
// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0
package diagnose
import (
"fmt"
"io/fs"
"os"
"path/filepath"
)
// Warning strings emitted by the file-permission diagnostics below. They are
// returned to the caller as plain text, so keep them stable for operators
// who grep diagnose output.
const (
	// FileIsSymlinkWarning is reported when the checked mode carries fs.ModeSymlink.
	FileIsSymlinkWarning = "raft storage backend file is a symlink"
	// FileTooPermissiveWarning is reported when any "other" (world) permission bit is set.
	FileTooPermissiveWarning = "too many permissions"
	// FilePermissionsMissingWarning is reported when neither owner nor group can both read and write.
	FilePermissionsMissingWarning = "owner or group needs read and write permissions"
)
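// IsDir reports whether info describes a directory.
//
// It is a thin wrapper around fs.FileMode.IsDir; the boolean is returned
// directly rather than through an if/return-true/return-false chain.
// A nil info panics.
func IsDir(info fs.FileInfo) bool {
	return info.Mode().IsDir()
}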
// HasDB reports whether a file named DatabaseFilename is present directly
// under path.
//
// Only a "does not exist" error from os.Stat counts as absent. Any other stat
// failure (for example a permission error on the parent directory) still
// yields true, so a true result means "not known to be missing", not
// "confirmed present and readable".
func HasDB(path string) bool {
	_, err := os.Stat(filepath.Join(path, DatabaseFilename))
	return !os.IsNotExist(err)
}
// CheckFilePerms inspects the Unix permission bits of info and reports whether
// the file is restricted to owner read/write.
//
// The boolean result is true only when the owner has both read and write, no
// group read or write bit is set, and no "other" (world) bit is set. The
// returned slice holds zero or more human-readable warnings, appended in this
// order:
//   - FileTooPermissiveWarning when any "other" bit is set;
//   - FilePermissionsMissingWarning when neither the owner nor the group has
//     read, or neither has write ("other" bits never satisfy this);
//   - FileIsSymlinkWarning when the mode carries fs.ModeSymlink.
//
// Execute bits and the setuid/setgid/sticky bits are not inspected, so an
// owner-executable directory (0o700) still yields true. The symlink warning
// can only fire when info was obtained without following links (os.Lstat);
// a FileInfo from os.Stat describes the link target instead.
func CheckFilePerms(info fs.FileInfo) (bool, []string) {
	var warnings []string
	mode := info.Mode()
	perm := mode.Perm()

	ownerRead := perm&0o400 != 0
	ownerWrite := perm&0o200 != 0
	groupRead := perm&0o040 != 0
	groupWrite := perm&0o020 != 0
	worldBits := perm & 0o007

	// World-accessible bits are never acceptable for the storage backend.
	if worldBits != 0 {
		warnings = append(warnings, fmt.Sprintf(FileTooPermissiveWarning+": perms are %s", mode.String()))
	}

	// Either the owner or the group must be able to both read and write;
	// world bits deliberately do not count toward this.
	readable := ownerRead || groupRead
	writable := ownerWrite || groupWrite
	if !(readable && writable) {
		warnings = append(warnings, fmt.Sprintf(FilePermissionsMissingWarning+": perms are %s", mode.String()))
	}

	if mode&os.ModeSymlink != 0 {
		warnings = append(warnings, FileIsSymlinkWarning)
	}

	ownerRWOnly := ownerRead && ownerWrite && !groupRead && !groupWrite && worldBits == 0
	return ownerRWOnly, warnings
}