Skip to content

Commit

Permalink
pkg: file stat warning
Browse files Browse the repository at this point in the history
Provide warning and doc instead of enforcing file permission.
  • Loading branch information
spzala committed Aug 20, 2020
1 parent 4b6a0ee commit f3a0ed1
Show file tree
Hide file tree
Showing 2 changed files with 10 additions and 1 deletion.
3 changes: 3 additions & 0 deletions Documentation/op-guide/security.md
Original file line number Diff line number Diff line change
Expand Up @@ -431,6 +431,9 @@ No. etcd doesn't encrypt key/value data stored on disk drives. If a user need to
* Let client applications encrypt and decrypt the data
* Use a feature of underlying storage systems for encrypting stored data like [dm-crypt]

### I’m seeing a log warning that "directory X exist without desired file permission -rwx------"
When etcd create certain new directories it sets file permission to 700 to prevent unprivileged access as possible. However, if user has already created a directory with own preference, different than 700, etcd uses the existing directory and logs the warning message.

[cfssl]: https://github.com/cloudflare/cfssl
[tls-setup]: ../../hack/tls-setup
[tls-guide]: https://github.com/coreos/docs/blob/master/os/generate-self-signed-certificates.md
Expand Down
8 changes: 7 additions & 1 deletion pkg/fileutil/fileutil.go
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,8 @@ import (
"io/ioutil"
"os"
"path/filepath"

"go.uber.org/zap"
)

const (
Expand All @@ -45,7 +47,11 @@ func TouchDirAll(dir string) error {
if Exist(dir) {
err := CheckDirPermission(dir, PrivateDirMode)
if err != nil {
return err
lg, _ := zap.NewProduction()
if lg == nil {
lg = zap.NewExample()
}
lg.Warn("check file permission", zap.Error(err))
}
} else {
err := os.MkdirAll(dir, PrivateDirMode)
Expand Down

0 comments on commit f3a0ed1

Please sign in to comment.