Fix config permissions on the config directory and the config file

[blag]

Fixes #4144.

This ensures that we create the config directory and file with the proper permissions.

It also tweaks the st2 login command to check the permissions on the config file (~/.st2/config) and directory (~/.st2) every time it is run, and then automatically fix permissions if they are too permissive. It does use the warnings module to warn the user about this, but does not give them a chance to opt out or turn the behavior off.

Automatically fixing the directory/file permissions assumes that there is no good reason for a process owned by another user or group to need read access to the config file. That is a very large assumption, so I'm inviting discussion about that.

The options are:

1. simply "warn the user" into fixing the config permissions, but not automatically fix it ourselves
2. use environment variables or command line flags to control warnings and automatic fixing behavior
3. warn the user and automatically fix it ourselves all the time
4. fix it automatically without warning

I have chosen option 3 here.

[arm4b]

Can we also set setgid for the config dir? 2770,

see #4144 and StackStorm/packer-st2#38 why

[blag]

Yes, I'll do this.

I assume we also want the setuid bit set, right? 0o6770?

Edit: Nope, nevermind: https://en.wikipedia.org/wiki/Setuid#When_set_on_a_directory

[arm4b]

I don't have any opinions about the setuid, since I didn't see that bit having effect on dir.
If you believe it can help in some use cases, - I'm good with adding it.

[blag]

Nope, I don't think it's helpful.

Fixed.

[arm4b]

My vote goes in favor of:

1. simply "warn the user" into fixing the config permissions, but not automatically fix it ourselves

Create config dir and files with safe permissions and don't try to change them after that.

Curious what others think.

[arm4b]

To fix the entire story, need also to take care about the StackStorm/st2-packages#558 (StackStorm/st2-packages#520 might help with it)

[Kami]

I agree with @armab, I also think 1) is better (user might have a (valid) use case to change the permissions after the fact and we probably shouldn't mess with the permissions after the initial set up, but should definitely warn in case of unsafe permissions).

[Kami]

Instead of using warnings module we should probably use logger.warn since we also use logging in other places for such things.

This way it uses the existing framework and setting log level, etc works as expected (e.g. user wants to suppress warnings and only see messages with level ERROR and above).

[Kami]

Can you please add a changelog entry?

Besides that, LGTM 👍

[arm4b]

I don't think it's a best to warn user about the absence of SGID bit.
It's a workaround that'll help creating file names with the same group under the config dir, but not really that much security-related.

Besides of that minor comment, looks good to me too 👍

[arm4b]

Just a reminder to not forget to set setguid bit before merging. Can't find it anywhere, except of tests.

[blag]

Fixed, please re-review when you have time.

[arm4b]

Makes sense in dir conext 👍

[arm4b]

Wouldn't this always try to chmod cached token file?
I think we previously agreed to do chmod operations only on initial file creation.

[blag]

Yes it would, but as far as I can tell, it's only run when the file is initially created.

[arm4b]

Alright, thanks for explaining 👍

[arm4b]

Same here. I think we previously agreed to set file permissions only on creation and don't try chmod afterwards.

[arm4b]

For the LOG.info message level, do you know/can you check where will it show while running st2 commands?

[blag]

That depends ~~greatly on the configuration file itself~ on the --debug flag, but the info level is not output to stdout or stderr by default:

>>> import logging
>>> logger = logging.getLogger("_")
>>> logger.info("Hello World!")
>>> 

[arm4b]

Thanks for verifying that 👍

[arm4b]

I tried the packages produced from this PR and got the following error:

vagrant@stackstorm:~$ st2 login -w st2admin
Password: 
Failed to log in as st2admin: chmod() takes no keyword arguments

[arm4b]

Also squashing all commits history in 1 during review makes it harder to follow the history, code diff from the most recent look and overall commenting.
If you prefer, - it's still possible to do squash during the merge as a last step.

[Kami]

Can we get this resolved / finished today and merged in time for v2.8.0?

[arm4b]

I can confirm that previous commit fixes st2client.config_parser issue.

There is a new edge case, warning messages are duplicated:

$ st2 action list
2018-06-22 17:41:48,953  WARNING - The StackStorm configuration directory permissions are insecure (too permissive).

You can fix this by running:

chmod 770 /home/vagrant/.st2
2018-06-22 17:41:48,954  WARNING - The StackStorm configuration file permissions are insecure.

You can fix this by running:

chmod 660 /home/vagrant/.st2/config
2018-06-22 17:41:48,955  WARNING - The StackStorm configuration directory permissions are insecure (too permissive).

You can fix this by running:

chmod 770 /home/vagrant/.st2
2018-06-22 17:41:48,957  WARNING - The StackStorm configuration file permissions are insecure.

You can fix this by running:

chmod 660 /home/vagrant/.st2/config
2018-06-22 17:41:48,959  WARNING - Permissions (0664) for cached token file "/home/vagrant/.st2/token-st2admin" are to permissive. Please restrict the permissions and make sure only your own user can read from the file

To reproduce:

chmod -R o+r ~/.st2
st2 action list

[arm4b]

NIT: To include the PR #number in the CHANGELOG.

[arm4b]

NIT: I think that's too many new lines here which makes it pretty inconsistent with existing stackstorm warning messages by taking a lot of space. Example:

vagrant@stackstorm:~$ st2 action list
2018-06-26 14:50:42,463  WARNING - The StackStorm configuration directory permissions are insecure (too permissive).

You can fix this by running:

    chmod 770 /home/vagrant/.st2

2018-06-26 14:50:42,463  WARNING - The StackStorm configuration file permissions are insecure.

You can fix this by running:

    chmod 660 /home/vagrant/.st2/config

2018-06-26 14:50:42,463  WARNING - Permissions (0664) for cached token file "/home/vagrant/.st2/token-st2admin" are too permissive. Please restrict the permissions and make sure only your own user can read from or write to the file.

You can fix this by running:

    chmod o-rw /home/vagrant/.st2/token-st2admin

[Kami]

Small nitpick - In some places in the log messages we use numerical permission levels and in other we use symbolic notation.

It's probably a good idea to unify it and use numerical / symbolic everywhere :)

[blag]

I'll simply remove the help text. I just usually like to give users some idea of how to fix a problem, which requires readable formatting, but it might not be the best for log messages.

The octal vs symbolic issue is more than just a notation difference, it's a functional one. The octal notation sets the permissions for the user, group, and "others", but the symbolic notation here performs operations on the permissions for just "others" and leaves the bits for the user and group intact.

[arm4b]

Thanks for fixing all the corner cases. LGTM now 👍

Just left a couple of very minor non-blocking comments, if you'd prefer to further improve it for consistency.

[Kami]

Probably a good idea to get this merged today so we can include it in v2.8.0.

Those non-blockers mentioned above can be fixed / improved later.

[blag]

Warnings and tests are turned off in #4215 (41769824b51aa19edb786a9e7e4b7f91b16f65d7 and e16a59ac029926f63fa1eb507653f19fef18f4c7).