Fix master pull socket permissions

saltstack · Aug 13, 2024 · 9ee1e59 · 9ee1e59
1 parent bd89384
commit 9ee1e59
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 5 deletions.
diff --git a/salt/transport/base.py b/salt/transport/base.py
@@ -233,6 +233,7 @@ def ipc_publish_server(node, opts):
             kwargs.update(
                 pub_path=os.path.join(opts["sock_dir"], "master_event_pub.ipc"),
                 pull_path=os.path.join(opts["sock_dir"], "master_event_pull.ipc"),
+                pub_path_perms=0o660,
             )
         else:
             id_hash = _minion_hash(

diff --git a/salt/transport/tcp.py b/salt/transport/tcp.py
@@ -10,6 +10,7 @@
 import errno
 import logging
 import multiprocessing
+import os
 import queue
 import select
 import socket
@@ -1327,6 +1328,8 @@ def __init__(
         pull_host=None,
         pull_port=None,
         pull_path=None,
+        pull_path_perms=0o600,
+        pub_path_perms=0o600,
         ssl=None,
     ):
         self.opts = opts
@@ -1337,6 +1340,8 @@ def __init__(
         self.pull_host = pull_host
         self.pull_port = pull_port
         self.pull_path = pull_path
+        self.pull_path_prems = pull_path_perms
+        self.pub_path_prems = pub_path_perms
         self.ssl = ssl
 
     @property
@@ -1406,7 +1411,9 @@ async def publisher(
             log.debug(
                 "Publish server binding pub to %s ssl=%r", self.pub_path, self.ssl
             )
-            sock = tornado.netutil.bind_unix_socket(self.pub_path)
+            with salt.utils.files.set_umask(0o177):
+                sock = tornado.netutil.bind_unix_socket(self.pub_path)
+                os.chmod(self.pub_path, self.pub_path_perms)
         else:
             log.debug(
                 "Publish server binding pub to %s:%s ssl=%r",
@@ -1446,6 +1453,7 @@ async def publisher(
         # Securely create socket
         with salt.utils.files.set_umask(0o177):
             self.pull_sock.start()
+            os.chmod(self.pull_path, self.pull_path_perms)
 
     def pre_fork(self, process_manager):
         """

diff --git a/salt/transport/ws.py b/salt/transport/ws.py
@@ -1,6 +1,7 @@
 import asyncio
 import logging
 import multiprocessing
+import os
 import socket
 import time
 import warnings
@@ -259,6 +260,8 @@ def __init__(
         pull_host=None,
         pull_port=None,
         pull_path=None,
+        pull_path_perms=0o600,
+        pub_path_perms=0o600,
         ssl=None,
     ):
         self.opts = opts
@@ -268,6 +271,8 @@ def __init__(
         self.pull_host = pull_host
         self.pull_port = pull_port
         self.pull_path = pull_path
+        self.pull_path_perms = pull_path_perms
+        self.pub_path_perms = pub_path_perms
         self.ssl = ssl
         self.clients = set()
         self._run = None
@@ -291,6 +296,8 @@ def __getstate__(self):
             "pull_host": self.pull_host,
             "pull_port": self.pull_port,
             "pull_path": self.pull_path,
+            "pull_path_perms": self.pull_path_perms,
+            "pub_path_perms": self.pub_path_perms,
         }
 
     def publish_daemon(
@@ -338,8 +345,10 @@ async def publisher(
             server = aiohttp.web.Server(self.handle_request)
             runner = aiohttp.web.ServerRunner(server)
             await runner.setup()
-            site = aiohttp.web.UnixSite(runner, self.pub_path, ssl_context=ctx)
-            log.info("Publisher binding to socket %s", self.pub_path)
+            with salt.utils.files.set_umask(0o177):
+                log.info("Publisher binding to socket %s", self.pub_path)
+                site = aiohttp.web.UnixSite(runner, self.pub_path, ssl_context=ctx)
+                os.chmod(self.pub_path, self.pub_path_perms)
         else:
             sock = _get_socket(self.opts)
             sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
@@ -360,6 +369,7 @@ async def publisher(
                 self.puller = await asyncio.start_unix_server(
                     self.pull_handler, self.pull_path
                 )
+                os.chmod(self.pull_path, self.pull_path_perms)
         else:
             self.puller = await asyncio.start_server(
                 self.pull_handler, self.pull_host, self.pull_port

diff --git a/salt/transport/zeromq.py b/salt/transport/zeromq.py
@@ -852,6 +852,8 @@ def __init__(
         pull_host=None,
         pull_port=None,
         pull_path=None,
+        pull_path_perms=0o600,
+        pub_path_perms=0o600,
     ):
         self.opts = opts
         self.pub_host = pub_host
@@ -864,6 +866,8 @@ def __init__(
         self.pull_host = pull_host
         self.pull_port = pull_port
         self.pull_path = pull_path
+        self.pub_path_perms = pub_path_perms
+        self.pull_path_perms = pull_path_perms
         if pull_path:
             self.pull_uri = f"ipc://{pull_path}"
         else:
@@ -930,14 +934,14 @@ def _get_sockets(self, context, ioloop):
             if self.pub_path:
                 os.chmod(  # nosec
                     self.pub_path,
-                    0o600,
+                    self.pub_path_perms,
                 )
             log.info("Starting the Salt Puller on %s", self.pull_uri)
             pull_sock.bind(self.pull_uri)
             if self.pull_path:
                 os.chmod(  # nosec
                     self.pull_path,
-                    0o600,
+                    self.pull_path_perms,
                 )
         return pull_sock, pub_sock, monitor