Determine and implement proper file permissions on Airship2 generated files #188
Comments
I would like to pick up this story. Please assign to me
There are several different places in airshipctl that create files; please be sure to address all of them as part of this issue. Example: Let's please create a new configuration item that defines the permissions value to use for files & directories; by default use 640 for files & 750 for directories, but allow operators to override that in the config file.
@arnavaroy26 all yours
@arnavaroy26 when you start working on this, please take a look at this filesystem that we have in document model. I think we may want to use the same FS everywhere and control permissions via it: https://github.com/airshipit/airshipctl/blob/master/pkg/document/filesystem.go
Unless we would ever require to define different owner:group & octal unix file permissions for different files and directories, what we need is to ensure that current umask setting fits our (security) needs. Umask would allow us to control permissions for files and directories being created while airshipctl is being run. User:group would always be same as user:group of a user who runs airshipctl (otherwise we would have to run airshipctl as root, which is another problem we wouldn't want to solve). Could we only have a desired umask setting and on every launch check that actual umask fits our needs?
I would like to work on this issue, please assign to me.
Related Change #741552
Subject: Implements proper permissions on airship2 generated files
This change will close this issue when merged.
Approvals
Code-Review: +2 Ian Howell, +1 Bijaya Sharma, +2 Dmitry Ukov
Verified: +2 Zuul
Workflow: +1 Dmitry Ukov
Last Updated: 2020-08-11 07:15:03 CDT
The Change that closes this issue was merged. |
Problem description (if applicable)
Airship2 will be responsible for generating a number of files, some of which will contain secrets. The default permissions set when generated via Go are overly permissive.
In Airship1 Pegleg acted as the front door generating files, encrypting files, and generating the genesis bundle. A stance was taken of setting 640 permissions on all files Pegleg created, but no path has yet been identified for Airship2.
Proposed change
Identify types of files that should have restricted file permissions, some possibilities:
Identify and implement correct file permissions for these files, such as 0640.
Potential impacts
Restricting file permissions may lead to failures with other components. Use of sudo may be needed, or using a common user for these components.
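An added example, not airshipctl's code or the merged change: one way to apply the 0640/0750 defaults proposed in this thread in Go, with a walk that reports anything looser. `WriteRestricted`, `Audit` and the two constants are hypothetical names.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

const fileMode, dirMode fs.FileMode = 0o640, 0o750 // thread's proposed defaults; names are hypothetical

// WriteRestricted chmods the open handle before writing: the mode passed to
// OpenFile applies only when it creates the file, not to one that already exists.
func WriteRestricted(path string, data []byte) error {
	if err := os.MkdirAll(filepath.Dir(path), dirMode); err != nil {
		return err
	}
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, fileMode)
	if err != nil {
		return err
	}
	defer f.Close()
	if err = f.Chmod(fileMode); err == nil {
		_, err = f.Write(data)
	}
	return err
}

// Audit lists files and directories under root with bits outside fileMode/dirMode.
func Audit(root string) (loose []string, err error) {
	err = filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || (!d.IsDir() && !d.Type().IsRegular()) {
			return err
		}
		limit := fileMode
		if d.IsDir() {
			limit = dirMode
		}
		info, err := d.Info()
		if err == nil && info.Mode().Perm()&^limit != 0 {
			loose = append(loose, p)
		}
		return err
	})
	return loose, err
}

func main() {
	loose, err := Audit(".") // report anything too permissive under the current directory
	fmt.Println(loose, err)
}
```

The umask can only clear bits from the requested mode, so new files never end up looser than 0640; the explicit `Chmod` matters for files that already exist with wider permissions.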