status-im/nimbus-eth2
2
0
Fork 0
mirror of https://github.com/status-im/nimbus-eth2.git synced 2025-02-16 16:38:07 +00:00
Code Issues Projects Releases Wiki Activity

Fix protection of data folder and security files using Windows ACL.

Browse Source
This commit is contained in:
cheatfate 2020-10-12 16:04:21 +03:00 committed by zah
parent 5f6bdc6709
commit 84fe294c00
4 changed files with 55 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
Makefile
View File

@ -104,13 +104,8 @@ all: | $(TOOLS) libnfuzz.so libnfuzz.a
-include $(BUILD_SYSTEM_DIR)/makefiles/targets.mk -include $(BUILD_SYSTEM_DIR)/makefiles/targets.mk
ifeq ($(OS), Windows_NT) ifeq ($(OS), Windows_NT)
ifeq ($(ARCH), x86) # libbacktrace/libunwind is disabled on Windows.
# 32-bit Windows is not supported by libbacktrace/libunwind USE_LIBBACKTRACE := 0
USE_LIBBACKTRACE := 0
endif
MKDIR_COMMAND := mkdir -p
else
MKDIR_COMMAND := mkdir -m 0750 -p
endif endif
DEPOSITS_DELAY := 0 DEPOSITS_DELAY := 0
@ -190,7 +185,7 @@ testnet0 testnet1: | beacon_node signing_process
#- https://www.gnu.org/software/make/manual/html_node/Multi_002dLine.html #- https://www.gnu.org/software/make/manual/html_node/Multi_002dLine.html
#- macOS doesn't support "=" at the end of "define FOO": https://stackoverflow.com/questions/13260396/gnu-make-3-81-eval-function-not-working #- macOS doesn't support "=" at the end of "define FOO": https://stackoverflow.com/questions/13260396/gnu-make-3-81-eval-function-not-working
define CONNECT_TO_NETWORK define CONNECT_TO_NETWORK
$(MKDIR_COMMAND) build/data/shared_$(1)_$(NODE_ID) scripts/makedir.sh build/data/shared_$(1)_$(NODE_ID))
scripts/make_prometheus_config.sh \ scripts/make_prometheus_config.sh \
--nodes 1 \ --nodes 1 \
@ -208,7 +203,7 @@ define CONNECT_TO_NETWORK
endef endef
define CONNECT_TO_NETWORK_IN_DEV_MODE define CONNECT_TO_NETWORK_IN_DEV_MODE
$(MKDIR_COMMAND) build/data/shared_$(1)_$(NODE_ID) scripts/makedir.sh build/data/shared_$(1)_$(NODE_ID)
scripts/make_prometheus_config.sh \ scripts/make_prometheus_config.sh \
--nodes 1 \ --nodes 1 \
@ -224,7 +219,8 @@ endef
define CONNECT_TO_NETWORK_WITH_VALIDATOR_CLIENT define CONNECT_TO_NETWORK_WITH_VALIDATOR_CLIENT
# if launching a VC as well - send the BN looking nowhere for validators/secrets # if launching a VC as well - send the BN looking nowhere for validators/secrets
$(MKDIR_COMMAND) build/data/shared_$(1)_$(NODE_ID)/empty_dummy_folder scripts/makedir.sh build/data/shared_$(1)_$(NODE_ID)
scripts/makedir.sh build/data/shared_$(1)_$(NODE_ID)/empty_dummy_folder
scripts/make_prometheus_config.sh \ scripts/make_prometheus_config.sh \
--nodes 1 \ --nodes 1 \

30
beacon_chain/keystore_management.nim
View File

@ -76,6 +76,19 @@ proc checkAndCreateDataDir*(dataDir: string): bool =
true true
elif defined(windows): elif defined(windows):
if fileAccessible(dataDir, amask): if fileAccessible(dataDir, amask):
let cres = checkCurrentUserOnlyACL(dataDir)
if cres.isErr():
fatal "Could not check data folder's ACL",
data_dir = dataDir, errorCode = $cres.error,
errorMsg = ioErrorMsg(cres.error)
false
else:
if cres.get() == false:
fatal "Data folder has insecure ACL", data_dir = dataDir
false
else:
true
else:
let res = createPath(dataDir, 0o750) let res = createPath(dataDir, 0o750)
if res.isErr(): if res.isErr():
fatal "Could not create data folder", data_dir = dataDir, fatal "Could not create data folder", data_dir = dataDir,
@ -83,8 +96,6 @@ proc checkAndCreateDataDir*(dataDir: string): bool =
false false
else: else:
true true
else:
true
else: else:
fatal "Unsupported operation system" fatal "Unsupported operation system"
return false return false
@ -93,9 +104,18 @@ proc checkSensitiveFilePermissions*(filePath: string): bool =
## Check if ``filePath`` has only "(600) rw-------" permissions. ## Check if ``filePath`` has only "(600) rw-------" permissions.
## Procedure returns ``false`` if permissions are different ## Procedure returns ``false`` if permissions are different
when defined(windows): when defined(windows):
# Windows do not support per-user/group/other permissions, let cres = checkCurrentUserOnlyACL(filePath)
# skiping verification part. if cres.isErr():
true fatal "Could not check file's ACL",
key_path = filePath, errorCode = $cres.error,
errorMsg = ioErrorMsg(cres.error)
false
else:
if cres.get() == false:
fatal "File has insecure permissions", key_path = filePath
false
else:
true
else: else:
let allowedMask = {UserRead, UserWrite} let allowedMask = {UserRead, UserWrite}
let mask = {UserExec, let mask = {UserExec,

23
scripts/makedir.sh Normal file
View File

@ -0,0 +1,23 @@
#!/bin/bash
# Copyright (c) 2018-2019 Status Research & Development GmbH. Licensed under
# either of:
# - Apache License, version 2.0
# - MIT license
# at your option. This file may not be copied, modified, or distributed except
# according to those terms.
if [[ $OS = "Windows_NT" ]]
then
if [ ! -d "$1" ]; then
# Create full path.
mkdir -p $1;
# Remove all inherited aces from path $1 ACL.
icacls $1 /inheritance:r &> /dev/null;
# Grant full access rights to current user only in $1 ACL.
icacls $1 /grant:r $USERDOMAIN\\$USERNAME:\(OI\)\(CI\)F &> /dev/null;
fi
else
# Create full path with 0750 permissions.
mkdir -m 0750 -p $(1)
fi

2
vendor/nim-stew vendored

@ -1 +1 @@
Subproject commit 529517d84837d8848dde769eea4d93a1a657a279 Subproject commit 70b4500af835be8cf71b06c4a84af49c52dd1792