From 8b45a3641969e3b5658dde9fc41923a525db539b Mon Sep 17 00:00:00 2001 From: Michael Beaver Date: Mon, 15 Oct 2018 12:50:53 -0500 Subject: [PATCH] Secure host file permissions * added in missing recursive flag to the chmod command used to remove extraneous permissions from CURATED_DIRS * added commands to change permissions for manifests and configurations that are copied to the host Change-Id: I174db09061c3162db11dd976a55132f5fad7a80d --- charts/apiserver/templates/bin/_anchor.tpl | 1 + charts/controller_manager/templates/bin/_anchor.tpl | 1 + charts/etcd/templates/bin/_etcdctl_anchor.tpl | 1 + charts/haproxy/templates/bin/_anchor.tpl | 2 ++ charts/scheduler/templates/bin/_anchor.tpl | 1 + promenade/templates/include/up.sh | 2 +- 6 files changed, 7 insertions(+), 1 deletion(-) diff --git a/charts/apiserver/templates/bin/_anchor.tpl b/charts/apiserver/templates/bin/_anchor.tpl index 6af65c05..c311ffa0 100644 --- a/charts/apiserver/templates/bin/_anchor.tpl +++ b/charts/apiserver/templates/bin/_anchor.tpl @@ -21,6 +21,7 @@ compare_copy_files() { if [ ! -e /host{{ .dest }} ] || ! cmp -s {{ .source }} /host{{ .dest }}; then mkdir -p $(dirname /host{{ .dest }}) cp {{ .source }} /host{{ .dest }} + chmod go-rwx /host{{ .dest }} fi {{end}} } diff --git a/charts/controller_manager/templates/bin/_anchor.tpl b/charts/controller_manager/templates/bin/_anchor.tpl index 6af65c05..c311ffa0 100644 --- a/charts/controller_manager/templates/bin/_anchor.tpl +++ b/charts/controller_manager/templates/bin/_anchor.tpl @@ -21,6 +21,7 @@ compare_copy_files() { if [ ! -e /host{{ .dest }} ] || ! cmp -s {{ .source }} /host{{ .dest }}; then mkdir -p $(dirname /host{{ .dest }}) cp {{ .source }} /host{{ .dest }} + chmod go-rwx /host{{ .dest }} fi {{end}} } diff --git a/charts/etcd/templates/bin/_etcdctl_anchor.tpl b/charts/etcd/templates/bin/_etcdctl_anchor.tpl index c17fca3e..6f458d75 100644 --- a/charts/etcd/templates/bin/_etcdctl_anchor.tpl +++ b/charts/etcd/templates/bin/_etcdctl_anchor.tpl @@ -44,6 +44,7 @@ function sync_configuration { ETCD_INITIAL_CLUSTER_STATE=existing create_manifest "$ETCD_INITIAL_CLUSTER" "$ETCD_INITIAL_CLUSTER_STATE" "$TEMP_MANIFEST" sync_file "${TEMP_MANIFEST}" "${MANIFEST_PATH}" + chmod go-rwx "${MANIFEST_PATH}" } firstrun=true while true; do diff --git a/charts/haproxy/templates/bin/_anchor.tpl b/charts/haproxy/templates/bin/_anchor.tpl index d84ca166..35d395fe 100644 --- a/charts/haproxy/templates/bin/_anchor.tpl +++ b/charts/haproxy/templates/bin/_anchor.tpl @@ -24,6 +24,7 @@ compare_copy_files() { if [ ! -e /host{{ .dest }} ] || ! cmp -s {{ .source }} /host{{ .dest }}; then mkdir -p $(dirname /host{{ .dest }}) cp {{ .source }} /host{{ .dest }} + chmod go-rwx /host{{ .dest }} fi {{- end }} } @@ -104,6 +105,7 @@ install_config() { else echo HAProxy config file unchanged. fi + chmod -R go-rwx $(dirname "$HAPROXY_CONF") fi } diff --git a/charts/scheduler/templates/bin/_anchor.tpl b/charts/scheduler/templates/bin/_anchor.tpl index 90f5def2..1ae2244c 100644 --- a/charts/scheduler/templates/bin/_anchor.tpl +++ b/charts/scheduler/templates/bin/_anchor.tpl @@ -22,6 +22,7 @@ compare_copy_files() { if [ ! -e /host{{ .dest }} ] || ! cmp -s {{ .source }} /host{{ .dest }}; then mkdir -p $(dirname /host{{ .dest }}) cp {{ .source }} /host{{ .dest }} + chmod go-rwx /host{{ .dest }} fi {{- end }} } diff --git a/promenade/templates/include/up.sh b/promenade/templates/include/up.sh index 1c47fa29..b0eb2295 100644 --- a/promenade/templates/include/up.sh +++ b/promenade/templates/include/up.sh @@ -23,7 +23,7 @@ echo "{{ encrypted_tarball | b64enc }}" | base64 -d | {{ decrypt_command }} | ta set -x for DIR in "${CURATED_DIRS[@]}"; do - chmod go-rwx "${DIR}" + chmod -R go-rwx "${DIR}" done # Adding apt repositories