Fixes insecure update of /etc/fstab file

Reasons: - While updating /etc/fstab in write_to_fstab in trove/guestagent/volume.py, the temporary file-name was easy to guess and had a permanent name making it prone to unwanted access. - The temporary file-permission was set to 666, making it insecure. Changes: - Uses NamedTemporaryFile for temporary file creation. - Used file reading instead of copying the file. - These changes eliminate the chances of guessing the file-name, as well as updating the same. Change-Id: I07c3980e40fe218d35605a851a17535cd3972c11 Closes-Bug: #1267991
2014-01-25 12:17:41 +00:00
parent 7aedda8d8d
commit e966dd4881
2 changed files with 12 additions and 10 deletions
--- a/trove/guestagent/volume.py
+++ b/trove/guestagent/volume.py
@@ -13,14 +13,16 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.

-from trove.openstack.common import log as logging
 import os
 import pexpect
+from tempfile import NamedTemporaryFile

 from trove.common import cfg
 from trove.common import utils
 from trove.common.exception import GuestError
 from trove.common.exception import ProcessExecutionError
+from trove.openstack.common import log as logging
+from trove.openstack.common.gettextutils import _

 TMP_MOUNT_POINT = "/mnt/volume"

@@ -141,11 +143,11 @@ class VolumeMountPoint(object):
        fstab_line = ("%s\t%s\t%s\t%s\t0\t0" %
                      (self.device_path, self.mount_point, self.volume_fstype,
                       self.mount_options))
-        LOG.debug("Writing new line to fstab:%s" % fstab_line)
-        utils.execute("sudo", "cp", "/etc/fstab", "/etc/fstab.orig")
-        utils.execute("sudo", "cp", "/etc/fstab", "/tmp/newfstab")
-        utils.execute("sudo", "chmod", "666", "/tmp/newfstab")
-        with open("/tmp/newfstab", 'a') as new_fstab:
-            new_fstab.write("\n" + fstab_line)
-        utils.execute("sudo", "chmod", "640", "/tmp/newfstab")
-        utils.execute("sudo", "mv", "/tmp/newfstab", "/etc/fstab")
+        LOG.debug(_("Writing new line to fstab:%s") % fstab_line)
+        with open('/etc/fstab', "r") as fstab:
+            fstab_content = fstab.read()
+        with NamedTemporaryFile(delete=False) as tempfstab:
+            tempfstab.write(fstab_content + fstab_line)
+        utils.execute("sudo", "install", "-o", "root", "-g", "root", "-m",
+                      "644", tempfstab.name, "/etc/fstab")
+        utils.execute("sudo", "rm", tempfstab.name)
--- a/trove/tests/unittests/guestagent/test_volume.py
+++ b/trove/tests/unittests/guestagent/test_volume.py
@@ -179,5 +179,5 @@ class VolumeMountPointTest(testtools.TestCase):
            pass
        self.volumeMountPoint.write_to_fstab()

-        self.assertEqual(5, utils.execute.call_count)
+        self.assertEqual(2, utils.execute.call_count)
        utils.execute = origin_execute