From e48cffe16db2f462e53056b9bc4d723b73d1dfcd Mon Sep 17 00:00:00 2001 From: Jonathan Lebon Date: Tue, 13 Jul 2021 11:49:16 -0400 Subject: [PATCH] Backport "install: restrict access permissions on /boot/ignition{,/config.ign}" https://github.com/coreos/coreos-installer/pull/571 --- rust-coreos-installer.spec | 7 +- ...-access-permissions-on-boot-ignition.patch | 72 +++++++++++++++++++ 2 files changed, 78 insertions(+), 1 deletion(-) create mode 100644 v0.9.1-install-restrict-access-permissions-on-boot-ignition.patch diff --git a/rust-coreos-installer.spec b/rust-coreos-installer.spec index 301eece..74a9561 100644 --- a/rust-coreos-installer.spec +++ b/rust-coreos-installer.spec @@ -9,13 +9,14 @@ Name: rust-%{crate} Version: 0.9.1 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Installer for Fedora CoreOS and RHEL CoreOS # Upstream license specification: Apache-2.0 License: ASL 2.0 URL: https://crates.io/crates/coreos-installer Source: %{crates_source} +Patch0: v0.9.1-install-restrict-access-permissions-on-boot-ignition.patch ExclusiveArch: %{rust_arches} @@ -128,6 +129,10 @@ RHEL CoreOS. It is not needed on other platforms. %endif %changelog +* Tue Jul 13 2021 Jonathan Lebon - 0.9.1-2 +- Backport "install: restrict access permissions on /boot/ignition{,/config.ign}" + https://github.com/coreos/coreos-installer/pull/571 + * Mon May 17 2021 Sohan Kunkerkar - 0.9.1-1 - New release diff --git a/v0.9.1-install-restrict-access-permissions-on-boot-ignition.patch b/v0.9.1-install-restrict-access-permissions-on-boot-ignition.patch new file mode 100644 index 0000000..558d140 --- /dev/null +++ b/v0.9.1-install-restrict-access-permissions-on-boot-ignition.patch 
@@ -0,0 +1,72 @@
+From 2a36405339c87b16ed6c76e91ad5b76638fbdb0c Mon Sep 17 00:00:00 2001
+From: Benjamin Gilbert
+Date: Tue, 6 Jul 2021 13:07:30 -0400
+Subject: [PATCH] install: restrict access permissions on
+ /boot/ignition{,/config.ign}
+
+The Ignition config may contain secrets. Don't expose it, or anything in
+its parent directory, to unprivileged processes.
+
+https://github.com/coreos/fedora-coreos-tracker/issues/889
+---
+ src/install.rs | 29 ++++++++++++++++++++++++++---
+ 1 file changed, 26 insertions(+), 3 deletions(-)
+
+diff --git a/src/install.rs b/src/install.rs
+index 20d1f41..3640723 100644
+--- a/src/install.rs
++++ b/src/install.rs
+@@ -16,9 +16,11 @@ use anyhow::{bail, Context, Result};
+ use lazy_static::lazy_static;
+ use nix::mount;
+ use regex::Regex;
+-use std::fs::{copy as fscopy, create_dir_all, read_dir, File, OpenOptions};
++use std::fs::{
++ copy as fscopy, create_dir_all, read_dir, set_permissions, File, OpenOptions, Permissions,
++};
+ use std::io::{copy, Read, Seek, SeekFrom, Write};
+-use std::os::unix::fs::FileTypeExt;
++use std::os::unix::fs::{FileTypeExt, PermissionsExt};
+ use std::path::{Path, PathBuf};
+ 
+ use crate::blockdev::*;
+@@ -248,7 +250,21 @@ fn write_ignition(
+ // make parent directory
+ let mut config_dest = mountpoint.to_path_buf();
+ config_dest.push("ignition");
+- create_dir_all(&config_dest).context("creating Ignition config directory")?;
++ if !config_dest.is_dir() {
++ create_dir_all(&config_dest).with_context(|| {
++ format!(
++ "creating Ignition config directory {}",
++ config_dest.display()
++ )
++ })?;
++ // Ignition data may contain secrets; restrict to root
++ set_permissions(&config_dest, Permissions::from_mode(0o700)).with_context(|| {
++ format!(
++ "setting file mode for Ignition directory {}",
++ config_dest.display()
++ )
++ })?;
++ }
+ 
+ // do the copy
+ config_dest.push("config.ign");
+@@ -262,6 +278,13 @@ fn write_ignition(
+ config_dest.display()
+ )
+ })?;
++ // Ignition config may contain secrets; restrict to root
++ set_permissions(&config_dest, Permissions::from_mode(0o600)).with_context(|| {
++ format!(
++ "setting file mode for destination Ignition config {}",
++ config_dest.display()
++ )
++ })?;
+ copy(&mut config_in, &mut config_out).context("writing Ignition config")?;
+ 
+ Ok(())
+--
+2.31.1
+
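Review bot: In the second write_ignition hunk the 0o600 mode is applied with set_permissions only after config_out has already been created (the create call sits just above the hunk, so its exact form is not visible here), which leaves a window in which config.ign exists with the default umask-derived mode; a process that opens it in that window keeps a readable descriptor after copy() fills it. Creating the file with the restrictive mode from the start removes the window, e.g. `let mut config_out = OpenOptions::new().write(true).create(true).truncate(true).mode(0o600).open(&config_dest)` with `std::os::unix::fs::OpenOptionsExt` added to the existing unix `use` (OpenOptions is already imported), and the directory can likewise be created as `DirBuilder::new().recursive(true).mode(0o700).create(&config_dest)` via `DirBuilderExt` instead of create_dir_all followed by chmod. Separately, the `if !config_dest.is_dir()` guard in the first hunk skips the 0o700 chmod whenever /boot/ignition already exists, so a pre-existing world-readable directory keeps its mode; I would apply that set_permissions unconditionally after the create. The body of write_ignition starts before and ends after these hunks.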