Securely create temp directories / files

The temp directory packstack was using was being created in
an insecure manner with world readable permissions. This commit ensures
temp directories are created securely on both the local and remote
hosts

o Create var directory with tempfile.mkdtemp
o remove other places where var directory was created
o change permissions of all files that do (or may) contain
  sensitive data to 600
o No longer append data to manifest file, it is now created and
  written out in one go
o Attempts to remove data on remote hosts after the packstack run

CVE-2013-0261
https://bugzilla.redhat.com/show_bug.cgi?id=908101

Change-Id: Ie7105207d3da128d630628c1df037ffafc94beb8
This commit is contained in:
Derek Higgins
2013-02-01 06:57:55 -05:00
parent 8f411ae818
commit 624d49a0e8
6 changed files with 70 additions and 15 deletions


@@ -38,10 +38,12 @@ class NovaConfig(object):
class ManifestFiles(object):
def __init__(self):
self.filelist = []
self.data = {}
# continuous manifest file that have the same marker can be
# installed in parallel, if on different servers
def addFile(self, filename, marker):
def addFile(self, filename, marker, data=''):
self.data[filename] = self.data.get(filename, '') + '\n' + data
for f, p in self.filelist:
if f == filename:
return
@@ -49,6 +51,17 @@ class ManifestFiles(object):
def getFiles(self):
return [f for f in self.filelist]
def writeManifests(self):
"""
Write out the manifest data to disk, this should only be called once
write before the puppet manifests are copied to the various servers
"""
os.mkdir(basedefs.PUPPET_MANIFEST_DIR, 0700)
for file, data in self.data.items():
fd = os.open(file, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0600)
with os.fdopen(fd, 'w') as fp:
fp.write(data)
manifestfiles = ManifestFiles()
@@ -58,13 +71,8 @@ def getManifestTemplate(template_name):
def appendManifestFile(manifest_name, data, marker=''):
if not os.path.exists(basedefs.PUPPET_MANIFEST_DIR):
os.mkdir(basedefs.PUPPET_MANIFEST_DIR)
manifestfile = os.path.join(basedefs.PUPPET_MANIFEST_DIR, manifest_name)
manifestfiles.addFile(manifestfile, marker)
with open(manifestfile, 'a') as fp:
fp.write("\n")
fp.write(data)
manifestfiles.addFile(manifestfile, marker, data)
def gethostlist(CONF):
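Review bot: The new `writeManifests` (hunk `@@ -49,6 +51,17 @@`) deliberately fails closed — `os.mkdir(..., 0700)` raises EEXIST if the directory already exists and `O_CREAT | O_EXCL` refuses to follow a pre-planted file or symlink — but its docstring is garbled ("called once write before") and says nothing about that contract, so the next maintainer may "fix" a re-run failure by reintroducing the old `os.path.exists` check that hunk 3 removes. I would replace the docstring with `"""Write all collected manifest data to disk. Must be called exactly once, before the manifests are copied to the remote servers; it raises OSError if PUPPET_MANIFEST_DIR or any manifest file already exists, which is intentional (fail closed rather than write into an attacker-created path)."""`. The protection still presumes the parent of PUPPET_MANIFEST_DIR is itself private; the description says the var directory now comes from `tempfile.mkdtemp`, but that is outside this hunk, so a one-line comment above the `os.mkdir` noting the dependency would help. Minor: the loop variable `file` shadows the Python 2 builtin, `for path, data in self.data.items():` reads better.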