Merge pull request #49 from SUNET/john-permissions-fix
Enforce more strict permissions for files in Cosmos
eest committed Jul 3, 2024
2 parents 5518048 + 8d4ce2d commit 443611d
Showing 4 changed files with 61 additions and 6 deletions.
4 changes: 2 additions & 2 deletions global/post-tasks.d/010fix-ssh-perms
Expand Up @@ -17,7 +17,7 @@ if test -f /root/.ssh/authorized_keys; then
if test `stat -t /root/.ssh/authorized_keys | cut -d\ -f5` != 0; then
chown root.root /root/.ssh/authorized_keys
fi
if test `stat --printf=%a /root/.ssh/authorized_keys` != 600; then
chmod 600 /root/.ssh/authorized_keys
if test `stat --printf=%a /root/.ssh/authorized_keys` != 440; then
chmod 440 /root/.ssh/authorized_keys
fi
fi
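Review bot: The new mode on the changed pair of lines widens read access rather than tightening it: 440 grants the root group read on /root/.ssh/authorized_keys where 600 did not, and because the test is `!= 440` a file that is already at the stricter 400 would be relaxed to 440 on the next run. If the commit's goal is stricter permissions, changing 440 to 400 on both lines (`... != 400; then` and `chmod 400 /root/.ssh/authorized_keys`) matches that intent. If 440 is deliberate, presumably because the overlay ships the file that way or group root is expected to read it, a one-line comment above the test saying so would keep the next reader from "fixing" it back. The enclosing `if test -f /root/.ssh/authorized_keys` starts above the hunk.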
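--- /dev/null
+++ b/global/post-tasks.d/014set-cosmos-permissions
@@ -0,0 +1,24 @@
+#!/bin/sh
+#
+# Set Cosmos directory permissions so that
+# the files cannot be read by anyone but root,
+# since it's possible that the directory
+# can contain files that after applying the
+# overlay to / only should be read or writable
+# by root.
+
+set -e
+self=$(basename "$0")
+
+if ! test -d "$COSMOS_BASE"; then
+test -z "$COSMOS_VERBOSE" || echo "$self: COSMOS_BASE was not found. Aborting change of permissions."
+exit 0
+fi
+
+args=""
+if [ "x$COSMOS_VERBOSE" = "xy" ]; then
+args="-v"
+fi
+
+chown ${args} root:root "$COSMOS_BASE"
+chmod ${args} 750 "$COSMOS_BASE"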
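Review bot: The header comment promises more than the last two lines deliver: `chmod 750` is applied to `$COSMOS_BASE` itself only, not recursively, and 750 still lets every member of the root group list and traverse the directory, so "cannot be read by anyone but root" holds only for users outside that group and only for access through this path. Either tighten the last line to `chmod ${args} 700 "$COSMOS_BASE"` if root-only is the intent, or reword the comment to something like `# Restrict the Cosmos base directory to root (group root keeps read/traverse); modes of the files inside are left untouched.` The identical global/pre-tasks.d/014set-cosmos-permissions has the same comment/code mismatch. Note also that chown and chmod dereference a symlinked `$COSMOS_BASE`, so the link target rather than the link is changed; that is fine as long as COSMOS_BASE is always a real directory.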
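--- /dev/null
+++ b/global/pre-tasks.d/014set-cosmos-permissions
@@ -0,0 +1,24 @@
+#!/bin/sh
+#
+# Set Cosmos directory permissions so that
+# the files cannot be read by anyone but root,
+# since it's possible that the directory
+# can contain files that after applying the
+# overlay to / only should be read or writable
+# by root.
+
+set -e
+self=$(basename "$0")
+
+if ! test -d "$COSMOS_BASE"; then
+test -z "$COSMOS_VERBOSE" || echo "$self: COSMOS_BASE was not found. Aborting change of permissions."
+exit 0
+fi
+
+args=""
+if [ "x$COSMOS_VERBOSE" = "xy" ]; then
+args="-v"
+fi
+
+chown ${args} root:root "$COSMOS_BASE"
+chmod ${args} 750 "$COSMOS_BASE"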
15 changes: 11 additions & 4 deletions global/pre-tasks.d/015set-overlay-permissions
Expand Up @@ -14,10 +14,17 @@ if ! test -d "$MODEL_OVERLAY"; then
exit 0
fi

args=""
if [ "x$COSMOS_VERBOSE" = "xy" ]; then
args="-v"
fi

if [ -d "$MODEL_OVERLAY/root" ]; then
args=""
if [ "x$COSMOS_VERBOSE" = "xy" ]; then
args="-v"
fi
chown ${args} root:root "$MODEL_OVERLAY"/root
chmod ${args} 0700 "$MODEL_OVERLAY"/root
fi

if [ -d "$MODEL_OVERLAY/root/.ssh" ]; then
chown ${args} -R root:root "$MODEL_OVERLAY"/root/.ssh
chmod ${args} 0700 "$MODEL_OVERLAY"/root/.ssh
fi
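Review bot: In the new `.ssh` block the chown is recursive (`-R`) but the chmod is not, so `authorized_keys` and any other file shipped under `root/.ssh` in the overlay keep whatever mode they had at checkout; only the directory receives 0700. If the intent is to have file modes correct before the overlay is applied, a guarded `[ -f "$MODEL_OVERLAY"/root/.ssh/authorized_keys ] && chmod ${args} 440 "$MODEL_OVERLAY"/root/.ssh/authorized_keys` inside this block, using the same mode the post-task 010fix-ssh-perms now enforces, would close that gap; otherwise a short comment that file modes are left to post-tasks.d would stop readers from expecting it here. Hoisting the `args` block above both `if` blocks is right, since the second block depends on it. The `MODEL_OVERLAY` existence check that this hunk belongs to starts above the hunk.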
