From 9ae2a8570023e9db1deed700d4f1cb87f9d47104 Mon Sep 17 00:00:00 2001 From: hghaf099 <83242695+hghaf099@users.noreply.github.com> Date: Fri, 1 Apr 2022 12:57:38 -0400 Subject: [PATCH] Fixing excessive unix file permissions (#14791) * Fixing excessive unix file permissions * CL * reduce the permission from 750 to 700 --- changelog/14791.txt | 3 +++ command/agent.go | 2 +- command/operator_raft_snapshot_save.go | 2 +- command/server.go | 4 ++-- physical/raft/raft.go | 2 +- physical/raft/snapshot.go | 4 ++-- 6 files changed, 10 insertions(+), 7 deletions(-) create mode 100644 changelog/14791.txt diff --git a/changelog/14791.txt b/changelog/14791.txt new file mode 100644 index 000000000..b9e431548 --- /dev/null +++ b/changelog/14791.txt @@ -0,0 +1,3 @@ +```release-note:bug +core: fixing excessive unix file permissions +``` diff --git a/command/agent.go b/command/agent.go index 31a6f7336..6bafd4cb0 100644 --- a/command/agent.go +++ b/command/agent.go @@ -979,7 +979,7 @@ func (c *AgentCommand) storePidFile(pidPath string) error { } // Open the PID file - pidFile, err := os.OpenFile(pidPath, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644) + pidFile, err := os.OpenFile(pidPath, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o600) if err != nil { return fmt.Errorf("could not open pid file: %w", err) } diff --git a/command/operator_raft_snapshot_save.go b/command/operator_raft_snapshot_save.go index 825bb303a..496b0a7b5 100644 --- a/command/operator_raft_snapshot_save.go +++ b/command/operator_raft_snapshot_save.go @@ -76,7 +76,7 @@ func (c *OperatorRaftSnapshotSaveCommand) Run(args []string) int { w := &lazyOpenWriter{ openFunc: func() (io.WriteCloser, error) { - return os.OpenFile(path, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644) + return os.OpenFile(path, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o600) }, } diff --git a/command/server.go b/command/server.go index e27f31d93..656bfc285 100644 --- a/command/server.go +++ b/command/server.go @@ -1926,7 +1926,7 @@ func (c *ServerCommand) enableThreeNodeDevCluster(base *vault.CoreConfig, info m return 1 } - if err := ioutil.WriteFile(filepath.Join(testCluster.TempDir, "root_token"), []byte(testCluster.RootToken), 0o755); err != nil { + if err := ioutil.WriteFile(filepath.Join(testCluster.TempDir, "root_token"), []byte(testCluster.RootToken), 0o600); err != nil { c.UI.Error(fmt.Sprintf("Error writing token to tempfile: %s", err)) return 1 } @@ -2158,7 +2158,7 @@ func (c *ServerCommand) storePidFile(pidPath string) error { } // Open the PID file - pidFile, err := os.OpenFile(pidPath, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644) + pidFile, err := os.OpenFile(pidPath, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o600) if err != nil { return fmt.Errorf("could not open pid file: %w", err) } diff --git a/physical/raft/raft.go b/physical/raft/raft.go index b356998d1..3a302f689 100644 --- a/physical/raft/raft.go +++ b/physical/raft/raft.go @@ -274,7 +274,7 @@ func EnsurePath(path string, dir bool) error { if !dir { path = filepath.Dir(path) } - return os.MkdirAll(path, 0o755) + return os.MkdirAll(path, 0o700) } // NewRaftBackend constructs a RaftBackend using the given directory diff --git a/physical/raft/snapshot.go b/physical/raft/snapshot.go index 7e3f875b0..cebcdb0a4 100644 --- a/physical/raft/snapshot.go +++ b/physical/raft/snapshot.go @@ -86,7 +86,7 @@ func NewBoltSnapshotStore(base string, logger log.Logger, fsm *FSM) (*BoltSnapsh // Ensure our path exists path := filepath.Join(base, snapPath) - if err := os.MkdirAll(path, 0o755); err != nil && !os.IsExist(err) { + if err := os.MkdirAll(path, 0o700); err != nil && !os.IsExist(err) { return nil, fmt.Errorf("snapshot path not accessible: %v", err) } @@ -324,7 +324,7 @@ func (s *BoltSnapshotSink) writeBoltDBFile() error { s.logger.Info("creating new snapshot", "path", path) // Make the directory - if err := os.MkdirAll(path, 0o755); err != nil { + if err := os.MkdirAll(path, 0o700); err != nil { s.logger.Error("failed to make snapshot directory", "error", err) return err }