Secure host file permissions

* added in missing recursive flag to the chmod command used to remove
extraneous permissions from CURATED_DIRS
* added commands to change permissions for manifests and configurations
that are copied to the host

Change-Id: I174db09061c3162db11dd976a55132f5fad7a80d

6 files changed, 7 insertions, 1 deletions

diff --git a/charts/apiserver/templates/bin/_anchor.tpl b/charts/apiserver/templates/bin/_anchor.tpl
index 6af65c0..c311ffa 100644
--- a/charts/apiserver/templates/bin/_anchor.tpl
+++ b/charts/apiserver/templates/bin/_anchor.tpl
@@ -21,6 +21,7 @@ compare_copy_files() {
     if [ ! -e /host{{ .dest }} ] || ! cmp -s {{ .source }} /host{{ .dest }}; then
         mkdir -p $(dirname /host{{ .dest }})
         cp {{ .source }} /host{{ .dest }}
+        chmod go-rwx /host{{ .dest }}
     fi
     {{end}}
 }
diff --git a/charts/controller_manager/templates/bin/_anchor.tpl b/charts/controller_manager/templates/bin/_anchor.tpl
index 6af65c0..c311ffa 100644
--- a/charts/controller_manager/templates/bin/_anchor.tpl
+++ b/charts/controller_manager/templates/bin/_anchor.tpl
@@ -21,6 +21,7 @@ compare_copy_files() {
     if [ ! -e /host{{ .dest }} ] || ! cmp -s {{ .source }} /host{{ .dest }}; then
         mkdir -p $(dirname /host{{ .dest }})
         cp {{ .source }} /host{{ .dest }}
+        chmod go-rwx /host{{ .dest }}
     fi
     {{end}}
 }
diff --git a/charts/etcd/templates/bin/_etcdctl_anchor.tpl b/charts/etcd/templates/bin/_etcdctl_anchor.tpl
index c17fca3..6f458d7 100644
--- a/charts/etcd/templates/bin/_etcdctl_anchor.tpl
+++ b/charts/etcd/templates/bin/_etcdctl_anchor.tpl
@@ -44,6 +44,7 @@ function sync_configuration {
     ETCD_INITIAL_CLUSTER_STATE=existing
     create_manifest "$ETCD_INITIAL_CLUSTER" "$ETCD_INITIAL_CLUSTER_STATE" "$TEMP_MANIFEST"
     sync_file "${TEMP_MANIFEST}" "${MANIFEST_PATH}"
+    chmod go-rwx "${MANIFEST_PATH}"
 }
 firstrun=true
 while true; do
diff --git a/charts/haproxy/templates/bin/_anchor.tpl b/charts/haproxy/templates/bin/_anchor.tpl
index d84ca16..35d395f 100644
--- a/charts/haproxy/templates/bin/_anchor.tpl
+++ b/charts/haproxy/templates/bin/_anchor.tpl
@@ -24,6 +24,7 @@ compare_copy_files() {
     if [ ! -e /host{{ .dest }} ] || ! cmp -s {{ .source }} /host{{ .dest }}; then
         mkdir -p $(dirname /host{{ .dest }})
         cp {{ .source }} /host{{ .dest }}
+        chmod go-rwx /host{{ .dest }}
     fi
     {{- end }}
 }
@@ -104,6 +105,7 @@ install_config() {
         else
             echo HAProxy config file unchanged.
         fi
+        chmod -R go-rwx $(dirname "$HAPROXY_CONF")
     fi
 }
 
diff --git a/charts/scheduler/templates/bin/_anchor.tpl b/charts/scheduler/templates/bin/_anchor.tpl
index 90f5def..1ae2244 100644
--- a/charts/scheduler/templates/bin/_anchor.tpl
+++ b/charts/scheduler/templates/bin/_anchor.tpl
@@ -22,6 +22,7 @@ compare_copy_files() {
     if [ ! -e /host{{ .dest }} ] || ! cmp -s {{ .source }} /host{{ .dest }}; then
         mkdir -p $(dirname /host{{ .dest }})
         cp {{ .source }} /host{{ .dest }}
+        chmod go-rwx /host{{ .dest }}
     fi
     {{- end }}
 }
diff --git a/promenade/templates/include/up.sh b/promenade/templates/include/up.sh
index 1c47fa2..b0eb229 100644
--- a/promenade/templates/include/up.sh
+++ b/promenade/templates/include/up.sh
@@ -23,7 +23,7 @@ echo "{{ encrypted_tarball | b64enc }}" | base64 -d | {{ decrypt_command }} | ta
 set -x
 
 for DIR in "${CURATED_DIRS[@]}"; do
-    chmod go-rwx "${DIR}"
+    chmod -R go-rwx "${DIR}"
 done
 
 # Adding apt repositories