From 2a36405339c87b16ed6c76e91ad5b76638fbdb0c Mon Sep 17 00:00:00 2001
From: Benjamin Gilbert
Date: Tue, 6 Jul 2021 13:07:30 -0400
Subject: [PATCH] install: restrict access permissions on /boot/ignition{,/config.ign}

The Ignition config may contain secrets. Don't expose it, or anything in its parent directory, to unprivileged processes.

https://github.com/coreos/fedora-coreos-tracker/issues/889
---
 src/install.rs | 29 ++++++++++++++++++++++++++---
 1 file changed, 26 insertions(+), 3 deletions(-)

diff --git a/src/install.rs b/src/install.rs
index 20d1f416c..364072327 100644
--- a/src/install.rs
+++ b/src/install.rs
@@ -16,9 +16,11 @@ use anyhow::{bail, Context, Result};
 use lazy_static::lazy_static;
 use nix::mount;
 use regex::Regex;
-use std::fs::{copy as fscopy, create_dir_all, read_dir, File, OpenOptions};
+use std::fs::{
+ copy as fscopy, create_dir_all, read_dir, set_permissions, File, OpenOptions, Permissions,
+};
 use std::io::{copy, Read, Seek, SeekFrom, Write};
-use std::os::unix::fs::FileTypeExt;
+use std::os::unix::fs::{FileTypeExt, PermissionsExt};
 use std::path::{Path, PathBuf};
 
 use crate::blockdev::*;
@@ -248,7 +250,21 @@ fn write_ignition(
 // make parent directory
 let mut config_dest = mountpoint.to_path_buf();
 config_dest.push("ignition");
- create_dir_all(&config_dest).context("creating Ignition config directory")?;
+ if !config_dest.is_dir() {
+ create_dir_all(&config_dest).with_context(|| {
+ format!(
+ "creating Ignition config directory {}",
+ config_dest.display()
+ )
+ })?;
+ // Ignition data may contain secrets; restrict to root
+ set_permissions(&config_dest, Permissions::from_mode(0o700)).with_context(|| {
+ format!(
+ "setting file mode for Ignition directory {}",
+ config_dest.display()
+ )
+ })?;
+ }
 
 // do the copy
 config_dest.push("config.ign");
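Review bot: The `if !config_dest.is_dir()` guard around the new block means an `ignition` directory that already exists on the target (for example from an earlier install run or a pre-populated boot partition) keeps whatever mode it already has, so the 0700 restriction this commit intends is only applied when the directory is created fresh. `create_dir_all` succeeds on an existing directory, so the guard can simply be dropped and `set_permissions(&config_dest, Permissions::from_mode(0o700))` run unconditionally after it. If the brief window between mkdir (umask-derived default mode) and chmod matters, `std::fs::DirBuilder::new().recursive(true).mode(0o700).create(&config_dest)` via `std::os::unix::fs::DirBuilderExt` creates the final directory with the restricted mode from the start; whether that window is reachable depends on whether `mountpoint` is a private, freshly formatted filesystem at this point, which is not visible in the hunk. `write_ignition` begins before and continues after this hunk.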
@@ -262,6 +278,13 @@ fn write_ignition(
 config_dest.display()
 )
 })?;
+ // Ignition config may contain secrets; restrict to root
+ set_permissions(&config_dest, Permissions::from_mode(0o600)).with_context(|| {
+ format!(
+ "setting file mode for destination Ignition config {}",
+ config_dest.display()
+ )
+ })?;
 copy(&mut config_in, &mut config_out).context("writing Ignition config")?;
 Ok(())