Proper Setup for Netplan YAML File Permission
Begin
Just during configuring the YAML file for the netplan to modify my own IP route settings, I had met the warning messages below when applying:
** (generate:40134): WARNING **: 09:28:29.011: Permissions for /etc/netplan/00-installer-config.yaml are too open. Netplan configuration should NOT be accessible by others.
** (generate:40134): WARNING **: 09:28:29.011: Permissions for /etc/netplan/01-network-manager-all.yaml are too open. Netplan configuration should NOT be accessible by others.Let’s dive in and check how to fix these warnings !
According to the message, it means that we have given too much permission which can allow non-root user to get the file content.
By checking the official documentation (ref) , they suggest only given read-write to root user only, which comes with 600 for the command option of chmod .
Netplan’s configuration files use the YAML (v1.1) format. All files in
/{lib,etc,run}/netplan/*.yamlare considered and are supposed to use restrictive file permissions (600/rw-------), i.e. owner (root) read-write only.
Before
As the following console output, we found that the YAML files are along with permission 644 which give read operation for user, that’s the cause for the warnings.
$ cd /etc/netplan
$ ls -l
-rw-r--r-- 1 root root 90 May 8 15:41 00-installer-config.yaml
-rw-r--r-- 1 root root 1066 May 16 16:26 01-network-manager-all.yamlOperation
$ cd /etc/netplan
$ sudo chmod 600 *.yaml
$
$ ls -l
-rw------- 1 root root 90 May 8 15:41 00-installer-config.yaml
-rw------- 1 root root 1066 May 16 16:26 01-network-manager-all.yamlFor now we have permission 600 for all YAML files inside directory /etc/netplan/ , just double check.
Check
$ cd /etc/netplan/
$ cat 01-network-manager-all.yaml
cat: 01-network-manager-all.yaml: Permission denied
$ sudo cat 01-network-manager-all.yaml
network:
version: 2
renderer: NetworkManager
......Here we have done with the correct permission !
It’ s time to make it try / apply.
$ sudo netplan try
$ sudo netplan applyThanks for your time.
If you have any further questions, please feel free to leave a comment below.
