Fix protection of data folder and security files using Windows ACL.

2020-10-12 16:04:21 +03:00 · 2020-10-12 16:04:21 +03:00 · 84fe294c00
parent 5f6bdc6709
commit 84fe294c00
4 changed files with 55 additions and 16 deletions
--- a/16
+++ b/16
@ -104,13 +104,8 @@ all: | $(TOOLS) libnfuzz.so libnfuzz.a
 -include $(BUILD_SYSTEM_DIR)/makefiles/targets.mk

 ifeq ($(OS), Windows_NT)
-  ifeq ($(ARCH), x86)
-    # 32-bit Windows is not supported by libbacktrace/libunwind
-    USE_LIBBACKTRACE := 0
-  endif
-  MKDIR_COMMAND := mkdir -p
-else
-  MKDIR_COMMAND := mkdir -m 0750 -p
+	# libbacktrace/libunwind is disabled on Windows.
+  USE_LIBBACKTRACE := 0
 endif

 DEPOSITS_DELAY := 0
@ -190,7 +185,7 @@ testnet0 testnet1: | beacon_node signing_process
 #- https://www.gnu.org/software/make/manual/html_node/Multi_002dLine.html
 #- macOS doesn't support "=" at the end of "define FOO": https://stackoverflow.com/questions/13260396/gnu-make-3-81-eval-function-not-working
 define CONNECT_TO_NETWORK
-	$(MKDIR_COMMAND) build/data/shared_$(1)_$(NODE_ID)
+  scripts/makedir.sh build/data/shared_$(1)_$(NODE_ID))

 	scripts/make_prometheus_config.sh \
 		--nodes 1 \
@ -208,7 +203,7 @@ define CONNECT_TO_NETWORK
 endef

 define CONNECT_TO_NETWORK_IN_DEV_MODE
-	$(MKDIR_COMMAND) build/data/shared_$(1)_$(NODE_ID)
+  scripts/makedir.sh build/data/shared_$(1)_$(NODE_ID)

 	scripts/make_prometheus_config.sh \
 		--nodes 1 \
@ -224,7 +219,8 @@ endef

 define CONNECT_TO_NETWORK_WITH_VALIDATOR_CLIENT
 	# if launching a VC as well - send the BN looking nowhere for validators/secrets
-	$(MKDIR_COMMAND) build/data/shared_$(1)_$(NODE_ID)/empty_dummy_folder
+	scripts/makedir.sh build/data/shared_$(1)_$(NODE_ID)
+	scripts/makedir.sh build/data/shared_$(1)_$(NODE_ID)/empty_dummy_folder

 	scripts/make_prometheus_config.sh \
 		--nodes 1 \
--- a/beacon_chain/keystore_management.nim
+++ b/beacon_chain/keystore_management.nim
@ -76,6 +76,19 @@ proc checkAndCreateDataDir*(dataDir: string): bool =
        true
  elif defined(windows):
    if fileAccessible(dataDir, amask):
+      let cres = checkCurrentUserOnlyACL(dataDir)
+      if cres.isErr():
+        fatal "Could not check data folder's ACL",
+               data_dir = dataDir, errorCode = $cres.error,
+               errorMsg = ioErrorMsg(cres.error)
+        false
+      else:
+        if cres.get() == false:
+          fatal "Data folder has insecure ACL", data_dir = dataDir
+          false
+        else:
+          true
+    else:
      let res = createPath(dataDir, 0o750)
      if res.isErr():
        fatal "Could not create data folder", data_dir = dataDir,
@ -83,8 +96,6 @@ proc checkAndCreateDataDir*(dataDir: string): bool =
        false
      else:
        true
-    else:
-      true
  else:
    fatal "Unsupported operation system"
    return false
@ -93,9 +104,18 @@ proc checkSensitiveFilePermissions*(filePath: string): bool =
  ## Check if ``filePath`` has only "(600) rw-------" permissions.
  ## Procedure returns ``false`` if permissions are different
  when defined(windows):
-    # Windows do not support per-user/group/other permissions,
-    # skiping verification part.
-    true
+    let cres = checkCurrentUserOnlyACL(filePath)
+    if cres.isErr():
+      fatal "Could not check file's ACL",
+             key_path = filePath, errorCode = $cres.error,
+             errorMsg = ioErrorMsg(cres.error)
+      false
+    else:
+      if cres.get() == false:
+        fatal "File has insecure permissions", key_path = filePath
+        false
+      else:
+        true
  else:
    let allowedMask = {UserRead, UserWrite}
    let mask = {UserExec,
--- a/scripts/makedir.sh
+++ b/scripts/makedir.sh
@ -0,0 +1,23 @@
+#!/bin/bash
+
+# Copyright (c) 2018-2019 Status Research & Development GmbH. Licensed under
+# either of:
+# - Apache License, version 2.0
+# - MIT license
+# at your option. This file may not be copied, modified, or distributed except
+# according to those terms.
+
+if [[ $OS = "Windows_NT" ]]
+then
+  if [ ! -d "$1" ]; then
+    # Create full path.
+    mkdir -p $1;
+    # Remove all inherited aces from path $1 ACL.
+    icacls $1 /inheritance:r &> /dev/null;
+    # Grant full access rights to current user only in $1 ACL.
+    icacls $1 /grant:r $USERDOMAIN\\$USERNAME:\(OI\)\(CI\)F &> /dev/null;
+  fi
+else
+  # Create full path with 0750 permissions.
+  mkdir -m 0750 -p $(1)
+fi
--- a/vendor/nim-stew
+++ b/vendor/nim-stew
@ -1 +1 @@
-Subproject commit 529517d84837d8848dde769eea4d93a1a657a279
+Subproject commit 70b4500af835be8cf71b06c4a84af49c52dd1792