Backport "install: restrict access permissions on /boot/ignition{,/config.ign}"

https://github.com/coreos/coreos-installer/pull/571
Jonathan Lebon 2021-07-13 11:49:16 -04:00
parent be53a303bc
commit e48cffe16d
2 changed files with 78 additions and 1 deletions


@ -9,13 +9,14 @@
Name: rust-%{crate} Name: rust-%{crate}
Version: 0.9.1 Version: 0.9.1
Release: 1%{?dist} Release: 2%{?dist}
Summary: Installer for Fedora CoreOS and RHEL CoreOS Summary: Installer for Fedora CoreOS and RHEL CoreOS
# Upstream license specification: Apache-2.0 # Upstream license specification: Apache-2.0
License: ASL 2.0 License: ASL 2.0
URL: https://crates.io/crates/coreos-installer URL: https://crates.io/crates/coreos-installer
Source: %{crates_source} Source: %{crates_source}
Patch0: v0.9.1-install-restrict-access-permissions-on-boot-ignition.patch
ExclusiveArch: %{rust_arches} ExclusiveArch: %{rust_arches}
@ -128,6 +129,10 @@ RHEL CoreOS. It is not needed on other platforms.
%endif %endif
%changelog %changelog
* Tue Jul 13 2021 Jonathan Lebon <jonathan@jlebon.com> - 0.9.1-2
- Backport "install: restrict access permissions on /boot/ignition{,/config.ign}"
https://github.com/coreos/coreos-installer/pull/571
* Mon May 17 2021 Sohan Kunkerkar <skunkerk@redhat.com> - 0.9.1-1 * Mon May 17 2021 Sohan Kunkerkar <skunkerk@redhat.com> - 0.9.1-1
- New release - New release
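Review bot: The added `Patch0: v0.9.1-install-restrict-access-permissions-on-boot-ignition.patch` line declares the patch, but nothing in the visible hunks applies it; if `%prep` already uses `%autosetup -p1` it is picked up automatically, otherwise a `%patch0 -p1` line is needed or the built package silently ships without the fix. The `%prep` section is outside the shown hunks, so this only needs confirming rather than changing. The Release bump and changelog entry are consistent with `0.9.1-2`.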


@ -0,0 +1,72 @@
From 2a36405339c87b16ed6c76e91ad5b76638fbdb0c Mon Sep 17 00:00:00 2001
From: Benjamin Gilbert <bgilbert@redhat.com>
Date: Tue, 6 Jul 2021 13:07:30 -0400
Subject: [PATCH] install: restrict access permissions on
/boot/ignition{,/config.ign}
The Ignition config may contain secrets. Don't expose it, or anything in
its parent directory, to unprivileged processes.
https://github.com/coreos/fedora-coreos-tracker/issues/889
---
src/install.rs | 29 ++++++++++++++++++++++++++---
1 file changed, 26 insertions(+), 3 deletions(-)
diff --git a/src/install.rs b/src/install.rs
index 20d1f41..3640723 100644
--- a/src/install.rs
+++ b/src/install.rs
@@ -16,9 +16,11 @@ use anyhow::{bail, Context, Result};
use lazy_static::lazy_static;
use nix::mount;
use regex::Regex;
-use std::fs::{copy as fscopy, create_dir_all, read_dir, File, OpenOptions};
+use std::fs::{
+ copy as fscopy, create_dir_all, read_dir, set_permissions, File, OpenOptions, Permissions,
+};
use std::io::{copy, Read, Seek, SeekFrom, Write};
-use std::os::unix::fs::FileTypeExt;
+use std::os::unix::fs::{FileTypeExt, PermissionsExt};
use std::path::{Path, PathBuf};
use crate::blockdev::*;
@@ -248,7 +250,21 @@ fn write_ignition(
// make parent directory
let mut config_dest = mountpoint.to_path_buf();
config_dest.push("ignition");
- create_dir_all(&config_dest).context("creating Ignition config directory")?;
+ if !config_dest.is_dir() {
+ create_dir_all(&config_dest).with_context(|| {
+ format!(
+ "creating Ignition config directory {}",
+ config_dest.display()
+ )
+ })?;
+ // Ignition data may contain secrets; restrict to root
+ set_permissions(&config_dest, Permissions::from_mode(0o700)).with_context(|| {
+ format!(
+ "setting file mode for Ignition directory {}",
+ config_dest.display()
+ )
+ })?;
+ }
// do the copy
config_dest.push("config.ign");
@@ -262,6 +278,13 @@ fn write_ignition(
config_dest.display()
)
})?;
+ // Ignition config may contain secrets; restrict to root
+ set_permissions(&config_dest, Permissions::from_mode(0o600)).with_context(|| {
+ format!(
+ "setting file mode for destination Ignition config {}",
+ config_dest.display()
+ )
+ })?;
copy(&mut config_in, &mut config_out).context("writing Ignition config")?;
Ok(())
--
2.31.1
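Review bot: The `0o700` mode in the first install.rs hunk is applied only inside `if !config_dest.is_dir()`, so an `ignition` directory that already exists under the mountpoint keeps whatever mode it has; whether that path can pre-exist at install time is not visible from the patch. If it can, `set_permissions(&config_dest, Permissions::from_mode(0o700))` should run unconditionally after `create_dir_all`, which is already a no-op for an existing directory. In the second hunk the `0o600` chmod comes after the destination file has been opened (the `OpenOptions` call ends at the `})?;` at the top of the hunk, its start is outside it), so the file briefly exists with the umask-derived mode while still empty; opening it with `OpenOptionsExt::mode(0o600)` from `std::os::unix::fs` would set the mode at creation and make the later chmod a belt-and-braces step. `write_ignition` begins and ends outside both hunks.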