Don't set any world privileges when setting permissions for rendered …

…jobs - Explicity set owner to root and group to vcap [#152664357](https://www.pivotaltracker.com/story/show/152664357) (cherry picked from commit 6470144) Signed-off-by: Tom Viehman <[email protected]>
SUSE · Nov 13, 2017 · bd4e5e7 · bd4e5e7
1 parent 91acda4
commit bd4e5e7
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 11 deletions.
diff --git a/agent/applier/jobs/rendered_job_applier.go b/agent/applier/jobs/rendered_job_applier.go
@@ -126,9 +126,11 @@ func (s *renderedJobApplier) downloadAndInstall(job models.Job, jobBundle boshbc
 		if err != nil {
 			return err
 		} else if info.IsDir() || strings.HasPrefix(path, binPath) {
-			return s.fs.Chmod(path, os.FileMode(0755))
+			s.fs.Chown(path, "root:vcap")
+			return s.fs.Chmod(path, os.FileMode(0750))
 		} else {
-			return s.fs.Chmod(path, os.FileMode(0644))
+			s.fs.Chown(path, "root:vcap")
+			return s.fs.Chmod(path, os.FileMode(0640))
 		}
 	})
 	if err != nil {

diff --git a/agent/applier/jobs/rendered_job_applier_test.go b/agent/applier/jobs/rendered_job_applier_test.go
@@ -6,6 +6,8 @@ import (
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
 
+	"io"
+
 	boshbc "github.com/cloudfoundry/bosh-agent/agent/applier/bundlecollection"
 	fakebc "github.com/cloudfoundry/bosh-agent/agent/applier/bundlecollection/fakes"
 	. "github.com/cloudfoundry/bosh-agent/agent/applier/jobs"
@@ -18,7 +20,6 @@ import (
 	boshlog "github.com/cloudfoundry/bosh-utils/logger"
 	fakesys "github.com/cloudfoundry/bosh-utils/system/fakes"
 	boshuuid "github.com/cloudfoundry/bosh-utils/uuid"
-	"io"
 )
 
 type unsupportedAlgo struct{}
@@ -245,8 +246,8 @@ func init() {
 					err := act()
 					Expect(err).ToNot(HaveOccurred())
 
-					Expect(int(binDirStats.FileMode)).To(Equal(0755))
-					Expect(int(configDirStats.FileMode)).To(Equal(0755))
+					Expect(int(binDirStats.FileMode)).To(Equal(0750))
+					Expect(int(configDirStats.FileMode)).To(Equal(0750))
 				})
 
 				It("sets executable bit for files in bin", func() {
@@ -273,14 +274,14 @@ func init() {
 					Expect(err).ToNot(HaveOccurred())
 
 					// bin files are executable
-					Expect(int(binTest1Stats.FileMode)).To(Equal(0755))
-					Expect(int(binTest2Stats.FileMode)).To(Equal(0755))
+					Expect(int(binTest1Stats.FileMode)).To(Equal(0750))
+					Expect(int(binTest2Stats.FileMode)).To(Equal(0750))
 
 					// non-bin files are not made executable
-					Expect(int(configTestStats.FileMode)).ToNot(Equal(0755))
+					Expect(int(configTestStats.FileMode)).ToNot(Equal(0750))
 				})
 
-				It("sets 644 permissions for files in config", func() {
+				It("sets 640 permissions for files in config", func() {
 					compressor.DecompressFileToDirCallBack = func() {
 						fs.WriteFile("/fake-tmp-dir/fake-path-in-archive/config/config1", []byte{})
 						fs.WriteFile("/fake-tmp-dir/fake-path-in-archive/config/config2", []byte{})
@@ -302,8 +303,38 @@ func init() {
 					Expect(err).ToNot(HaveOccurred())
 
 					// permission for config files should be readable by all
-					Expect(int(config1Stats.FileMode)).To(Equal(0644))
-					Expect(int(config2Stats.FileMode)).To(Equal(0644))
+					Expect(int(config1Stats.FileMode)).To(Equal(0640))
+					Expect(int(config2Stats.FileMode)).To(Equal(0640))
+				})
+
+				It("sets root:vcap ownership for all files in the tree", func() {
+					compressor.DecompressFileToDirCallBack = func() {
+						fs.WriteFile("/fake-tmp-dir/fake-path-in-archive/bin/test", []byte{})
+						fs.WriteFile("/fake-tmp-dir/fake-path-in-archive/config/test", []byte{})
+						fs.WriteFile("/fake-tmp-dir/fake-path-in-archive/monit", []byte{})
+						fs.WriteFile("/fake-tmp-dir/fake-path-in-archive/templates/test", []byte{})
+					}
+
+					var binTestStats, configTestStats, monitStats, templateTestStats *fakesys.FakeFileStats
+
+					bundle.InstallCallBack = func() {
+						binTestStats = fs.GetFileTestStat("/fake-tmp-dir/fake-path-in-archive/bin/test")
+						configTestStats = fs.GetFileTestStat("/fake-tmp-dir/fake-path-in-archive/config/test")
+						monitStats = fs.GetFileTestStat("/fake-tmp-dir/fake-path-in-archive/monit")
+						templateTestStats = fs.GetFileTestStat("/fake-tmp-dir/fake-path-in-archive/templates/test")
+					}
+
+					err := act()
+					Expect(err).ToNot(HaveOccurred())
+
+					Expect(binTestStats.Username).To(Equal("root"))
+					Expect(binTestStats.Groupname).To(Equal("vcap"))
+					Expect(monitStats.Username).To(Equal("root"))
+					Expect(monitStats.Groupname).To(Equal("vcap"))
+					Expect(templateTestStats.Username).To(Equal("root"))
+					Expect(templateTestStats.Groupname).To(Equal("vcap"))
+					Expect(configTestStats.Username).To(Equal("root"))
+					Expect(configTestStats.Groupname).To(Equal("vcap"))
 				})
 			}