set file and dir permissions
parent
4479c0a9f1
commit
9c5cef346b
|
@ -14,9 +14,9 @@ proc secureCreatePath*(path: string): IoResult[void] =
|
|||
err(sres.error)
|
||||
else:
|
||||
var sd = sres.get()
|
||||
createPath(path, 0o750, secDescriptor = sd.getDescriptor())
|
||||
createPath(path, 0o700, secDescriptor = sd.getDescriptor())
|
||||
else:
|
||||
createPath(path, 0o750)
|
||||
createPath(path, 0o700)
|
||||
|
||||
proc secureWriteFile*[T: byte|char](path: string,
|
||||
data: openArray[T]): IoResult[void] =
|
||||
|
|
|
@ -44,104 +44,103 @@ proc echoP(msg: string) =
|
|||
echo wrapWords(msg, 80)
|
||||
|
||||
proc checkAndCreateDataDir*(dataDir: string): bool =
|
||||
## Checks `conf.dataDir`.
|
||||
## If folder exists, procedure will check it for access and
|
||||
## permissions `0750 (rwxr-x---)`, if folder do not exists it will be created
|
||||
## with permissions `0750 (rwxr-x---)`.
|
||||
let amask = {AccessFlags.Read, AccessFlags.Write, AccessFlags.Execute}
|
||||
when defined(posix):
|
||||
if fileAccessible(dataDir, amask):
|
||||
let gmask = {UserRead, UserWrite, UserExec, GroupRead, GroupExec}
|
||||
let pmask = {OtherRead, OtherWrite, OtherExec, GroupWrite}
|
||||
let pres = getPermissionsSet(dataDir)
|
||||
if pres.isErr():
|
||||
fatal "Could not check data folder permissions",
|
||||
data_dir = dataDir, errorCode = $pres.error,
|
||||
errorMsg = ioErrorMsg(pres.error)
|
||||
false
|
||||
let requiredPerms = 0o700
|
||||
if isDir(dataDir):
|
||||
let currPermsRes = getPermissions(dataDir)
|
||||
if currPermsRes.isErr():
|
||||
fatal "Could not check data directory permissions",
|
||||
data_dir = dataDir, errorCode = $currPermsRes.error,
|
||||
errorMsg = ioErrorMsg(currPermsRes.error)
|
||||
return false
|
||||
else:
|
||||
let insecurePermissions = pres.get() * pmask
|
||||
if insecurePermissions != {}:
|
||||
fatal "Data folder has insecure permissions",
|
||||
let currPerms = currPermsRes.get()
|
||||
if currPerms != requiredPerms:
|
||||
warn "Data directory has insecure permissions. Correcting them.",
|
||||
data_dir = dataDir,
|
||||
insecure_permissions = $insecurePermissions,
|
||||
current_permissions = pres.get().toString(),
|
||||
required_permissions = gmask.toString()
|
||||
false
|
||||
else:
|
||||
true
|
||||
current_permissions = currPerms.toOct(4),
|
||||
required_permissions = requiredPerms.toOct(4)
|
||||
let newPermsRes = setPermissions(dataDir, requiredPerms)
|
||||
if newPermsRes.isErr():
|
||||
fatal "Could not set data directory permissions",
|
||||
data_dir = dataDir,
|
||||
errorCode = $newPermsRes.error,
|
||||
errorMsg = ioErrorMsg(newPermsRes.error),
|
||||
old_permissions = currPerms.toOct(4),
|
||||
new_permissions = requiredPerms.toOct(4)
|
||||
return false
|
||||
else:
|
||||
let res = secureCreatePath(dataDir)
|
||||
if res.isErr():
|
||||
fatal "Could not create data folder", data_dir = dataDir,
|
||||
fatal "Could not create data directory", data_dir = dataDir,
|
||||
errorMsg = ioErrorMsg(res.error), errorCode = $res.error
|
||||
false
|
||||
else:
|
||||
true
|
||||
return false
|
||||
elif defined(windows):
|
||||
let amask = {AccessFlags.Read, AccessFlags.Write, AccessFlags.Execute}
|
||||
if fileAccessible(dataDir, amask):
|
||||
let cres = checkCurrentUserOnlyACL(dataDir)
|
||||
if cres.isErr():
|
||||
fatal "Could not check data folder's ACL",
|
||||
data_dir = dataDir, errorCode = $cres.error,
|
||||
errorMsg = ioErrorMsg(cres.error)
|
||||
false
|
||||
return false
|
||||
else:
|
||||
if cres.get() == false:
|
||||
fatal "Data folder has insecure ACL", data_dir = dataDir
|
||||
false
|
||||
else:
|
||||
true
|
||||
return false
|
||||
else:
|
||||
let res = secureCreatePath(dataDir)
|
||||
if res.isErr():
|
||||
fatal "Could not create data folder", data_dir = dataDir,
|
||||
errorMsg = ioErrorMsg(res.error), errorCode = $res.error
|
||||
false
|
||||
else:
|
||||
true
|
||||
return false
|
||||
else:
|
||||
fatal "Unsupported operation system"
|
||||
return false
|
||||
|
||||
return true
|
||||
|
||||
proc checkSensitiveFilePermissions*(filePath: string): bool =
|
||||
## Check if ``filePath`` has only "(600) rw-------" permissions.
|
||||
## Procedure returns ``false`` if permissions are different
|
||||
## Procedure returns ``false`` if permissions are different and we can't
|
||||
## correct them.
|
||||
when defined(windows):
|
||||
let cres = checkCurrentUserOnlyACL(filePath)
|
||||
if cres.isErr():
|
||||
fatal "Could not check file's ACL",
|
||||
key_path = filePath, errorCode = $cres.error,
|
||||
errorMsg = ioErrorMsg(cres.error)
|
||||
false
|
||||
return false
|
||||
else:
|
||||
if cres.get() == false:
|
||||
fatal "File has insecure permissions", key_path = filePath
|
||||
false
|
||||
return false
|
||||
else:
|
||||
true
|
||||
else:
|
||||
let allowedMask = {UserRead, UserWrite}
|
||||
let mask = {UserExec,
|
||||
GroupRead, GroupWrite, GroupExec,
|
||||
OtherRead, OtherWrite, OtherExec}
|
||||
let pres = getPermissionsSet(filePath)
|
||||
if pres.isErr():
|
||||
let requiredPerms = 0o600
|
||||
let currPermsRes = getPermissions(filePath)
|
||||
if currPermsRes.isErr():
|
||||
error "Could not check file permissions",
|
||||
key_path = filePath, errorCode = $pres.error,
|
||||
errorMsg = ioErrorMsg(pres.error)
|
||||
false
|
||||
key_path = filePath, errorCode = $currPermsRes.error,
|
||||
errorMsg = ioErrorMsg(currPermsRes.error)
|
||||
return false
|
||||
else:
|
||||
let insecurePermissions = pres.get() * mask
|
||||
if insecurePermissions != {}:
|
||||
error "File has insecure permissions",
|
||||
let currPerms = currPermsRes.get()
|
||||
if currPerms != requiredPerms:
|
||||
warn "File has insecure permissions. Correcting them.",
|
||||
key_path = filePath,
|
||||
insecure_permissions = $insecurePermissions,
|
||||
current_permissions = pres.get().toString(),
|
||||
required_permissions = allowedMask.toString()
|
||||
false
|
||||
else:
|
||||
true
|
||||
current_permissions = currPerms.toOct(4),
|
||||
required_permissions = requiredPerms.toOct(4)
|
||||
let newPermsRes = setPermissions(filePath, requiredPerms)
|
||||
if newPermsRes.isErr():
|
||||
fatal "Could not set data directory permissions",
|
||||
key_path = filePath,
|
||||
errorCode = $newPermsRes.error,
|
||||
errorMsg = ioErrorMsg(newPermsRes.error),
|
||||
old_permissions = currPerms.toOct(4),
|
||||
new_permissions = requiredPerms.toOct(4)
|
||||
return false
|
||||
|
||||
return true
|
||||
|
||||
proc keyboardCreatePassword(prompt: string,
|
||||
confirm: string,
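Review bot: In checkSensitiveFilePermissions, the failure branch after `setPermissions(filePath, requiredPerms)` logs `"Could not set data directory permissions"` although the object is a key file (`key_path`), which sends an operator to the wrong path; `fatal "Could not set file permissions",` matches the neighbouring messages. The doc comment of checkAndCreateDataDir still says `0750 (rwxr-x---)` while the code enforces `requiredPerms = 0o700`, assuming those comment lines are unchanged context in this rendering; it should read `0700 (rwx------)` and say that a differing mode is corrected rather than rejected. Both procs now repair a loose mode and continue where the earlier branch appears to have returned `false`, so a key file that was group- or world-readable may already have been read before the chmod, and the `warn` line is the only record of it. The visible lines also compare the mode only, not the owner of the path, so a directory owned by a different account would pass once its mode reads 0700.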
|
||||
|
|
|
@ -161,7 +161,7 @@ if [[ "$REUSE_EXISTING_DATA_DIR" == "0" ]]; then
|
|||
rm -rf "${DATA_DIR}"
|
||||
fi
|
||||
|
||||
mkdir -m 0750 -p "${DATA_DIR}"
|
||||
mkdir -m 0700 -p "${DATA_DIR}"
|
||||
|
||||
DEPOSITS_FILE="${DATA_DIR}/deposits.json"
|
||||
|
||||
|
@ -341,7 +341,7 @@ for NUM_NODE in $(seq 0 $(( NUM_NODES - 1 ))); do
|
|||
# The first $NODES_WITH_VALIDATORS nodes split them equally between them, after skipping the first $USER_VALIDATORS.
|
||||
NODE_DATA_DIR="${DATA_DIR}/node${NUM_NODE}"
|
||||
rm -rf "${NODE_DATA_DIR}"
|
||||
mkdir -m 0750 -p "${NODE_DATA_DIR}"
|
||||
mkdir -m 0700 -p "${NODE_DATA_DIR}"
|
||||
mkdir -p "${NODE_DATA_DIR}/validators"
|
||||
mkdir -p "${NODE_DATA_DIR}/secrets"
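Review bot: `mkdir -m 0700 -p "${DATA_DIR}"` applies the mode only when it actually creates the directory, so when `REUSE_EXISTING_DATA_DIR` is not `"0"` a directory left from an earlier run keeps its previous 0750 mode. Following the mkdir with `chmod 0700 "${DATA_DIR}"` would make the result independent of prior state. In the second hunk `NODE_DATA_DIR` is removed first, so the mode always takes effect there, but `validators` and `secrets` are created without `-m` and depend on the 0700 parent and the caller's umask for protection; an explicit `-m 0700` on those two lines would not rely on either.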
|
||||
|
||||
|
|
|
@ -24,7 +24,7 @@ if [[ "${ON_WINDOWS}" == "1" ]]; then
|
|||
icacls "$1" /inheritance:r /grant:r $USERDOMAIN\\$USERNAME:\(OI\)\(CI\)\(F\)&>/dev/null;
|
||||
fi
|
||||
else
|
||||
# Create full path with 0750 permissions.
|
||||
mkdir -m 0750 -p "$1"
|
||||
# Create full path with proper permissions.
|
||||
mkdir -m 0700 -p $1
|
||||
fi
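Review bot: The 0700 line passes `$1` unquoted, whereas the 0750 line it appears to replace quoted it, so a path containing spaces or glob characters would be split or expanded and mkdir would create directories other than the intended one. Keep the quoting: `mkdir -m 0700 -p "$1"`. Note also that `-m` affects only the final component and only when mkdir creates it, so an already existing directory keeps its current mode and intermediate components get umask-derived modes. The enclosing if/else starts outside the hunk.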
|
||||
|
||||
|
|