From f19843cbe03135e5d52b929b1060e95d047525c3 Mon Sep 17 00:00:00 2001 From: hghaf099 <83242695+hghaf099@users.noreply.github.com> Date: Mon, 4 Apr 2022 12:13:54 -0400 Subject: [PATCH] Fixing excessive unix file permissions (#14791) (#14873) * Fixing excessive unix file permissions * CL * reduce the permission from 750 to 700 --- changelog/14791.txt | 3 +++ command/agent.go | 2 +- command/operator_raft_snapshot_save.go | 2 +- command/server.go | 4 ++-- physical/raft/raft.go | 2 +- physical/raft/snapshot.go | 4 ++-- 6 files changed, 10 insertions(+), 7 deletions(-) create mode 100644 changelog/14791.txt diff --git a/changelog/14791.txt b/changelog/14791.txt new file mode 100644 index 000000000000..b9e43154877e --- /dev/null +++ b/changelog/14791.txt @@ -0,0 +1,3 @@ +```release-note:bug +core: fixing excessive unix file permissions +``` diff --git a/command/agent.go b/command/agent.go index 31a6f7336bc2..6bafd4cb072d 100644 --- a/command/agent.go +++ b/command/agent.go @@ -979,7 +979,7 @@ func (c *AgentCommand) storePidFile(pidPath string) error { } // Open the PID file - pidFile, err := os.OpenFile(pidPath, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644) + pidFile, err := os.OpenFile(pidPath, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o600) if err != nil { return fmt.Errorf("could not open pid file: %w", err) } diff --git a/command/operator_raft_snapshot_save.go b/command/operator_raft_snapshot_save.go index 825bb303a1c8..496b0a7b52c4 100644 --- a/command/operator_raft_snapshot_save.go +++ b/command/operator_raft_snapshot_save.go @@ -76,7 +76,7 @@ func (c *OperatorRaftSnapshotSaveCommand) Run(args []string) int { w := &lazyOpenWriter{ openFunc: func() (io.WriteCloser, error) { - return os.OpenFile(path, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644) + return os.OpenFile(path, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o600) }, } diff --git a/command/server.go b/command/server.go index e27f31d93f7a..656bfc28570f 100644 --- a/command/server.go +++ b/command/server.go @@ -1926,7 +1926,7 @@ func (c *ServerCommand) enableThreeNodeDevCluster(base *vault.CoreConfig, info m return 1 } - if err := ioutil.WriteFile(filepath.Join(testCluster.TempDir, "root_token"), []byte(testCluster.RootToken), 0o755); err != nil { + if err := ioutil.WriteFile(filepath.Join(testCluster.TempDir, "root_token"), []byte(testCluster.RootToken), 0o600); err != nil { c.UI.Error(fmt.Sprintf("Error writing token to tempfile: %s", err)) return 1 } @@ -2158,7 +2158,7 @@ func (c *ServerCommand) storePidFile(pidPath string) error { } // Open the PID file - pidFile, err := os.OpenFile(pidPath, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644) + pidFile, err := os.OpenFile(pidPath, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o600) if err != nil { return fmt.Errorf("could not open pid file: %w", err) } diff --git a/physical/raft/raft.go b/physical/raft/raft.go index b356998d1092..3a302f689a04 100644 --- a/physical/raft/raft.go +++ b/physical/raft/raft.go @@ -274,7 +274,7 @@ func EnsurePath(path string, dir bool) error { if !dir { path = filepath.Dir(path) } - return os.MkdirAll(path, 0o755) + return os.MkdirAll(path, 0o700) } // NewRaftBackend constructs a RaftBackend using the given directory diff --git a/physical/raft/snapshot.go b/physical/raft/snapshot.go index 7e3f875b0f8e..cebcdb0a4a82 100644 --- a/physical/raft/snapshot.go +++ b/physical/raft/snapshot.go @@ -86,7 +86,7 @@ func NewBoltSnapshotStore(base string, logger log.Logger, fsm *FSM) (*BoltSnapsh // Ensure our path exists path := filepath.Join(base, snapPath) - if err := os.MkdirAll(path, 0o755); err != nil && !os.IsExist(err) { + if err := os.MkdirAll(path, 0o700); err != nil && !os.IsExist(err) { return nil, fmt.Errorf("snapshot path not accessible: %v", err) } @@ -324,7 +324,7 @@ func (s *BoltSnapshotSink) writeBoltDBFile() error { s.logger.Info("creating new snapshot", "path", path) // Make the directory - if err := os.MkdirAll(path, 0o755); err != nil { + if err := os.MkdirAll(path, 0o700); err != nil { s.logger.Error("failed to make snapshot directory", "error", err) return err }