for cisagov#171, make sure that the file containing the nginx/ldap bi…

…nd credentials are 600 instead of 644
mmguero-dev · Jun 30, 2021 · 02e8f53 · 02e8f53
1 parent cf9f7e9
commit 02e8f53
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 1 deletion.
diff --git a/nginx/scripts/docker_entrypoint.sh b/nginx/scripts/docker_entrypoint.sh
@@ -177,6 +177,7 @@ EOF
     # rewrite modified copy of user ldap configuration to point to local end of tunnel instead of remote
     rm -f "$NGINX_RUNTIME_LDAP_CONF"
     touch "$NGINX_RUNTIME_LDAP_CONF"
+    chmod 600 "$NGINX_RUNTIME_LDAP_CONF"
     READ_LINE_NUM=0
     while IFS= read -r LINE; do
       READ_LINE_NUM=$((READ_LINE_NUM+1))
@@ -192,6 +193,7 @@ EOF
     # however, we do want to set SSL CA trust stuff if specified, so do that
     rm -f "$NGINX_RUNTIME_LDAP_CONF"
     touch "$NGINX_RUNTIME_LDAP_CONF"
+    chmod 600 "$NGINX_RUNTIME_LDAP_CONF"
     READ_LINE_NUM=0
     while IFS= read -r LINE; do
       READ_LINE_NUM=$((READ_LINE_NUM+1))

diff --git a/scripts/control.py b/scripts/control.py
@@ -433,11 +433,13 @@ def start():
 
   # make sure permissions are set correctly for the nginx worker processes
   for authFile in [os.path.join(MalcolmPath, os.path.join('nginx', 'htpasswd')),
-                   os.path.join(MalcolmPath, os.path.join('nginx', 'nginx_ldap.conf')),
                    os.path.join(MalcolmPath, os.path.join('htadmin', 'config.ini')),
                    os.path.join(MalcolmPath, os.path.join('htadmin', 'metadata'))]:
     # chmod 644 authFile
     os.chmod(authFile, stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH)
+  for authFile in [os.path.join(MalcolmPath, os.path.join('nginx', 'nginx_ldap.conf'))]:
+    # chmod 600 authFile
+    os.chmod(authFile, stat.S_IRUSR | stat.S_IWUSR)
 
   # make sure some directories exist before we start
   for path in [os.path.join(MalcolmPath, 'elasticsearch'),