enforced stricter file permissions
StephenButtolph committed Mar 23, 2021
1 parent b29581c commit aa63669
Showing 10 changed files with 101 additions and 13 deletions.
11 changes: 11 additions & 0 deletions api/admin/performance.go
Expand Up @@ -8,6 +8,8 @@ import (
"os"
"runtime"
"runtime/pprof"

"github.com/ava-labs/avalanchego/utils/perms"
)

const (
Expand Down Expand Up @@ -51,6 +53,9 @@ func (p *Performance) StartCPUProfiler() error {
if err != nil {
return err
}
if err := file.Chmod(perms.ReadWrite); err != nil {
return err
}
if err := pprof.StartCPUProfile(file); err != nil {
_ = file.Close() // Return the original error
return err
Expand Down Expand Up @@ -79,6 +84,9 @@ func (p *Performance) MemoryProfile() error {
if err != nil {
return err
}
if err := file.Chmod(perms.ReadWrite); err != nil {
return err
}
runtime.GC() // get up-to-date statistics
if err := pprof.WriteHeapProfile(file); err != nil {
_ = file.Close() // Return the original error
Expand All @@ -93,6 +101,9 @@ func (p *Performance) LockProfile() error {
if err != nil {
return err
}
if err := file.Chmod(perms.ReadWrite); err != nil {
return err
}

profile := pprof.Lookup("mutex")
if err := profile.WriteTo(file, 1); err != nil {
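Review bot: When `file.Chmod(perms.ReadWrite)` fails in StartCPUProfiler, MemoryProfile and LockProfile, the function returns without closing `file`, unlike the pprof error paths beside it that call `_ = file.Close()`; the same pattern is added to `fileWriter.create` in utils/logging/log.go. Add `_ = file.Close() // Return the original error` before each new `return err`. The call that opens the file is outside these hunks; if it is `os.Create`, the profile exists with umask-derived permissions until the Chmod runs, and `os.OpenFile(name, os.O_RDWR|os.O_CREATE|os.O_TRUNC, perms.ReadWrite)` would apply the mode at creation, with the Chmod kept for files that already exist. All three function bodies begin and end outside the hunks shown.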
4 changes: 2 additions & 2 deletions api/admin/service.go
Expand Up @@ -5,7 +5,6 @@ package admin

import (
"errors"
"io/ioutil"
"net/http"

"github.com/gorilla/rpc/v2"
Expand All @@ -15,6 +14,7 @@ import (
"github.com/ava-labs/avalanchego/ids"
"github.com/ava-labs/avalanchego/snow/engine/common"
"github.com/ava-labs/avalanchego/utils/logging"
"github.com/ava-labs/avalanchego/utils/perms"

cjson "github.com/ava-labs/avalanchego/utils/json"
)
Expand Down Expand Up @@ -159,5 +159,5 @@ func (service *Admin) Stacktrace(_ *http.Request, _ *struct{}, reply *api.Succes

reply.Success = true
stacktrace := []byte(logging.Stacktrace{Global: true}.String())
return ioutil.WriteFile(stacktraceFile, stacktrace, 0600)
return perms.WriteFile(stacktraceFile, stacktrace, perms.ReadWrite)
}
4 changes: 2 additions & 2 deletions genesis/genesis_test.go
Expand Up @@ -5,7 +5,6 @@ package genesis

import (
"fmt"
"io/ioutil"
"path"
"testing"

Expand All @@ -14,6 +13,7 @@ import (
"github.com/ava-labs/avalanchego/ids"
"github.com/ava-labs/avalanchego/utils/constants"
"github.com/ava-labs/avalanchego/utils/hashing"
"github.com/ava-labs/avalanchego/utils/perms"
"github.com/ava-labs/avalanchego/vms/avm"
"github.com/ava-labs/avalanchego/vms/evm"
"github.com/ava-labs/avalanchego/vms/platformvm"
Expand Down Expand Up @@ -307,7 +307,7 @@ func TestGenesis(t *testing.T) {
var customFile string
if len(test.customConfig) > 0 {
customFile = path.Join(t.TempDir(), "config.json")
assert.NoError(ioutil.WriteFile(customFile, []byte(test.customConfig), 0600))
assert.NoError(perms.WriteFile(customFile, []byte(test.customConfig), perms.ReadWrite))
}

if len(test.missingFilepath) > 0 {
7 changes: 7 additions & 0 deletions main/main.go
Expand Up @@ -16,6 +16,7 @@ import (
"github.com/ava-labs/avalanchego/utils/crypto"
"github.com/ava-labs/avalanchego/utils/dynamicip"
"github.com/ava-labs/avalanchego/utils/logging"
"github.com/ava-labs/avalanchego/utils/perms"
)

const (
Expand All @@ -41,6 +42,12 @@ func main() {
return
}

// Set the data directory permissions to be read write.
if err := perms.ChmodR(defaultDataDir, true, perms.ReadWriteExecute); err != nil {
fmt.Printf("failed to restrict the permissions of the data directory with error %s\n", err)
return
}

logFactory := logging.NewFactory(Config.LoggingConfig)
defer logFactory.Close()

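Review bot: `perms.ChmodR(defaultDataDir, true, perms.ReadWriteExecute)` returns an error when `defaultDataDir` does not exist, because the walk callback in utils/perms/chmod.go hands the root's stat error straight back, so a node whose data directory has not been created yet would print the failure and exit here unless earlier code outside this hunk creates it. Treat a missing directory as nothing to do, e.g. `if err := perms.ChmodR(...); err != nil && !errors.Is(err, os.ErrNotExist) {`. The call also covers only the default location; whether database, staking or log paths set through configuration get the same treatment cannot be seen from this hunk. The comment says "read write" while the mode applied is `perms.ReadWriteExecute` on directories only; `// Restrict directories under the default data directory to owner-only access.` would match the code.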
9 changes: 5 additions & 4 deletions main/params.go
Expand Up @@ -48,14 +48,15 @@ var (

homeDir = os.ExpandEnv("$HOME")
prefixedAppName = fmt.Sprintf(".%s", constants.AppName)
defaultDbDir = filepath.Join(homeDir, prefixedAppName, "db")
defaultStakingKeyPath = filepath.Join(homeDir, prefixedAppName, "staking", "staker.key")
defaultStakingCertPath = filepath.Join(homeDir, prefixedAppName, "staking", "staker.crt")
defaultDataDir = filepath.Join(homeDir, prefixedAppName)
defaultDbDir = filepath.Join(defaultDataDir, "db")
defaultStakingKeyPath = filepath.Join(defaultDataDir, "staking", "staker.key")
defaultStakingCertPath = filepath.Join(defaultDataDir, "staking", "staker.crt")
defaultPluginDirs = []string{
filepath.Join(".", "build", "plugins"),
filepath.Join(".", "plugins"),
filepath.Join("/", "usr", "local", "lib", constants.AppName),
filepath.Join(homeDir, prefixedAppName, "plugins"),
filepath.Join(defaultDataDir, "plugins"),
}
// GitCommit should be optionally set at compile time.
GitCommit string
11 changes: 7 additions & 4 deletions staking/gen_staker_key.go
Expand Up @@ -10,6 +10,8 @@ import (
"os"
"path/filepath"
"time"

"github.com/ava-labs/avalanchego/utils/perms"
)

// GenerateStakingKeyCert generates a self-signed TLS key/cert pair to use in staking
Expand Down Expand Up @@ -41,9 +43,10 @@ func GenerateStakingKeyCert(keyPath, certPath string) error {
}

// Ensure directory where key/cert will live exist
if err := os.MkdirAll(filepath.Dir(certPath), 0700); err != nil {
if err := os.MkdirAll(filepath.Dir(certPath), perms.ReadWriteExecute); err != nil {
return fmt.Errorf("couldn't create path for cert: %w", err)
} else if err := os.MkdirAll(filepath.Dir(keyPath), 0700); err != nil {
}
if err := os.MkdirAll(filepath.Dir(keyPath), perms.ReadWriteExecute); err != nil {
return fmt.Errorf("couldn't create path for key: %w", err)
}

Expand All @@ -58,7 +61,7 @@ func GenerateStakingKeyCert(keyPath, certPath string) error {
if err := certFile.Close(); err != nil {
return fmt.Errorf("couldn't close cert file: %w", err)
}
if err := os.Chmod(certPath, 0400); err != nil { // Make cert read-only
if err := os.Chmod(certPath, perms.ReadOnly); err != nil { // Make cert read-only
return fmt.Errorf("couldn't change permissions on cert: %w", err)
}

Expand All @@ -77,7 +80,7 @@ func GenerateStakingKeyCert(keyPath, certPath string) error {
if err := keyOut.Close(); err != nil {
return fmt.Errorf("couldn't close key file: %w", err)
}
if err := os.Chmod(keyPath, 0400); err != nil { // Make key read-only
if err := os.Chmod(keyPath, perms.ReadOnly); err != nil { // Make key read-only
return fmt.Errorf("couldn't change permissions on key")
}

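Review bot: The private key is restricted to `perms.ReadOnly` only after it has been written and closed, and the call that creates `keyOut` is outside these hunks, so if it is created with default permissions the key is readable according to the process umask until the Chmod runs. Creating it with `os.OpenFile(keyPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, perms.ReadWrite)` and tightening to read-only afterwards would close that window; the same applies to `certFile`. The last line of the final hunk, `return fmt.Errorf("couldn't change permissions on key")`, drops the underlying error, unlike the cert branch; use `return fmt.Errorf("couldn't change permissions on key: %w", err)`. `os.MkdirAll` applies `perms.ReadWriteExecute` only to directories it creates, so an existing staking directory keeps whatever mode it had.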
6 changes: 5 additions & 1 deletion utils/logging/log.go
Expand Up @@ -14,6 +14,7 @@ import (
"time"

"github.com/ava-labs/avalanchego/utils/constants"
"github.com/ava-labs/avalanchego/utils/perms"
)

var (
Expand All @@ -38,7 +39,7 @@ type Log struct {

// New ...
func New(config Config) (*Log, error) {
if err := os.MkdirAll(config.Directory, os.ModePerm); err != nil {
if err := os.MkdirAll(config.Directory, perms.ReadWriteExecute); err != nil {
return nil, err
}
l := &Log{
Expand Down Expand Up @@ -375,6 +376,9 @@ func (fw *fileWriter) create(fileIndex int) (*bufio.Writer, *os.File, error) {
if err != nil {
return nil, nil, err
}
if err := file.Chmod(perms.ReadWrite); err != nil {
return nil, nil, err
}
writer := bufio.NewWriter(file)
return writer, file, nil
}
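Review bot: `os.MkdirAll(config.Directory, perms.ReadWriteExecute)` in New sets the mode only on directories it creates, so a log directory left by an earlier run under `os.ModePerm` keeps its old permissions. If the log directory can sit outside the tree that the `perms.ChmodR` call in main covers (not visible from this file), follow the MkdirAll with `os.Chmod(config.Directory, perms.ReadWriteExecute)`. A short comment on the MkdirAll, such as `// Only newly created directories get this mode; existing ones are left as is.`, would keep the next reader from assuming more.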
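--- a/utils/perms/chmod.go
+++ b/utils/perms/chmod.go
@@ -0,0 +1,20 @@
+// (c) 2019-2020, Ava Labs, Inc. All rights reserved.
+// See the file LICENSE for licensing terms.
+
+package perms
+
+import (
+"os"
+"path/filepath"
+)
+
+// ChmodR sets the permissions of all directories and optionally files to [perm]
+// permissions.
+func ChmodR(dir string, dirOnly bool, perm os.FileMode) error {
+return filepath.Walk(dir, func(name string, info os.FileInfo, err error) error {
+if err != nil || (dirOnly && !info.IsDir()) {
+return err
+}
+return os.Chmod(name, perm)
+})
+}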
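Review bot: ChmodR calls `os.Chmod(name, perm)`, which follows symbolic links, while `filepath.Walk` describes each entry with lstat data; with `dirOnly` false, a link inside `dir` would have its target's mode changed, possibly outside the tree. Skip links before the chmod with `if info.Mode()&os.ModeSymlink != 0 { return nil }`. With `dirOnly` false the same `perm` is applied to files and directories alike, so `perms.ReadWrite` would leave directories untraversable and `perms.ReadWriteExecute` would mark every file executable; the doc comment should say this, or the function should take separate modes. The comment should also state that a missing `dir` is returned as an error, since the callback passes the walk error back unchanged.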
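--- a/utils/perms/perms.go
+++ b/utils/perms/perms.go
@@ -0,0 +1,10 @@
+// (c) 2019-2020, Ava Labs, Inc. All rights reserved.
+// See the file LICENSE for licensing terms.
+
+package perms
+
+const (
+ReadOnly = 0400
+ReadWrite = 0600
+ReadWriteExecute = 0700
+)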
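Review bot: The three exported constants have no doc comments and are untyped, and their names do not say that access is granted to the owner only. A comment on each, such as `// ReadWrite grants read and write to the owner and nothing to group or others (0600).`, plus declaring them as `os.FileMode` (`ReadOnly os.FileMode = 0400`), would make the intent explicit at call sites like `os.MkdirAll` and `file.Chmod`.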
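--- a/utils/perms/write_file.go
+++ b/utils/perms/write_file.go
@@ -0,0 +1,32 @@
+// (c) 2019-2020, Ava Labs, Inc. All rights reserved.
+// See the file LICENSE for licensing terms.
+
+package perms
+
+import (
+"errors"
+"io/ioutil"
+"os"
+)
+
+// WriteFile writes [data] to [filename] and ensures that [filename] has [perm]
+// permissions.
+func WriteFile(filename string, data []byte, perm os.FileMode) error {
+info, err := os.Stat(filename)
+if errors.Is(err, os.ErrNotExist) {
+// The file doesn't exist, so try to write it.
+return ioutil.WriteFile(filename, data, perm)
+}
+if err != nil {
+return err
+}
+if info.Mode() != perm {
+// The file currently has the wrong permissions, so update them.
+if err := os.Chmod(filename, perm); err != nil {
+return err
+}
+}
+// The file has the right permissions, so truncate any data and write the
+// file.
+return ioutil.WriteFile(filename, data, perm)
+}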
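Review bot: WriteFile checks and fixes the mode by path (`os.Stat`, then `os.Chmod`, then `ioutil.WriteFile`), so the file that is finally written is not guaranteed to be the one that was inspected. If the path is created or replaced between the calls, `ioutil.WriteFile` truncates and writes it without touching its mode, because its `perm` argument only applies when the file is created. `info.Mode() != perm` also compares the file-type bits; `info.Mode().Perm()` is the permission part. Opening the file once and calling Chmod on the handle before writing removes the window and the separate not-exist branch; the `errors` and `io/ioutil` imports are then unused.

```go
func WriteFile(filename string, data []byte, perm os.FileMode) error {
	f, err := os.OpenFile(filename, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, perm)
	if err != nil {
		return err
	}
	// Chmod through the open handle so the mode is applied to the file that
	// is about to be written, whether it was just created or already existed.
	if err := f.Chmod(perm); err != nil {
		_ = f.Close() // Return the original error
		return err
	}
	if _, err := f.Write(data); err != nil {
		_ = f.Close() // Return the original error
		return err
	}
	return f.Close()
}
```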
