status-im/nimbus-eth2
2
0
Fork 0
mirror of https://github.com/status-im/nimbus-eth2.git synced 2025-02-19 17:58:23 +00:00
Code Issues Projects Releases Wiki Activity

set file and dir permissions

Browse Source
This commit is contained in:
Ștefan Talpalaru 2020-10-30 01:36:47 +01:00 committed by zah
parent 4479c0a9f1
commit 9c5cef346b
4 changed files with 63 additions and 64 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
beacon_chain/filepath.nim
View File

@ -14,9 +14,9 @@ proc secureCreatePath*(path: string): IoResult[void] =
err(sres.error) err(sres.error)
else: else:
var sd = sres.get() var sd = sres.get()
createPath(path, 0o750, secDescriptor = sd.getDescriptor()) createPath(path, 0o700, secDescriptor = sd.getDescriptor())
else: else:
createPath(path, 0o750) createPath(path, 0o700)
proc secureWriteFile*[T: byte|char](path: string, proc secureWriteFile*[T: byte|char](path: string,
data: openArray[T]): IoResult[void] = data: openArray[T]): IoResult[void] =

115
beacon_chain/keystore_management.nim
View File

@ -44,104 +44,103 @@ proc echoP(msg: string) =
echo wrapWords(msg, 80) echo wrapWords(msg, 80)
proc checkAndCreateDataDir*(dataDir: string): bool = proc checkAndCreateDataDir*(dataDir: string): bool =
## Checks `conf.dataDir`.
## If folder exists, procedure will check it for access and
## permissions `0750 (rwxr-x---)`, if folder do not exists it will be created
## with permissions `0750 (rwxr-x---)`.
let amask = {AccessFlags.Read, AccessFlags.Write, AccessFlags.Execute}
when defined(posix): when defined(posix):
if fileAccessible(dataDir, amask): let requiredPerms = 0o700
let gmask = {UserRead, UserWrite, UserExec, GroupRead, GroupExec} if isDir(dataDir):
let pmask = {OtherRead, OtherWrite, OtherExec, GroupWrite} let currPermsRes = getPermissions(dataDir)
let pres = getPermissionsSet(dataDir) if currPermsRes.isErr():
if pres.isErr(): fatal "Could not check data directory permissions",
fatal "Could not check data folder permissions", data_dir = dataDir, errorCode = $currPermsRes.error,
data_dir = dataDir, errorCode = $pres.error, errorMsg = ioErrorMsg(currPermsRes.error)
errorMsg = ioErrorMsg(pres.error) return false
false
else: else:
let insecurePermissions = pres.get() * pmask let currPerms = currPermsRes.get()
if insecurePermissions != {}: if currPerms != requiredPerms:
fatal "Data folder has insecure permissions", warn "Data directory has insecure permissions. Correcting them.",
data_dir = dataDir, data_dir = dataDir,
insecure_permissions = $insecurePermissions, current_permissions = currPerms.toOct(4),
current_permissions = pres.get().toString(), required_permissions = requiredPerms.toOct(4)
required_permissions = gmask.toString() let newPermsRes = setPermissions(dataDir, requiredPerms)
false if newPermsRes.isErr():
else: fatal "Could not set data directory permissions",
true data_dir = dataDir,
errorCode = $newPermsRes.error,
errorMsg = ioErrorMsg(newPermsRes.error),
old_permissions = currPerms.toOct(4),
new_permissions = requiredPerms.toOct(4)
return false
else: else:
let res = secureCreatePath(dataDir) let res = secureCreatePath(dataDir)
if res.isErr(): if res.isErr():
fatal "Could not create data folder", data_dir = dataDir, fatal "Could not create data directory", data_dir = dataDir,
errorMsg = ioErrorMsg(res.error), errorCode = $res.error errorMsg = ioErrorMsg(res.error), errorCode = $res.error
false return false
else:
true
elif defined(windows): elif defined(windows):
let amask = {AccessFlags.Read, AccessFlags.Write, AccessFlags.Execute}
if fileAccessible(dataDir, amask): if fileAccessible(dataDir, amask):
let cres = checkCurrentUserOnlyACL(dataDir) let cres = checkCurrentUserOnlyACL(dataDir)
if cres.isErr(): if cres.isErr():
fatal "Could not check data folder's ACL", fatal "Could not check data folder's ACL",
data_dir = dataDir, errorCode = $cres.error, data_dir = dataDir, errorCode = $cres.error,
errorMsg = ioErrorMsg(cres.error) errorMsg = ioErrorMsg(cres.error)
false return false
else: else:
if cres.get() == false: if cres.get() == false:
fatal "Data folder has insecure ACL", data_dir = dataDir fatal "Data folder has insecure ACL", data_dir = dataDir
false return false
else:
true
else: else:
let res = secureCreatePath(dataDir) let res = secureCreatePath(dataDir)
if res.isErr(): if res.isErr():
fatal "Could not create data folder", data_dir = dataDir, fatal "Could not create data folder", data_dir = dataDir,
errorMsg = ioErrorMsg(res.error), errorCode = $res.error errorMsg = ioErrorMsg(res.error), errorCode = $res.error
false return false
else:
true
else: else:
fatal "Unsupported operation system" fatal "Unsupported operation system"
return false return false
return true
proc checkSensitiveFilePermissions*(filePath: string): bool = proc checkSensitiveFilePermissions*(filePath: string): bool =
## Check if ``filePath`` has only "(600) rw-------" permissions. ## Check if ``filePath`` has only "(600) rw-------" permissions.
## Procedure returns ``false`` if permissions are different ## Procedure returns ``false`` if permissions are different and we can't
## correct them.
when defined(windows): when defined(windows):
let cres = checkCurrentUserOnlyACL(filePath) let cres = checkCurrentUserOnlyACL(filePath)
if cres.isErr(): if cres.isErr():
fatal "Could not check file's ACL", fatal "Could not check file's ACL",
key_path = filePath, errorCode = $cres.error, key_path = filePath, errorCode = $cres.error,
errorMsg = ioErrorMsg(cres.error) errorMsg = ioErrorMsg(cres.error)
false return false
else: else:
if cres.get() == false: if cres.get() == false:
fatal "File has insecure permissions", key_path = filePath fatal "File has insecure permissions", key_path = filePath
false return false
else:
true
else: else:
let allowedMask = {UserRead, UserWrite} let requiredPerms = 0o600
let mask = {UserExec, let currPermsRes = getPermissions(filePath)
GroupRead, GroupWrite, GroupExec, if currPermsRes.isErr():
OtherRead, OtherWrite, OtherExec}
let pres = getPermissionsSet(filePath)
if pres.isErr():
error "Could not check file permissions", error "Could not check file permissions",
key_path = filePath, errorCode = $pres.error, key_path = filePath, errorCode = $currPermsRes.error,
errorMsg = ioErrorMsg(pres.error) errorMsg = ioErrorMsg(currPermsRes.error)
false return false
else: else:
let insecurePermissions = pres.get() * mask let currPerms = currPermsRes.get()
if insecurePermissions != {}: if currPerms != requiredPerms:
error "File has insecure permissions", warn "File has insecure permissions. Correcting them.",
key_path = filePath, key_path = filePath,
insecure_permissions = $insecurePermissions, current_permissions = currPerms.toOct(4),
current_permissions = pres.get().toString(), required_permissions = requiredPerms.toOct(4)
required_permissions = allowedMask.toString() let newPermsRes = setPermissions(filePath, requiredPerms)
false if newPermsRes.isErr():
else: fatal "Could not set data directory permissions",
true key_path = filePath,
errorCode = $newPermsRes.error,
errorMsg = ioErrorMsg(newPermsRes.error),
old_permissions = currPerms.toOct(4),
new_permissions = requiredPerms.toOct(4)
return false
return true
proc keyboardCreatePassword(prompt: string, proc keyboardCreatePassword(prompt: string,
confirm: string, confirm: string,

4
scripts/launch_local_testnet.sh
View File

@ -161,7 +161,7 @@ if [[ "$REUSE_EXISTING_DATA_DIR" == "0" ]]; then
rm -rf "${DATA_DIR}" rm -rf "${DATA_DIR}"
fi fi
mkdir -m 0750 -p "${DATA_DIR}" mkdir -m 0700 -p "${DATA_DIR}"
DEPOSITS_FILE="${DATA_DIR}/deposits.json" DEPOSITS_FILE="${DATA_DIR}/deposits.json"
@ -341,7 +341,7 @@ for NUM_NODE in $(seq 0 $(( NUM_NODES - 1 ))); do
# The first $NODES_WITH_VALIDATORS nodes split them equally between them, after skipping the first $USER_VALIDATORS. # The first $NODES_WITH_VALIDATORS nodes split them equally between them, after skipping the first $USER_VALIDATORS.
NODE_DATA_DIR="${DATA_DIR}/node${NUM_NODE}" NODE_DATA_DIR="${DATA_DIR}/node${NUM_NODE}"
rm -rf "${NODE_DATA_DIR}" rm -rf "${NODE_DATA_DIR}"
mkdir -m 0750 -p "${NODE_DATA_DIR}" mkdir -m 0700 -p "${NODE_DATA_DIR}"
mkdir -p "${NODE_DATA_DIR}/validators" mkdir -p "${NODE_DATA_DIR}/validators"
mkdir -p "${NODE_DATA_DIR}/secrets" mkdir -p "${NODE_DATA_DIR}/secrets"

4
scripts/makedir.sh
View File

@ -24,7 +24,7 @@ if [[ "${ON_WINDOWS}" == "1" ]]; then
icacls "$1" /inheritance:r /grant:r $USERDOMAIN\\$USERNAME:\(OI\)\(CI\)\(F\)&>/dev/null; icacls "$1" /inheritance:r /grant:r $USERDOMAIN\\$USERNAME:\(OI\)\(CI\)\(F\)&>/dev/null;
fi fi
else else
# Create full path with 0750 permissions. # Create full path with proper permissions.
mkdir -m 0750 -p "$1" mkdir -m 0700 -p $1
fi fi