
I am trying to set a bootstrap script for an EC2 Ubuntu machine with the CLI commands below:

```bash
#cloud-boothook
#!/bin/bash
sudo chmod 750 -R  /home/
```

The text above is set via the AWS console in user data.

Once the machine has started running, the mode change still has not been applied by the user data script above.

I tried an alternative command as:

```text
Content-Type: text/cloud-boothook
Content-Type: text/x-shellscript
sudo chmod 750 -R  /home/
```

The directory permissions are still not changed.

My objective is to set the user home directory to mode 750 on machine startup.

I would appreciate any solution to this.

Here is the error message appearing for me:

```text
[  OK  ] Started Initial cloud-init job (pre-networking).
[  OK  ] Reached target Network (Pre).
[  OK  ] Started ifup for eth0.
         Starting Raise network interfaces...
[  OK  ] Started Raise network interfaces.
[  OK  ] Reached target Network.
         Starting Initial cloud-init job (metadata service crawler)...
[    7.535726] cloud-init[1003]: Cloud-init v. 0.7.9 running 'init' at Sun, 29 Oct 2017 19:44:35 +0000. Up 7.23 seconds.
[    7.548260] cloud-init[1003]: ci-info: ++++++++++++++++++++++++++++++++++++++Net device info++++++++++++++++++++++++++++++++++++++
[    7.565098] cloud-init[1003]: ci-info: +--------+------+-----------------------------+---------------+-------+-------------------+
[    7.580238] cloud-init[1003]: ci-info: | Device |  Up  |           Address           |      Mask     | Scope |     Hw-Address    |
[    7.592760] cloud-init[1003]: ci-info: +--------+------+-----------------------------+---------------+-------+-------------------+
[    7.602150] cloud-init[1003]: ci-info: |   lo   | True |          127.0.0.1          |   255.0.0.0   |   .   |         .         |
[    7.613465] cloud-init[1003]: ci-info: |   lo   | True |           ::1/128           |       .       |  host |         .         |
[    7.625404] cloud-init[1003]: ci-info: |  eth0  | True |        172.31.19.221        | 255.255.240.0 |   .   | 06:ad:ba:ed:47:10 |
[    7.635005] cloud-init[1003]: ci-info: |  eth0  | True | fe80::4ad:baff:feed:4710/64 |       .       |  link | 06:ad:ba:ed:47:10 |
[    7.648580] cloud-init[1003]: ci-info: +--------+------+-----------------------------+---------------+-------+-------------------+
[    7.663022] cloud-init[1003]: ci-info: +++++++++++++++++++++++++++++Route IPv4 info+++++++++++++++++++++++++++++
[    7.674192] cloud-init[1003]: ci-info: +-------+-------------+-------------+---------------+-----------+-------+
[    7.682430] cloud-init[1003]: ci-info: | Route | Destination |   Gateway   |    Genmask    | Interface | Flags |
[    7.690935] cloud-init[1003]: ci-info: +-------+-------------+-------------+---------------+-----------+-------+
[    7.703027] cloud-init[1003]: ci-info: |   0   |   0.0.0.0   | 172.31.16.1 |    0.0.0.0    |    eth0   |   UG  |
[    7.712719] cloud-init[1003]: ci-info: |   1   | 172.31.16.0 |   0.0.0.0   | 255.255.240.0 |    eth0   |   U   |
[    7.719950] cloud-init[1003]: ci-info: +-------+-------------+-------------+---------------+-----------+-------+
[    7.728024] cloud-init[1003]: 2017-10-29 19:44:35,859 - __init__.py[WARNING]: Unhandled non-multipart (text/x-not-multipart) userdata: 'b'Content-Type: text/cloud'...'
[  OK  ] Started Initial cloud-init job (metadata service crawler).
[  OK  ] Reached target Cloud-config availability.
[  OK  ] Reached target System Initialization.
[  OK  ] Listening on D-Bus System Message Bus Socket.
         Starting Socket activation for snappy daemon.
```
John Rotenstein
    Which AMI are you using? Is it from the list in the QuickStart section of the EC2 launch wizard? – John Rotenstein Oct 29 '17 at 22:22
  • I am using free tier T2. This is from launch instance option from EC2. – Pradeep Prasad Oct 30 '17 at 13:43
  • It worked for me! In fact, it worked so well that I couldn't even login to the instance afterwards due to the changed `/home` permissions! Perhaps your intention was something else? – John Rotenstein Oct 30 '17 at 21:40
  • Good Morning John, I am really sorry that you were not able to login again. Just wondering, my intention is to change the access permissions on the home directory, as this is a security requirement. I would appreciate it if there are any other options available. – Pradeep Prasad Oct 31 '17 at 10:35
  • WHAT is your actual security requirement? If you are following documented requirements, please share those requirements. – John Rotenstein Oct 31 '17 at 10:48

1 Answer

You are assigning 750 permissions to /home recursively.

750 means:

  • The Owner may read, write and execute.
  • The Group may read and execute (but not write).
  • The world may not do anything with this file.

The /home directory itself is owned by root and is in the root group. Therefore, after recursively applying 750, only root can access the contents of /home (including other users' home directories).

Therefore, you really don't want to do that.

John Rotenstein
  • Thanks for your response John, our intent is to not provide all access to non-root providers. – Pradeep Prasad Oct 31 '17 at 10:51
  • It means they cannot even login because they can't access their own directory. Is that your intention too? Even the `ubuntu` user can't login because they aren't `root`. – John Rotenstein Oct 31 '17 at 10:52
  • Thanks for giving more insight. I will do more research and try to get alternate solution. I appreciate your help in this context. – Pradeep Prasad Oct 31 '17 at 11:28
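As an added example (not the question's user data and not code from the answer), here is a user-data shell script that applies the answer's point: tighten each user's home directory to 750 while leaving /home itself at 755, so every user can still traverse into their own directory. It assumes GNU `stat` (as on Ubuntu), runs its demo against a constructed scratch tree rather than the real /home, and the `harden_homes`, `perms` and `demo` function names and the `HOME_ROOT` switch are my own choices.

```shell
#!/bin/bash
# Added example, not the question's user data: harden per-user home directories
# without the recursive chmod on /home that locked users out in the question.
# HOME_ROOT is empty so the script only runs its scratch-tree demo; set it to
# /home when deploying this as EC2 user data (cloud-init runs it as root).
set -eu
HOME_ROOT=""

# harden_homes BASE: keep BASE itself at 755 so any user can traverse into
# their own directory, then set each immediate subdirectory (one per user,
# owned by that user) to 750: owner rwx, group rx, others nothing.
# Files inside are deliberately left alone; the directory is the boundary.
harden_homes() {
    local base d
    base="$1"
    chmod 755 "$base"
    for d in "$base"/*/; do
        [ -d "$d" ] || continue          # no subdirectories: glob stays literal
        chmod 750 "${d%/}"
    done
}

# perms PATH: octal mode of PATH, e.g. 750 (GNU stat, as on Ubuntu).
perms() {
    stat -c '%a' "$1"
}

# demo: constructed scratch tree showing the before/after, never the real /home.
demo() {
    local tmp
    tmp=$(mktemp -d)
    mkdir -p "$tmp/home/alice" "$tmp/home/bob"
    chmod 750 "$tmp/home"            # the question's mistake: /home itself 750
    chmod 777 "$tmp/home/alice"      # constructed: an over-permissive home dir
    harden_homes "$tmp/home"
    printf '%s=%s\n' home "$(perms "$tmp/home")" \
        alice "$(perms "$tmp/home/alice")" bob "$(perms "$tmp/home/bob")"
    rm -rf "$tmp"
}

if [ -n "$HOME_ROOT" ]; then
    harden_homes "$HOME_ROOT"
else
    demo
fi
```

Cloud-init runs a `#!/bin/bash` user-data script as root, so the `sudo` in the question is unnecessary; a 750 home directory is also not group- or world-writable, so sshd's StrictModes check still passes and key-based logins keep working.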