Opening 2 ssm sessions in parallel for the first time attempts to create duplicate ssm-user #573

Open
thomasdziedzic-calmwave opened this issue Jun 10, 2024 · 2 comments

thomasdziedzic-calmwave commented Jun 10, 2024

We have a script that opens 2 ssm sessions in parallel, and on a brand new ec2 instance, when we run this script, it messed up the ssm-user's home directory permissions:

```
id
uid=30034(ssm-user) gid=30034(ssm-user) groups=30034(ssm-user)
ssm-user@ip:/var/snap/amazon-ssm-agent/7993$ echo $HOME
/home/ssm-user
ssm-user@ip:/var/snap/amazon-ssm-agent/7993$ sudo ls -ld $HOME
drwxr-x--- 2 30033 30033 4096 Jun 10 13:58 /home/ssm-user
```

```
2024-06-10 13:57:10 INFO [ssm-session-worker] [REDACTED-1] [DataBackend] [pluginName=InteractiveCommands] Successfully created ssm-user
2024-06-10 13:57:10 INFO [ssm-session-worker] [REDACTED-2] [DataBackend] [pluginName=InteractiveCommands] Successfully created ssm-user
```

There should be some kind of safety / lock in place to prevent the ssm-agent from attempting to create multiple users with the same login at the same time on initial login.

@yuting-fan
Contributor

Hi @thomasdziedzic-calmwave,

Session Manager does not override the permission when creating the home directory, so it uses the default the OS defines. The default permission for the home directory varies among different platforms. E.g., prior to Ubuntu 21.04, the default home directory permission is 755. And starting from Ubuntu 21.04, the default home directory permission is 750, which is what your home directory permission is. And there are some OSes that default to an even more permissive permission set like 777.

What is the OS of your EC2 instance? And if you run the useradd command on the instance to create a user directly, what's the permission of the home directory of that user?

Regards,
Yuting


thomasdziedzic-calmwave commented Jun 20, 2024

> What is the OS of your EC2 instance?

Ubuntu 22.04

> And if you run the useradd command on the instance to create a user directly, what's the permission of the home directory of that user?

The problem itself isn't with the home directory being 750; this is fine. The problem is that the 2nd session overwrote/updated the uid/gid of the ssm-user such that the ssm-user user and group were no longer the owners of the /home/ssm-user directory.

The id command returns 30034 for the ssm-user, but the home directory is owned by 30033.
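
A check for the state reported in this thread (passwd says 30034, the home directory is owned by 30033), as an added example that is not part of the issue or of amazon-ssm-agent. The function name `check_home_owner` and its return codes are assumptions made for illustration; it also flags a login that appears more than once in the passwd file.

```bash
#!/usr/bin/env bash
# Added example, not amazon-ssm-agent code. Compares the uid:gid a passwd-format
# file records for a login with the numeric owner of its home directory.
# Assumes GNU stat (as on Ubuntu). check_home_owner is a hypothetical helper name.
#
# Usage: check_home_owner /etc/passwd ssm-user
# Return codes: 0 owner matches, 1 mismatch, 2 no entry / no home, 3 duplicate login
check_home_owner() {
    local passwd_file="$1" account="$2"
    local count entry uid gid rest home owner

    # More than one line for the same login is itself worth flagging.
    count=$(awk -F: -v u="$account" '$1 == u { n++ } END { print n + 0 }' "$passwd_file")
    if [ "$count" -eq 0 ]; then
        echo "NOENTRY $account"; return 2
    elif [ "$count" -gt 1 ]; then
        echo "DUPLICATE $account entries=$count"; return 3
    fi

    # Fields 3, 4 and 6 of a passwd line are uid, gid and home directory.
    entry=$(awk -F: -v u="$account" '$1 == u { print $3 ":" $4 ":" $6 }' "$passwd_file")
    uid=${entry%%:*}; rest=${entry#*:}
    gid=${rest%%:*};  home=${rest#*:}

    if [ ! -d "$home" ]; then
        echo "NOHOME $account $home"; return 2
    fi

    # Numeric owner of the directory, independent of name resolution.
    owner=$(stat -c '%u:%g' -- "$home")
    if [ "$owner" = "$uid:$gid" ]; then
        echo "OK $account $owner"; return 0
    fi
    echo "MISMATCH $account passwd=$uid:$gid home_owner=$owner"
    return 1
}
```

Run as root after the first sessions on a new instance; a `MISMATCH` line corresponds to the `id` and `ls -ld` output in the original report.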
