fix: [sc-118372] /var/lib/embedded-cluster is not exec by other non-root user #1729
Conversation
|
This PR has been released (on staging) and is available for download with a embedded-cluster-smoke-test-staging-app license ID. Online Installer: Airgap Installer (may take a few minutes before the airgap bundle is built): Happy debugging! |
|
I've added more dir but only for dirs under |
|
I think we should modify these as well since they are code paths in the install workflow @emosbaugh / @sgalsaleh is there any harm in applying this change to all |
|
@banjoh no, that should be fine I think. |
There was a problem hiding this comment.
I ran an install using a binary built from this PR but the install failed. Here is my install attempt
root@evans-vm1:/home/evans# umask 0077
root@evans-vm1:/home/evans# ./embedded-cluster install
? Set the Admin Console password (minimum 6 characters): ******
? Confirm the Admin Console password: ******
✔ Host files materialized!
✔ Host preflights succeeded!
✔ Waiting for embedded-cluster node to be ready
unable to wait for node: unable to get status: exit status 1: Error: status: can't get "status" via "/run/k0s/status.sock": Get "http://localhost/status": dial unix /run/k0s/status.sock: connect: connection refusedI picked a number of paths where the permissions were not right such as
drwx------ root /var/lib/embedded-cluster/- All files in
/var/lib/embedded-cluster/k0s/binhave-r-xr-x--- root. They do not have global execute permission
Since the install failed very early on, there might have been some other paths not set right later on.
Changes needed
- I addition to the changes here, I think we should consider setting
0022umask before the install/join starts usingunix.Umask(0022). This will be a good safeguard to ensure we do not miss created files as well. This PR just addresses directories. - We need to test
joining a new node. - We need cover install and joining in e2e tests where the umask used is
0077. I choose this umask one since its what recommendations such as STIG/CIS document.
|
@banjoh did you resolve conflicts first before you built the binary? |
Hmm. No. Good catch. I'll do that then run another test. |
umask := 0022
oldUmask := unix.Umask(umask)
if oldUmask != umask {
logrus.Debugf("seting umask to %04o from %04o", umask, oldUmask)
}@nvanthao I added this change to |
evidently my test did not work |
banjoh
force-pushed
the
gerard/sc-118372/chmod
branch
from
d4d863b to
c9fe8c3
Compare
| @@ -68,6 +69,9 @@ func RootCmd(ctx context.Context, name string) *cobra.Command { | |||
| metrics.DisableMetrics() | |||
| } | |||
|
|
|||
| // set the umask to 022 so that we can create files/directories with 755 permissions | |||
| _ = syscall.Umask(0o022) | |||
There was a problem hiding this comment.
i assume having this in root isn't sufficient, can you please add a comment to the other ones explaining why?
also, are there no other commands that generate dirs and files other than install, join, and restore? what about materialize? isn't it used by LAM? should we set umask for materialize and LAM cli commands as well? operator cli?
There was a problem hiding this comment.
I'll add it to the various 'main' functions, and try to come up with a better comment for it
| @@ -171,6 +172,9 @@ func preRunInstall(cmd *cobra.Command, flags *InstallCmdFlags) error { | |||
| return fmt.Errorf("install command must be run as root") | |||
| } | |||
|
|
|||
| // set the umask to 022 so that we can create files/directories with 755 permissions | |||
| _ = syscall.Umask(0o022) | |||
There was a problem hiding this comment.
can you at the very least logrus.Debug this error?
There was a problem hiding this comment.
it doesn't return an error, it returns the previous umask value
| @@ -96,6 +97,9 @@ func preRunJoin(flags *JoinCmdFlags) error { | |||
|
|
|||
| flags.isAirgap = flags.airgapBundle != "" | |||
|
|
|||
| // set the umask to 022 so that we can create files/directories with 755 permissions | |||
| _ = syscall.Umask(0o022) | |||
| @@ -68,6 +69,9 @@ func RootCmd(ctx context.Context, name string) *cobra.Command { | |||
| metrics.DisableMetrics() | |||
| } | |||
|
|
|||
| // set the umask to 022 so that we can create files/directories with 755 permissions | |||
| _ = syscall.Umask(0o022) | |||
There was a problem hiding this comment.
The return value is not an error. Its the previous umask.
Story details: https://app.shortcut.com/replicated/story/118372
Problem
When creating directories using
os.MkdirAll, the final permissions are affected by the system'sumask. This behavior is undesirable because it can lead to permission issues when other processes attempt to access or modify files in our data directory (/var/lib/embedded-cluster). Specifically, directories may end up with restrictive permissions that prevent necessary access by other services or processes.Solution
To ensure consistent and correct directory permissions, this PR sets the
umaskto022before beginning execution of the install, restore, or join commands.Demo
Before: https://asciinema.org/a/6BIISglNrpFdvONP03d683q15
After: https://asciinema.org/a/GZCkeoOtPuW0uOPhCDP6EuXdc