwanted `users_groups` back into cloud.init.

canonical/cloud-init#4272

Solution

Remove users_groups from cloud.cfg.tmpl

Testing Done

https://selfservice-jenkins.eng-tools-prd.aws.delphixcloud.com/job/appliance-build-orchestrator-pre-push/10685/
Note: upgrade failed due to know bug https://perforce.atlassian.net/browse/DLPX-93809

@david-mendez1 david-mendez1 force-pushed the dlpx/pr/david-mendez1/724e0754-e0bb-493d-8912-971a42d9d13a branch from 29132aa to 8866b7c Compare March 27, 2025 00:38
@david-mendez1 david-mendez1 marked this pull request as ready for review March 27, 2025 00:55
jwk404
jwk404 approved these changes Mar 27, 2025
View reviewed changes
Copy link
Contributor

@jwk404 jwk404 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, pending a good test run.

mend-for-github-com bot and others added 2 commits May 29, 2025 12:36
@mend-for-github-com @ShibasishDelphix @david-mendez1
DLPX-93075 Configure Mend for cloud-init (#95)
bbed0a5 
* Add .whitesource configuration file

* DLPX-93075 Configure Mend for cloud-init

---------

Co-authored-by: mend-for-github-com[bot] <50673670+mend-for-github-com[bot]@users.noreply.github.com>
Co-authored-by: Shibasish Nandi <[email protected]>
@david-mendez1
DLPX-93763 GCP cloud-init may allow privileged user creation
9dd1b8f 
PR URL: https://www.github.com/delphix/cloud-init/pull/108
@david-mendez1 david-mendez1 force-pushed the dlpx/pr/david-mendez1/724e0754-e0bb-493d-8912-971a42d9d13a branch from 8866b7c to 9dd1b8f Compare May 29, 2025 19:37
@david-mendez1
Copy link
Author

david-mendez1 commented May 29, 2025

Fix not needed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sebroy sebroy Awaiting requested review from sebroy

@prakashsurya prakashsurya Awaiting requested review from prakashsurya

1 more reviewer

@jwk404 jwk404 jwk404 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@david-mendez1 @jwk404