enforce 600 (owner only) permission on config file (#657)

2016-06-17 17:22:49 -07:00
parent ee49775973
commit 7bea86d507
3 changed files with 19 additions and 1 deletions
--- a/cli/tests/unit/test_task.py
+++ b/cli/tests/unit/test_task.py
@@ -25,7 +25,6 @@ def test_log_master_unavailable(config_mock):
 def test_log_no_tasks():
    """ Test slave's state.json being unavailable """
    with patch('dcos.mesos.DCOSClient.get_master_state', return_value={}), \
-            patch('dcos.mesos.DCOSClient.get_master_state', return_value={}), \
            patch('dcos.mesos.Master.tasks', return_value={}):

        stderr = b"""No matching tasks. Exiting.\n"""
--- a/dcos/config.py
+++ b/dcos/config.py
@@ -2,6 +2,7 @@ import collections
 import copy
 import json
 import os
+import stat

 import pkg_resources
 import toml
@@ -152,6 +153,21 @@ def set_val(name, value):
    return toml_config, msg


+def _enforce_config_permissions(path):
+    """Enfore 600 permissions on config file
+
+    :param path: Path to the TOML file
+    :type path: str
+    :rtype: None
+    """
+    permissions = oct(stat.S_IMODE(os.lstat(path).st_mode))
+    if permissions not in ['0o600', '0600']:
+        msg = ("Permissions '{}' for configuration file '{}' are too open. "
+               "File must only be accessible by owner. "
+               "Aborting...".format(permissions, path))
+        raise DCOSException(msg)
+
+
 def load_from_path(path, mutable=False):
    """Loads a TOML file from the path

@@ -164,6 +180,7 @@ def load_from_path(path, mutable=False):
    """

    util.ensure_file_exists(path)
+    _enforce_config_permissions(path)
    with util.open_file(path, 'r') as config_file:
        try:
            toml_obj = toml.loads(config_file.read())
@@ -181,6 +198,7 @@ def save(toml_config):

    serial = toml.dumps(toml_config._dictionary)
    path = get_config_path()
+    _enforce_config_permissions(path)
    with util.open_file(path, 'w') as config_file:
        config_file.write(serial)

--- a/dcos/util.py
+++ b/dcos/util.py
@@ -146,6 +146,7 @@ def ensure_file_exists(path):
    if not os.path.exists(path):
        try:
            open(path, 'w').close()
+            os.chmod(path, 0o600)
        except IOError as e:
            raise DCOSException(
                'Cannot create file [{}]: {}'.format(path, e))