Secure host file permissions

* added the missing recursive flag to the chmod command used to remove
extraneous permissions from CURATED_DIRS
* added commands to change permissions for manifests and configurations
that are copied to the host

Change-Id: I174db09061c3162db11dd976a55132f5fad7a80d
Michael Beaver 2018-10-15 12:50:53 -05:00
parent 9f2e6b89e1
commit 8b45a36419
6 changed files with 7 additions and 1 deletions


@ -21,6 +21,7 @@ compare_copy_files() {
if [ ! -e /host{{ .dest }} ] || ! cmp -s {{ .source }} /host{{ .dest }}; then
mkdir -p $(dirname /host{{ .dest }})
cp {{ .source }} /host{{ .dest }}
chmod go-rwx /host{{ .dest }}
fi
{{end}}
}
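Review bot: The new `chmod go-rwx /host{{ .dest }}` sits inside the `if`, so it runs only when the file is (re)copied; a destination that already exists with identical content but loose permissions is never tightened. Moving the line below `fi` would apply it on every pass. For a newly created file there is also a short window between `cp` and `chmod` in which the copy carries the default umask bits, which `(umask 077; cp {{ .source }} /host{{ .dest }})` would close. The same pattern appears in the three other compare_copy_files hunks on this page, and the function's loop header is outside the hunk.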


@ -21,6 +21,7 @@ compare_copy_files() {
if [ ! -e /host{{ .dest }} ] || ! cmp -s {{ .source }} /host{{ .dest }}; then
mkdir -p $(dirname /host{{ .dest }})
cp {{ .source }} /host{{ .dest }}
chmod go-rwx /host{{ .dest }}
fi
{{end}}
}


@ -44,6 +44,7 @@ function sync_configuration {
ETCD_INITIAL_CLUSTER_STATE=existing
create_manifest "$ETCD_INITIAL_CLUSTER" "$ETCD_INITIAL_CLUSTER_STATE" "$TEMP_MANIFEST"
sync_file "${TEMP_MANIFEST}" "${MANIFEST_PATH}"
chmod go-rwx "${MANIFEST_PATH}"
}
firstrun=true
while true; do
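Review bot: `chmod go-rwx "${MANIFEST_PATH}"` runs only after `sync_file` has already placed the manifest, so the file may be readable by group and other for a moment on every sync, and the mode of `"${TEMP_MANIFEST}"` is not addressed at all. `create_manifest` and `sync_file` are not visible here, so this assumes they create files under the default umask. If they do, a `umask 077` ahead of `create_manifest` would have both files created without those bits and leave the chmod as a backstop. sync_configuration begins outside the hunk.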


@ -24,6 +24,7 @@ compare_copy_files() {
if [ ! -e /host{{ .dest }} ] || ! cmp -s {{ .source }} /host{{ .dest }}; then
mkdir -p $(dirname /host{{ .dest }})
cp {{ .source }} /host{{ .dest }}
chmod go-rwx /host{{ .dest }}
fi
{{- end }}
}
@ -104,6 +105,7 @@ install_config() {
else
echo HAProxy config file unchanged.
fi
chmod -R go-rwx $(dirname "$HAPROXY_CONF")
fi
}
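Review bot: `chmod -R go-rwx $(dirname "$HAPROXY_CONF")` in install_config recurses over whatever directory the path resolves to, and the command substitution is unquoted. If `HAPROXY_CONF` is empty, `dirname` prints `.` and the recursion strips permissions across the working directory; a directory name containing whitespace is split into several arguments. Resolving the directory once with a guard, `conf_dir=$(dirname -- "${HAPROXY_CONF:?}")` then `chmod -R go-rwx -- "$conf_dir"`, avoids both. Where `HAPROXY_CONF` is set is not visible here, so it is worth confirming that its parent directory holds only HAProxy files, since every entry beneath it loses group and other access. install_config starts outside the hunk.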


@ -22,6 +22,7 @@ compare_copy_files() {
if [ ! -e /host{{ .dest }} ] || ! cmp -s {{ .source }} /host{{ .dest }}; then
mkdir -p $(dirname /host{{ .dest }})
cp {{ .source }} /host{{ .dest }}
chmod go-rwx /host{{ .dest }}
fi
{{- end }}
}


@ -23,7 +23,7 @@ echo "{{ encrypted_tarball | b64enc }}" | base64 -d | {{ decrypt_command }} | ta
set -x
for DIR in "${CURATED_DIRS[@]}"; do
chmod go-rwx "${DIR}"
chmod -R go-rwx "${DIR}"
done
# Adding apt repositories
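Review bot: `chmod -R go-rwx "${DIR}"` tightens the curated directories only after the decrypted content is already on disk, so the files keep whatever modes they were unpacked with until the loop reaches them. The extraction pipeline is visible only in the truncated hunk header, so its flags cannot be checked here; it presumably ends in tar. If so, a `umask 077` before the pipeline, together with tar's `--no-same-permissions` when it runs as root, would create the files without group and other bits and leave this loop as a backstop. A short comment above the loop, such as `# -R: the unpacked files inherit archive modes, not only the top-level directory`, would record why the recursive flag is needed.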