From 2a36405339c87b16ed6c76e91ad5b76638fbdb0c Mon Sep 17 00:00:00 2001
|
|
From: Benjamin Gilbert <bgilbert@redhat.com>
|
|
Date: Tue, 6 Jul 2021 13:07:30 -0400
|
|
Subject: [PATCH] install: restrict access permissions on
|
|
/boot/ignition{,/config.ign}
|
|
|
|
The Ignition config may contain secrets. Don't expose it, or anything in
|
|
its parent directory, to unprivileged processes.
|
|
|
|
https://github.com/coreos/fedora-coreos-tracker/issues/889
|
|
---
|
|
src/install.rs | 29 ++++++++++++++++++++++++++---
|
|
1 file changed, 26 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/src/install.rs b/src/install.rs
|
|
index 20d1f41..3640723 100644
|
|
--- a/src/install.rs
|
|
+++ b/src/install.rs
|
|
@@ -16,9 +16,11 @@ use anyhow::{bail, Context, Result};
|
|
use lazy_static::lazy_static;
|
|
use nix::mount;
|
|
use regex::Regex;
|
|
-use std::fs::{copy as fscopy, create_dir_all, read_dir, File, OpenOptions};
|
|
+use std::fs::{
|
|
+ copy as fscopy, create_dir_all, read_dir, set_permissions, File, OpenOptions, Permissions,
|
|
+};
|
|
use std::io::{copy, Read, Seek, SeekFrom, Write};
|
|
-use std::os::unix::fs::FileTypeExt;
|
|
+use std::os::unix::fs::{FileTypeExt, PermissionsExt};
|
|
use std::path::{Path, PathBuf};
|
|
|
|
use crate::blockdev::*;
|
|
@@ -248,7 +250,21 @@ fn write_ignition(
|
|
// make parent directory
|
|
let mut config_dest = mountpoint.to_path_buf();
|
|
config_dest.push("ignition");
|
|
- create_dir_all(&config_dest).context("creating Ignition config directory")?;
|
|
+ if !config_dest.is_dir() {
|
|
+ create_dir_all(&config_dest).with_context(|| {
|
|
+ format!(
|
|
+ "creating Ignition config directory {}",
|
|
+ config_dest.display()
|
|
+ )
|
|
+ })?;
|
|
+ // Ignition data may contain secrets; restrict to root
|
|
+ set_permissions(&config_dest, Permissions::from_mode(0o700)).with_context(|| {
|
|
+ format!(
|
|
+ "setting file mode for Ignition directory {}",
|
|
+ config_dest.display()
|
|
+ )
|
|
+ })?;
|
|
+ }
|
|
|
|
// do the copy
|
|
config_dest.push("config.ign");
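Review bot: An `ignition` directory that already exists keeps whatever mode it had, because `set_permissions(&config_dest, Permissions::from_mode(0o700))` sits inside the `if !config_dest.is_dir()` branch. If leaving a pre-existing directory untouched is intended, a comment such as `// existing directory: mode deliberately left as found` would record that; otherwise the call should move below the `if` so the commit's goal of not exposing the parent directory holds on that path too. On the new-directory path the directory is first created with the umask-derived default mode and only then narrowed; `DirBuilder::new().recursive(true).mode(0o700).create(&config_dest)` (with `std::os::unix::fs::DirBuilderExt`) would create it restricted from the start. `write_ignition` begins before this hunk and continues past it.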
|
|
@@ -262,6 +278,13 @@ fn write_ignition(
|
|
config_dest.display()
|
|
)
|
|
})?;
|
|
+ // Ignition config may contain secrets; restrict to root
|
|
+ set_permissions(&config_dest, Permissions::from_mode(0o600)).with_context(|| {
|
|
+ format!(
|
|
+ "setting file mode for destination Ignition config {}",
|
|
+ config_dest.display()
|
|
+ )
|
|
+ })?;
|
|
copy(&mut config_in, &mut config_out).context("writing Ignition config")?;
|
|
|
|
Ok(())
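Review bot: The mode is applied by path with `set_permissions(&config_dest, Permissions::from_mode(0o600))` after the destination has already been opened, so the file briefly exists with whatever mode the open gave it, and a descriptor obtained by another process in that interval would still be readable after the chmod. The open call is outside this hunk, so how `config_out` is built is not visible here. If it is an `OpenOptions` chain, adding `.mode(0o600)` from `std::os::unix::fs::OpenOptionsExt` sets the mode at creation. If `config_out` is a `File`, `config_out.set_permissions(Permissions::from_mode(0o600))` on the handle additionally covers a file that already existed and avoids resolving the path a second time. Keeping the chmod ahead of `copy(&mut config_in, &mut config_out)` is the right order and should be preserved.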
|
|
--
|
|
2.31.1
|
|
|