aws / amazon-ssm-agent

An agent to enable remote management of your EC2 instances, on-premises servers, or virtual machines (VMs).
https://aws.amazon.com/systems-manager/
Apache License 2.0

opening 2 ssm sessions in parallel for the first time attempts to create duplicate ssm-user #573

Open thomasdziedzic-calmwave opened 3 weeks ago

thomasdziedzic-calmwave commented 3 weeks ago

We have a script that opens 2 ssm sessions in parallel, and on a brand new ec2 instance, when we run this script, it messed up the ssm-user's home directory permissions:

ssm-user@ip:/var/snap/amazon-ssm-agent/7993$ id
uid=30034(ssm-user) gid=30034(ssm-user) groups=30034(ssm-user)
ssm-user@ip:/var/snap/amazon-ssm-agent/7993$ echo $HOME
/home/ssm-user
ssm-user@ip:/var/snap/amazon-ssm-agent/7993$ sudo ls -ld $HOME
drwxr-x--- 2 30033 30033 4096 Jun 10 13:58 /home/ssm-user

2024-06-10 13:57:10 INFO [ssm-session-worker] [REDACTED-1] [DataBackend] [pluginName=InteractiveCommands] Successfully created ssm-user
2024-06-10 13:57:10 INFO [ssm-session-worker] [REDACTED-2] [DataBackend] [pluginName=InteractiveCommands] Successfully created ssm-user

There should be some kind of safety / lock in place to prevent the ssm-agent from attempting to create multiple users with the same login at the same time on initial login.
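
The interleaving behind the report, as an added example that is not code from the amazon-ssm-agent project: two workers both look the user up, both see it absent, and both create it. The program below is a constructed in-memory model (fakeSystem, ensureUserRacy, ensureUserLocked, RunRacy and RunLocked are all invented names); the uids 30033 and 30034 are taken from the report. The model does not claim to reproduce how useradd reached that state on the instance; it only assumes that a second create replaces the name-to-uid mapping while the home directory, created once, keeps its first owner, which is enough to exhibit the reported symptom. The locked variant shows the shape of the fix: one lock held across the whole check-then-create, with the check repeated after the lock is taken.

```go
package main

import (
	"fmt"
	"sync"
)

// passwdEntry models one line of a passwd database.
type passwdEntry struct {
	name string
	uid  int
}

// fakeSystem is a constructed stand-in for the OS: a passwd table, the uid
// owning each home directory, and a count of create calls. It is a model of
// the symptom in the report, not of useradd's real behaviour.
type fakeSystem struct {
	mu        sync.Mutex // guards the table itself; this is not the fix
	nextUID   int
	passwd    []passwdEntry
	homeOwner map[string]int
	creates   int
}

// lookup returns the uid of the newest entry named name (assumption: the
// later entry wins, which yields id=30034 after two creates).
func (s *fakeSystem) lookup(name string) (int, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	for i := len(s.passwd) - 1; i >= 0; i-- {
		if s.passwd[i].name == name {
			return s.passwd[i].uid, true
		}
	}
	return 0, false
}

// create allocates the next uid; the home is created only the first time,
// so it stays owned by the uid of the first create.
func (s *fakeSystem) create(name, home string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	uid := s.nextUID
	s.nextUID++
	s.passwd = append(s.passwd, passwdEntry{name, uid})
	if _, exists := s.homeOwner[home]; !exists {
		s.homeOwner[home] = uid
	}
	s.creates++
}

// ensureUserRacy is check-then-create with nothing holding the two steps
// together. The barrier forces both workers past the check before either
// creates, the interleaving two parallel first sessions can hit.
func ensureUserRacy(sys *fakeSystem, name, home string, barrier *sync.WaitGroup) {
	if _, exists := sys.lookup(name); exists {
		return
	}
	barrier.Done()
	barrier.Wait()
	sys.create(name, home)
}

// createLock stands in for a lock shared by every session worker.
var createLock sync.Mutex

// ensureUserLocked holds the lock across the whole sequence and re-checks
// after acquiring it, so the worker that loses the race sees the user.
func ensureUserLocked(sys *fakeSystem, name, home string) {
	createLock.Lock()
	defer createLock.Unlock()
	if _, exists := sys.lookup(name); exists {
		return
	}
	sys.create(name, home)
}

// runTwo runs fn from two goroutines against a fresh system and reports the
// uid lookup returns, the uid owning the home, and how many creates ran.
func runTwo(fn func(*fakeSystem, *sync.WaitGroup)) (uid, owner, creates int) {
	sys := &fakeSystem{nextUID: 30033, homeOwner: map[string]int{}}
	var barrier, done sync.WaitGroup
	barrier.Add(2)
	done.Add(2)
	for i := 0; i < 2; i++ {
		go func() {
			defer done.Done()
			fn(sys, &barrier)
		}()
	}
	done.Wait()
	uid, _ = sys.lookup("ssm-user")
	return uid, sys.homeOwner["/home/ssm-user"], sys.creates
}

// RunRacy reproduces the report: id says 30034, the home is owned by 30033.
func RunRacy() (uid, owner, creates int) {
	return runTwo(func(s *fakeSystem, b *sync.WaitGroup) { ensureUserRacy(s, "ssm-user", "/home/ssm-user", b) })
}

// RunLocked creates the user exactly once, so uid and home owner agree.
func RunLocked() (uid, owner, creates int) {
	return runTwo(func(s *fakeSystem, _ *sync.WaitGroup) { ensureUserLocked(s, "ssm-user", "/home/ssm-user") })
}

func main() {
	u, o, c := RunRacy()
	fmt.Printf("racy:   creates=%d id=%d home-owner=%d\n", c, u, o)
	u, o, c = RunLocked()
	fmt.Printf("locked: creates=%d id=%d home-owner=%d\n", c, u, o)
}
```

The mutex is only an in-process stand-in. The log lines in the report come from two ssm-session-worker entries with different session IDs; if those run as separate processes, a mutex in one of them protects nothing, and the lock has to be something both processes share, such as flock(2) on a file the agent owns, still followed by the re-check after it is acquired.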

yuting-fan commented 1 week ago

Hi @thomasdziedzic-calmwave,

Session Manager does not override the permission when creating the home directory. So it uses the default the OS defines. The default permission for the home directory varies among different platforms. E.g., prior to Ubuntu 21.04, the default home directory permission is 755. And starting from Ubuntu 21.04, the default home directory permission is 750, which is what your home directory permission is. And there are some OSes that default to an even more permissive permission set, like 777.

What is the OS of your EC2 instance? And if you run useradd command on the instance to create a user directly, what's the permission of the home directory of that user?

Regards, Yuting

thomasdziedzic-calmwave commented 1 week ago

What is the OS of your EC2 instance?

ubuntu 22.04

And if you run useradd command on the instance to create a user directly, what's the permission of the home directory of that user?

The problem isn't with the home directory being 750 itself; this is fine. The problem is that the 2nd session overwrote/updated the uid/gid of the ssm-user such that the ssm-user user and group were no longer the owners of the /home/ssm-user directory.

The id command returns 30034 for the ssm-user but the home directory is owned by 30033.
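
The check the two commands in the report perform by hand (id versus sudo ls -ld $HOME), as an added example that is not code from the project: it looks the user up in the passwd database, reads the uid that owns the home directory without following symlinks, and reports whether they agree. The repair, re-owning the tree to the passwd uid and gid, is behind a FIX=1 environment variable that is this example's own convention. ownerUID, homeOwnerMatches and chownTree are invented names; the code needs a Unix host for syscall.Stat_t and root to re-own a home it does not own.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"os/user"
	"path/filepath"
	"strconv"
	"syscall"
)

// ownerUID returns the uid owning path, without following a final symlink
// (the same view as ls -ld).
func ownerUID(path string) (uint32, error) {
	fi, err := os.Lstat(path)
	if err != nil {
		return 0, err
	}
	st, ok := fi.Sys().(*syscall.Stat_t)
	if !ok {
		return 0, fmt.Errorf("%s: no unix stat information", path)
	}
	return st.Uid, nil
}

// homeOwnerMatches compares the uid in the passwd entry for username with the
// uid owning home. ok is false in the state the report shows (30034 vs 30033).
func homeOwnerMatches(username, home string) (passwdUID, owner uint32, ok bool, err error) {
	u, err := user.Lookup(username)
	if err != nil {
		return 0, 0, false, err
	}
	n, err := strconv.ParseUint(u.Uid, 10, 32)
	if err != nil {
		return 0, 0, false, err
	}
	owner, err = ownerUID(home)
	if err != nil {
		return 0, 0, false, err
	}
	return uint32(n), owner, uint32(n) == owner, nil
}

// chownTree re-owns home and everything below it to uid:gid. Lchown is used
// so a symlink inside the home is re-owned itself, not its target.
func chownTree(home string, uid, gid int) error {
	return filepath.WalkDir(home, func(p string, _ fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		return os.Lchown(p, uid, gid)
	})
}

func main() {
	name, home := "ssm-user", "/home/ssm-user"
	if len(os.Args) > 1 {
		name = os.Args[1]
	}
	if len(os.Args) > 2 {
		home = os.Args[2]
	}
	want, got, ok, err := homeOwnerMatches(name, home)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	fmt.Printf("%s: passwd uid=%d, %s owned by uid=%d, match=%v\n", name, want, home, got, ok)
	if ok {
		return
	}
	if os.Getenv("FIX") != "1" {
		fmt.Println("set FIX=1 to re-own the home directory to the passwd uid/gid")
		os.Exit(1)
	}
	u, _ := user.Lookup(name) // succeeded above
	gid, err := strconv.Atoi(u.Gid)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	if err := chownTree(home, int(want), gid); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	fmt.Printf("re-owned %s to %d:%d\n", home, want, gid)
}
```

Run as root with the user and home directory as arguments; a non-zero exit on mismatch makes it usable from a bootstrap script that wants to refuse to continue with a home directory the session user cannot write to.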