Enforce more strict permissions for files in Cosmos #49

Merged
merged 3 commits into from
Jul 3, 2024

Gijutsu (Member) commented Nov 17, 2023

This is a merge of various stricter permissions for Cosmos that were identified to be needed when setting up the locked down Tor signing OPS repo to avoid information leakage and possible unauthorized modification by unprivileged users.

The main issue is to restrict access to $COSMOS_BASE at the earliest stage possible to avoid race conditions, during which information could be leaked or modifications made.
Permissions for sensitive files and directories such as /root and /root/.ssh in the overlay are checked separately. A fix is also included to apply the same permission for /root/.ssh/authorized_keys that Puppet applies through sunet::ssh_keys to avoid changing permissions on each run of Cosmos and Puppet.

in post-tasks.d/010fix-ssh-perms as is done by
Puppet with sunet::ssh_keys.
as well as that /root/.ssh and its content is
only owned and readable by root. This is redundant
if the previous permissions were properly applied
and no other changes have been made by the user
or something else, but is added for good measure
as a layered defense.
by root since it's possible that the directory
can contain files that after applying the
overlay to / only should be read or writable
by root.
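
The two ideas in the description above, creating a sensitive directory with restrictive permissions from the start rather than tightening it afterwards, and separately checking that a tree such as /root/.ssh is closed to group and other, can be sketched as follows. This is an added example, not code from this pull request or from Cosmos; the function names and the demo tree are hypothetical, and `-perm /077` assumes GNU find.

```shell
#!/bin/sh
# Added example: names and paths are hypothetical, not taken from Cosmos.

# Create a directory that never exists with wider permissions. The umask
# applies at creation, so there is no window between mkdir and a later chmod.
# Note: mkdir -p leaves the mode of an already existing directory unchanged.
make_private_dir() {
    ( umask 077 && mkdir -p -- "$1" )
}

# Print every entry under $1 that group or other can access in any way.
# Symlinks are skipped because on Linux their own mode bits are always 0777.
loose_entries() {
    find "$1" ! -type l -perm /077 -print
}

# Return 0 if the tree at $1 is owned by user $2 and closed to group/other,
# 1 if any entry violates that, 2 if $1 is not a directory.
check_private_tree() {
    dir=$1
    owner=$2
    [ -d "$dir" ] || return 2
    [ -z "$(loose_entries "$dir")" ] || return 1
    [ -z "$(find "$dir" ! -user "$owner" -print)" ] || return 1
    return 0
}

# Constructed demo tree standing in for an overlay's root/.ssh.
demo=$(mktemp -d)
make_private_dir "$demo/overlay/root/.ssh"
( umask 077 && : > "$demo/overlay/root/.ssh/authorized_keys" )
if check_private_tree "$demo/overlay/root" "$(id -u)"; then
    echo "overlay/root: private"
fi
chmod 644 "$demo/overlay/root/.ssh/authorized_keys"   # simulate a loosened file
if ! check_private_tree "$demo/overlay/root" "$(id -u)"; then
    echo "overlay/root: group/other can access:"
    loose_entries "$demo/overlay/root"
fi
rm -rf "$demo"
```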

sonarcloud bot commented Nov 17, 2023

Kudos, SonarCloud Quality Gate passed!

Bugs: 0 (rating A)
Vulnerabilities: 0 (rating A)
Security Hotspots: 0 (rating A)
Code Smells: 0 (rating A)

No Coverage information
No Duplication information

theseal left a comment

LGTM

eest left a comment

LGTM

eest commented Jul 3, 2024

also 👍 from @mickenordin

@eest eest merged commit 443611d into main Jul 3, 2024
4 checks passed
@eest eest deleted the john-permissions-fix branch July 3, 2024 09:36