
Secure host file permissions

* added in missing recursive flag to the chmod command used to remove
extraneous permissions from CURATED_DIRS
* added commands to change permissions for manifests and configurations
that are copied to the host

Change-Id: I174db09061c3162db11dd976a55132f5fad7a80d
Michael Beaver 6 months ago
parent
commit
8b45a36419

+ 1
- 0
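--- a/charts/apiserver/templates/bin/_anchor.tpl
+++ b/charts/apiserver/templates/bin/_anchor.tpl
@@ -21,6 +21,7 @@ compare_copy_files() {
     if [ ! -e /host{{ .dest }} ] || ! cmp -s {{ .source }} /host{{ .dest }}; then
         mkdir -p $(dirname /host{{ .dest }})
         cp {{ .source }} /host{{ .dest }}
+        chmod go-rwx /host{{ .dest }}
     fi
     {{end}}
 }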
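Review bot: The added `chmod go-rwx /host{{ .dest }}` sits inside the copy branch of compare_copy_files, so a host file that already exists and matches the source is skipped by `cmp -s` and keeps whatever mode it had before this change. Moving the chmod below the `fi` would tighten the mode on every pass, not only when the content changes. A newly created file also carries the mode allowed by the current umask between `cp` and `chmod`; a `umask 077` ahead of the `cp` would close that interval. The same pattern is repeated in the controller_manager, haproxy and scheduler `_anchor.tpl` hunks, and the start of compare_copy_files lies outside the hunk.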

+ 1
- 0
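--- a/charts/controller_manager/templates/bin/_anchor.tpl
+++ b/charts/controller_manager/templates/bin/_anchor.tpl
@@ -21,6 +21,7 @@ compare_copy_files() {
     if [ ! -e /host{{ .dest }} ] || ! cmp -s {{ .source }} /host{{ .dest }}; then
         mkdir -p $(dirname /host{{ .dest }})
         cp {{ .source }} /host{{ .dest }}
+        chmod go-rwx /host{{ .dest }}
     fi
     {{end}}
 }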

+ 1
- 0
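--- a/charts/etcd/templates/bin/_etcdctl_anchor.tpl
+++ b/charts/etcd/templates/bin/_etcdctl_anchor.tpl
@@ -44,6 +44,7 @@ function sync_configuration {
     ETCD_INITIAL_CLUSTER_STATE=existing
     create_manifest "$ETCD_INITIAL_CLUSTER" "$ETCD_INITIAL_CLUSTER_STATE" "$TEMP_MANIFEST"
     sync_file "${TEMP_MANIFEST}" "${MANIFEST_PATH}"
+    chmod go-rwx "${MANIFEST_PATH}"
 }
 firstrun=true
 while true; do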
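Review bot: `chmod go-rwx "${MANIFEST_PATH}"` runs only after `sync_file` has already put the manifest in place, so the file is briefly present at its previous or default mode. A chmod failure here also goes unnoticed unless the script runs with `set -e`, which is not visible in this hunk. If sync_file preserves the source mode (it is defined outside the hunk, so this needs confirming), restricting the temporary file first with `chmod go-rwx "${TEMP_MANIFEST}"` before the sync would avoid the gap. A short comment above the line, such as `# manifest lands on the host filesystem; keep it owner-only`, would record why the mode is set. sync_configuration starts outside the hunk.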

+ 2
- 0
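--- a/charts/haproxy/templates/bin/_anchor.tpl
+++ b/charts/haproxy/templates/bin/_anchor.tpl
@@ -24,6 +24,7 @@ compare_copy_files() {
     if [ ! -e /host{{ .dest }} ] || ! cmp -s {{ .source }} /host{{ .dest }}; then
         mkdir -p $(dirname /host{{ .dest }})
         cp {{ .source }} /host{{ .dest }}
+        chmod go-rwx /host{{ .dest }}
     fi
     {{- end }}
 }
@@ -104,6 +105,7 @@ install_config() {
         else
             echo HAProxy config file unchanged.
         fi
+        chmod -R go-rwx $(dirname "$HAPROXY_CONF")
     fi
 }
 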
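Review bot: In the install_config hunk, `chmod -R go-rwx $(dirname "$HAPROXY_CONF")` leaves the command substitution unquoted and does not guard against an empty variable. `dirname ""` prints `.`, so an unset or empty HAPROXY_CONF would recursively strip group/other permissions from the current working directory. Quoting and failing fast covers both cases: `chmod -R go-rwx -- "$(dirname "${HAPROXY_CONF:?}")"`. The recursion also reaches every other file in the config's parent directory, so it is worth confirming that directory is dedicated to HAProxy. install_config starts outside the hunk.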

+ 1
- 0
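--- a/charts/scheduler/templates/bin/_anchor.tpl
+++ b/charts/scheduler/templates/bin/_anchor.tpl
@@ -22,6 +22,7 @@ compare_copy_files() {
     if [ ! -e /host{{ .dest }} ] || ! cmp -s {{ .source }} /host{{ .dest }}; then
         mkdir -p $(dirname /host{{ .dest }})
         cp {{ .source }} /host{{ .dest }}
+        chmod go-rwx /host{{ .dest }}
     fi
     {{- end }}
 }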

+ 1
- 1
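--- a/promenade/templates/include/up.sh
+++ b/promenade/templates/include/up.sh
@@ -23,7 +23,7 @@ echo "{{ encrypted_tarball | b64enc }}" | base64 -d | {{ decrypt_command }} | ta
 set -x
 
 for DIR in "${CURATED_DIRS[@]}"; do
-    chmod go-rwx "${DIR}"
+    chmod -R go-rwx "${DIR}"
 done
 
 # Adding apt repositories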
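Review bot: Nothing in the loop checks whether `chmod -R go-rwx "${DIR}"` succeeded, and whether `set -e` is active is not visible in this hunk. A missing entry in CURATED_DIRS could therefore leave a directory unsecured while the script carries on; `chmod -R go-rwx -- "${DIR}" || exit 1` would stop instead. With `-R` the group/other search bit is also removed from every subdirectory, so any non-root process that has to traverse these trees loses access. CURATED_DIRS is defined outside the hunk and should be checked against that. A comment such as `# recursive: nothing unpacked under a curated dir may stay group/other accessible` would record the intent.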
