Secure host file permissions

* added in missing recursive flag to the chmod command used to remove extraneous permissions from CURATED_DIRS * added commands to change permissions for manifests and configurations that are copied to the host Change-Id: I174db09061c3162db11dd976a55132f5fad7a80d
2018-10-15 12:50:53 -05:00 · 2018-10-15 12:50:53 -05:00 · 8b45a36419
commit 8b45a36419
parent 9f2e6b89e1
6 changed files with 7 additions and 1 deletions
--- a/charts/apiserver/templates/bin/_anchor.tpl
+++ b/charts/apiserver/templates/bin/_anchor.tpl
@ -21,6 +21,7 @@ compare_copy_files() {
    if [ ! -e /host{{ .dest }} ] || ! cmp -s {{ .source }} /host{{ .dest }}; then
        mkdir -p $(dirname /host{{ .dest }})
        cp {{ .source }} /host{{ .dest }}
+        chmod go-rwx /host{{ .dest }}
    fi
    {{end}}
 }
--- a/charts/controller_manager/templates/bin/_anchor.tpl
+++ b/charts/controller_manager/templates/bin/_anchor.tpl
@ -21,6 +21,7 @@ compare_copy_files() {
    if [ ! -e /host{{ .dest }} ] || ! cmp -s {{ .source }} /host{{ .dest }}; then
        mkdir -p $(dirname /host{{ .dest }})
        cp {{ .source }} /host{{ .dest }}
+        chmod go-rwx /host{{ .dest }}
    fi
    {{end}}
 }
--- a/charts/etcd/templates/bin/_etcdctl_anchor.tpl
+++ b/charts/etcd/templates/bin/_etcdctl_anchor.tpl
@ -44,6 +44,7 @@ function sync_configuration {
    ETCD_INITIAL_CLUSTER_STATE=existing
    create_manifest "$ETCD_INITIAL_CLUSTER" "$ETCD_INITIAL_CLUSTER_STATE" "$TEMP_MANIFEST"
    sync_file "${TEMP_MANIFEST}" "${MANIFEST_PATH}"
+    chmod go-rwx "${MANIFEST_PATH}"
 }
 firstrun=true
 while true; do
--- a/charts/haproxy/templates/bin/_anchor.tpl
+++ b/charts/haproxy/templates/bin/_anchor.tpl
@ -24,6 +24,7 @@ compare_copy_files() {
    if [ ! -e /host{{ .dest }} ] || ! cmp -s {{ .source }} /host{{ .dest }}; then
        mkdir -p $(dirname /host{{ .dest }})
        cp {{ .source }} /host{{ .dest }}
+        chmod go-rwx /host{{ .dest }}
    fi
    {{- end }}
 }
@ -104,6 +105,7 @@ install_config() {
        else
            echo HAProxy config file unchanged.
        fi
+        chmod -R go-rwx $(dirname "$HAPROXY_CONF")
    fi
 }

--- a/charts/scheduler/templates/bin/_anchor.tpl
+++ b/charts/scheduler/templates/bin/_anchor.tpl
@ -22,6 +22,7 @@ compare_copy_files() {
    if [ ! -e /host{{ .dest }} ] || ! cmp -s {{ .source }} /host{{ .dest }}; then
        mkdir -p $(dirname /host{{ .dest }})
        cp {{ .source }} /host{{ .dest }}
+        chmod go-rwx /host{{ .dest }}
    fi
    {{- end }}
 }
--- a/promenade/templates/include/up.sh
+++ b/promenade/templates/include/up.sh
@ -23,7 +23,7 @@ echo "{{ encrypted_tarball | b64enc }}" | base64 -d | {{ decrypt_command }} | ta
 set -x

 for DIR in "${CURATED_DIRS[@]}"; do
-    chmod go-rwx "${DIR}"
+    chmod -R go-rwx "${DIR}"
 done

 # Adding apt repositories