We have a script that opens 2 ssm sessions in parallel, and on a brand new ec2 instance, when we run this script, it messed up the ssm-user's home directory permissions:
id
uid=30034(ssm-user) gid=30034(ssm-user) groups=30034(ssm-user)
ssm-user@ip:/var/snap/amazon-ssm-agent/7993$ echo $HOME
/home/ssm-user
ssm-user@ip:/var/snap/amazon-ssm-agent/7993$ sudo ls -ld $HOME
drwxr-x--- 2 30033 30033 4096 Jun 10 13:58 /home/ssm-user
2024-06-10 13:57:10 INFO [ssm-session-worker] [REDACTED-1] [DataBackend] [pluginName=InteractiveCommands] Successfully created ssm-user
2024-06-10 13:57:10 INFO [ssm-session-worker] [REDACTED-2] [DataBackend] [pluginName=InteractiveCommands] Successfully created ssm-user
There should be some kind of safety / lock in place to prevent the ssm-agent from attempting to create multiple users with the same login at the same time on initial login.
Session Manager does not override the permissions when creating the home directory, so it uses the default the OS defines. The default permissions for the home directory vary among platforms. E.g., prior to Ubuntu 21.04, the default home directory permission is 755, and starting from Ubuntu 21.04 it is 750, which is what your home directory permission is. And some OSes default to an even more permissive permission set, like 777.
What is the OS of your EC2 instance? And if you run the useradd command on the instance to create a user directly, what are the permissions of that user's home directory?
The problem isn't the home directory being 750; that is fine. The problem is that the 2nd session overwrote/updated the uid/gid of the ssm-user such that neither the ssm-user user nor the ssm-user group was the owner of the /home/ssm-user directory any more.
The id command returns 30034 for the ssm-user, but the home directory is owned by 30033.
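As an added example that is not part of this issue thread or of the amazon-ssm-agent code: a small Python audit that performs the check the reporter did by hand (`id` against `sudo ls -ld $HOME`) for every account in /etc/passwd, and additionally flags when the stale owner uid belongs to no account at all, since a later useradd that is handed that uid would silently inherit the directory. The passwd excerpt and stat results are constructed from the numbers in the issue so the script runs offline; `SAMPLE_PASSWD`, `SAMPLE_STAT`, `sample_stat`, `audit_home_ownership` and `remediation` are names chosen here, not agent APIs.

```python
"""Audit home-directory ownership against /etc/passwd.

Added example (not from the amazon-ssm-agent project): flags any account
whose home directory is not owned by the account's own uid/gid, the state
the issue reports for ssm-user, and notes when the stale owner uid no
longer belongs to any account.
"""
import os
from typing import Callable, Dict, List, Tuple

StatFn = Callable[[str], Tuple[int, int]]

# Constructed /etc/passwd excerpt reproducing the numbers from the issue:
# ssm-user is uid/gid 30034, while its home directory (SAMPLE_STAT below)
# is still owned by 30033. The other entries are consistent accounts; the
# 'nobody' entry has no home directory, to exercise the skip path.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
ssm-user:x:30034:30034::/home/ssm-user:/bin/bash
"""

# Constructed stat results (path -> (uid, gid)) standing in for os.stat.
SAMPLE_STAT: Dict[str, Tuple[int, int]] = {
    "/root": (0, 0),
    "/home/ubuntu": (1000, 1000),
    "/home/ssm-user": (30033, 30033),
}


def sample_stat(path: str) -> Tuple[int, int]:
    """Stand-in for real_stat backed by the constructed SAMPLE_STAT table."""
    try:
        return SAMPLE_STAT[path]
    except KeyError:
        raise FileNotFoundError(path) from None


def real_stat(path: str) -> Tuple[int, int]:
    """Owner uid/gid of path on the live host."""
    st = os.stat(path)
    return st.st_uid, st.st_gid


def parse_passwd(text: str) -> List[Dict[str, object]]:
    """Parse passwd-format lines into name/uid/gid/home records."""
    accounts: List[Dict[str, object]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed entry; passwd has exactly 7 fields
        accounts.append({
            "name": fields[0],
            "uid": int(fields[2]),
            "gid": int(fields[3]),
            "home": fields[5],
        })
    return accounts


def audit_home_ownership(passwd_text: str,
                         stat_fn: StatFn = real_stat) -> List[Dict[str, object]]:
    """One finding per account whose home is not owned by its own uid/gid.

    'orphaned_owner' is True when the directory's current owner uid belongs
    to no account in passwd: a future useradd handed that uid would own it.
    """
    accounts = parse_passwd(passwd_text)
    known_uids = {a["uid"] for a in accounts}
    findings: List[Dict[str, object]] = []
    for acct in accounts:
        try:
            owner_uid, owner_gid = stat_fn(str(acct["home"]))
        except FileNotFoundError:
            continue  # no home directory to check (e.g. nologin accounts)
        if (owner_uid, owner_gid) == (acct["uid"], acct["gid"]):
            continue
        findings.append({
            "user": acct["name"],
            "home": acct["home"],
            "expected": (acct["uid"], acct["gid"]),
            "actual": (owner_uid, owner_gid),
            "orphaned_owner": owner_uid not in known_uids,
        })
    return findings


def remediation(finding: Dict[str, object]) -> str:
    """chown command that hands the directory back to the account's own uid:gid."""
    uid, gid = finding["expected"]  # type: ignore[misc]
    return f"chown -R {uid}:{gid} {finding['home']}"


if __name__ == "__main__":
    # Offline run over the constructed data; pass real_stat on a live host.
    for f in audit_home_ownership(SAMPLE_PASSWD, sample_stat):
        note = " (owner uid belongs to no account)" if f["orphaned_owner"] else ""
        print(f"{f['user']}: {f['home']} owned by {f['actual']}, "
              f"expected {f['expected']}{note}")
        print("  fix:", remediation(f))
```

On a real host, `audit_home_ownership(open("/etc/passwd").read())` uses `real_stat`; run it as root so every home directory can be stat'ed. Fixing the directory with the printed `chown` only restores ownership; it does not address the race itself, which the reporter asks the agent to guard against.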