diff --git a/beacon_chain/filepath.nim b/beacon_chain/filepath.nim index 44f3937eb..d0331ca35 100644 --- a/beacon_chain/filepath.nim +++ b/beacon_chain/filepath.nim @@ -14,9 +14,9 @@ proc secureCreatePath*(path: string): IoResult[void] = err(sres.error) else: var sd = sres.get() - createPath(path, 0o750, secDescriptor = sd.getDescriptor()) + createPath(path, 0o700, secDescriptor = sd.getDescriptor()) else: - createPath(path, 0o750) + createPath(path, 0o700) proc secureWriteFile*[T: byte|char](path: string, data: openArray[T]): IoResult[void] = diff --git a/beacon_chain/keystore_management.nim b/beacon_chain/keystore_management.nim index bdf9156de..049caa108 100644 --- a/beacon_chain/keystore_management.nim +++ b/beacon_chain/keystore_management.nim 
@@ -44,104 +44,103 @@ proc echoP(msg: string) = echo wrapWords(msg, 80) proc checkAndCreateDataDir*(dataDir: string): bool = - ## Checks `conf.dataDir`. - ## If folder exists, procedure will check it for access and - ## permissions `0750 (rwxr-x---)`, if folder do not exists it will be created - ## with permissions `0750 (rwxr-x---)`. - let amask = {AccessFlags.Read, AccessFlags.Write, AccessFlags.Execute} when defined(posix): - if fileAccessible(dataDir, amask): - let gmask = {UserRead, UserWrite, UserExec, GroupRead, GroupExec} - let pmask = {OtherRead, OtherWrite, OtherExec, GroupWrite} - let pres = getPermissionsSet(dataDir) - if pres.isErr(): - fatal "Could not check data folder permissions", - data_dir = dataDir, errorCode = $pres.error, - errorMsg = ioErrorMsg(pres.error) - false + let requiredPerms = 0o700 + if isDir(dataDir): + let currPermsRes = getPermissions(dataDir) + if currPermsRes.isErr(): + fatal "Could not check data directory permissions", + data_dir = dataDir, errorCode = $currPermsRes.error, + errorMsg = ioErrorMsg(currPermsRes.error) + return false else: - let insecurePermissions = pres.get() * pmask - if insecurePermissions != {}: - fatal "Data folder has insecure permissions", - data_dir = dataDir, - insecure_permissions = $insecurePermissions, - current_permissions = pres.get().toString(), - required_permissions = gmask.toString() - false - else: - true + let currPerms = currPermsRes.get() + if currPerms != requiredPerms: + warn "Data directory has insecure permissions. 
Correcting them.", + data_dir = dataDir, + current_permissions = currPerms.toOct(4), + required_permissions = requiredPerms.toOct(4) + let newPermsRes = setPermissions(dataDir, requiredPerms) + if newPermsRes.isErr(): + fatal "Could not set data directory permissions", + data_dir = dataDir, + errorCode = $newPermsRes.error, + errorMsg = ioErrorMsg(newPermsRes.error), + old_permissions = currPerms.toOct(4), + new_permissions = requiredPerms.toOct(4) + return false else: let res = secureCreatePath(dataDir) if res.isErr(): - fatal "Could not create data folder", data_dir = dataDir, + fatal "Could not create data directory", data_dir = dataDir, errorMsg = ioErrorMsg(res.error), errorCode = $res.error - false - else: - true + return false elif defined(windows): + let amask = {AccessFlags.Read, AccessFlags.Write, AccessFlags.Execute} if fileAccessible(dataDir, amask): let cres = checkCurrentUserOnlyACL(dataDir) if cres.isErr(): fatal "Could not check data folder's ACL", data_dir = dataDir, errorCode = $cres.error, errorMsg = ioErrorMsg(cres.error) - false + return false else: if cres.get() == false: fatal "Data folder has insecure ACL", data_dir = dataDir - false - else: - true + return false else: let res = secureCreatePath(dataDir) if res.isErr(): fatal "Could not create data folder", data_dir = dataDir, errorMsg = ioErrorMsg(res.error), errorCode = $res.error - false - else: - true + return false else: fatal "Unsupported operation system" return false + return true + proc checkSensitiveFilePermissions*(filePath: string): bool = ## Check if ``filePath`` has only "(600) rw-------" permissions. - ## Procedure returns ``false`` if permissions are different + ## Procedure returns ``false`` if permissions are different and we can't + ## correct them. 
when defined(windows): let cres = checkCurrentUserOnlyACL(filePath) if cres.isErr(): fatal "Could not check file's ACL", key_path = filePath, errorCode = $cres.error, errorMsg = ioErrorMsg(cres.error) - false + return false else: if cres.get() == false: fatal "File has insecure permissions", key_path = filePath - false - else: - true + return false else: - let allowedMask = {UserRead, UserWrite} - let mask = {UserExec, - GroupRead, GroupWrite, GroupExec, - OtherRead, OtherWrite, OtherExec} - let pres = getPermissionsSet(filePath) - if pres.isErr(): + let requiredPerms = 0o600 + let currPermsRes = getPermissions(filePath) + if currPermsRes.isErr(): error "Could not check file permissions", - key_path = filePath, errorCode = $pres.error, - errorMsg = ioErrorMsg(pres.error) - false + key_path = filePath, errorCode = $currPermsRes.error, + errorMsg = ioErrorMsg(currPermsRes.error) + return false else: - let insecurePermissions = pres.get() * mask - if insecurePermissions != {}: - error "File has insecure permissions", + let currPerms = currPermsRes.get() + if currPerms != requiredPerms: + warn "File has insecure permissions. Correcting them.", key_path = filePath, - insecure_permissions = $insecurePermissions, - current_permissions = pres.get().toString(), - required_permissions = allowedMask.toString() - false - else: - true + current_permissions = currPerms.toOct(4), + required_permissions = requiredPerms.toOct(4) + let newPermsRes = setPermissions(filePath, requiredPerms) + if newPermsRes.isErr(): + fatal "Could not set data directory permissions", + key_path = filePath, + errorCode = $newPermsRes.error, + errorMsg = ioErrorMsg(newPermsRes.error), + old_permissions = currPerms.toOct(4), + new_permissions = requiredPerms.toOct(4) + return false + + return true proc keyboardCreatePassword(prompt: string, confirm: string, diff --git a/scripts/launch_local_testnet.sh b/scripts/launch_local_testnet.sh index 7583a6fa7..e08a44413 100755 
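Review bot: In checkSensitiveFilePermissions the failure message on the new setPermissions call was copied from the directory routine and says `fatal "Could not set data directory permissions"` even though the log fields are `key_path`; it should read `fatal "Could not set file permissions"` so an operator reading logs is not sent to the wrong place. A second point applies to both procs: the new test `currPerms != requiredPerms` treats a stricter mode (0o400 on a keystore, 0o500 on the data directory) as "insecure" and chmods it up, whereas the removed mask-based check accepted those; comparing only the bits outside the required set, e.g. `if (currPerms and (not requiredPerms)) != 0:`, keeps the intent of refusing group/other access without loosening a deliberately read-only file. Finally, the old code treated an over-permissive keystore as fatal, while the new code warns and continues; if a secret file was world-readable it may already have been read, so consider at least keeping that warning prominent (or configurable) rather than silently proceeding.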
--- a/scripts/launch_local_testnet.sh +++ b/scripts/launch_local_testnet.sh @@ -161,7 +161,7 @@ if [[ "$REUSE_EXISTING_DATA_DIR" == "0" ]]; then rm -rf "${DATA_DIR}" fi -mkdir -m 0750 -p "${DATA_DIR}" +mkdir -m 0700 -p "${DATA_DIR}" DEPOSITS_FILE="${DATA_DIR}/deposits.json" @@ -341,7 +341,7 @@ for NUM_NODE in $(seq 0 $(( NUM_NODES - 1 ))); do # The first $NODES_WITH_VALIDATORS nodes split them equally between them, after skipping the first $USER_VALIDATORS. NODE_DATA_DIR="${DATA_DIR}/node${NUM_NODE}" rm -rf "${NODE_DATA_DIR}" - mkdir -m 0750 -p "${NODE_DATA_DIR}" + mkdir -m 0700 -p "${NODE_DATA_DIR}" mkdir -p "${NODE_DATA_DIR}/validators" mkdir -p "${NODE_DATA_DIR}/secrets" diff --git a/scripts/makedir.sh b/scripts/makedir.sh index 5420fe3bd..46e8b25dc 100755 --- a/scripts/makedir.sh +++ b/scripts/makedir.sh @@ -24,7 +24,7 @@ if [[ "${ON_WINDOWS}" == "1" ]]; then icacls "$1" /inheritance:r /grant:r $USERDOMAIN\\$USERNAME:\(OI\)\(CI\)\(F\)&>/dev/null; fi else - # Create full path with 0750 permissions. - mkdir -m 0750 -p "$1" + # Create full path with proper permissions. + mkdir -m 0700 -p $1 fi
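Review bot: The rewritten line in makedir.sh, `mkdir -m 0700 -p $1`, drops the double quotes the removed line had, so a path containing spaces or glob characters is word-split before mkdir sees it; restore `mkdir -m 0700 -p "$1"` as in the Windows branch above, which still quotes `"$1"`. The comment above it also became vaguer; `# Create full path with 0700 (owner-only) permissions.` says what the flag does.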