20035: Ensures proper permissions on places where certificate's keys are saved.
authorLucas Di Pentima <lucas.dipentima@curii.com>
Thu, 2 Feb 2023 18:16:19 +0000 (15:16 -0300)
committerLucas Di Pentima <lucas.dipentima@curii.com>
Fri, 10 Feb 2023 18:22:11 +0000 (15:22 -0300)
Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas.dipentima@curii.com>

tools/salt-install/config_examples/multi_host/aws/states/custom_certs.sls
tools/salt-install/installer.sh
tools/salt-install/provision.sh

index 3b2be59f368c353793bec874b9cf9dae1adde896..d2345273f50ee517f23a4600b3825461b80c879a 100644 (file)
 extra_custom_certs_file_directory_certs_dir:
   file.directory:
     - name: /etc/nginx/ssl
+    - user: root
+    - group: root
+    - dir_mode: 0750
+    - file_mode: 0640
     - require:
       - pkg: nginx_install
+    - recurse:
+      - user
+      - group
+      - mode
 
   {%- for cert in certs %}
     {%- set cert_file = 'arvados-' ~ cert ~ '.pem' %}
@@ -25,6 +33,7 @@ extra_custom_certs_file_copy_{{ c }}:
     - force: true
     - user: root
     - group: root
+    - mode: 0640
     - unless: cmp {{ dest_cert_dir }}/{{ c }} {{ orig_cert_dir }}/{{ c }}
     - require:
       - file: extra_custom_certs_file_directory_certs_dir
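Review bot: The new `mode: 0640` on `extra_custom_certs_file_copy_{{ c }}` is not applied to a destination that already has identical content, because the `unless: cmp …` line skips the whole state in that case; the permissions of an unchanged but previously world-readable file are only corrected because the required `extra_custom_certs_file_directory_certs_dir` state now recurses `mode`. That coupling is easy to break if someone later drops `recurse` or the `require`, so it deserves a comment on the copy state, e.g. `# mode on an unchanged file is enforced by the directory state's recurse, since 'unless' skips this state`. The chosen modes (0750/0640, group root) are also looser than the 700/600 the installer scripts apply to the staging copies; if group-readability is intentional for nginx, a one-line comment on `file_mode` saying so would stop a reviewer from tightening it later. The enclosing Jinja loop continues outside the second hunk.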
index 0cb4b6e09e9c57ca8131dafa2a7e8d45e990cc3d..e72786ac08d2c156bfad195c5ff47e636fe39d41 100755 (executable)
@@ -74,11 +74,13 @@ sync() {
            # from that.
 
            ssh $DEPLOY_USER@$NODE git init --bare ${GITTARGET}.git
+               ssh $DEPLOY_USER@$NODE chmod 700 ${GITTARGET}.git
            if ! git remote add $NODE $DEPLOY_USER@$NODE:${GITTARGET}.git ; then
                        git remote set-url $NODE $DEPLOY_USER@$NODE:${GITTARGET}.git
            fi
            git push $NODE $BRANCH
            ssh $DEPLOY_USER@$NODE git clone ${GITTARGET}.git ${GITTARGET}
+               ssh $DEPLOY_USER@$NODE chmod 700 ${GITTARGET}
        fi
 
        # The update case.
@@ -108,7 +110,7 @@ deploynode() {
     logfile=deploy-${NODE}-$(date -Iseconds).log
 
     if [[ "$NODE" = localhost ]] ; then
-       SUDO=''
+           SUDO=''
        if [[ $(whoami) != 'root' ]] ; then
            SUDO=sudo
        fi
@@ -173,6 +175,7 @@ case "$subcmd" in
 
        echo "Initializing $SETUPDIR"
        git init $SETUPDIR
+       chmod 700 $SETUPDIR
        cp -r *.sh tests $SETUPDIR
 
        cp local.params.example.$PARAMS $SETUPDIR/${CONFIG_FILE}
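Review bot: In `sync()` the two added `ssh … chmod 700` lines sit inside the create-only branch that ends at the `fi` before `# The update case.`, so nodes that were already provisioned before this change keep whatever mode `git init --bare` and `git clone` gave those directories; running the chmod after the `fi` (on every sync) would make the tightening idempotent and retroactive. The same applies to `chmod 700 $SETUPDIR` in the `case` hunk, which only runs on the init path. There is also a window between `git init`/`git clone` and the following `chmod` during which the repository is created with the remote user's default umask; creating it private from the start avoids that, e.g. `ssh $DEPLOY_USER@$NODE "umask 077 && git init --bare ${GITTARGET}.git"` and `ssh $DEPLOY_USER@$NODE "umask 077 && git clone ${GITTARGET}.git ${GITTARGET}"`. Whether a failed remote chmod aborts the script cannot be told from the hunk, since `sync()` and the `case` block both start outside it; if the script is not running under `set -e`, the chmod result should be checked. The change at `SUDO=''` is whitespace only.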
index 77c20161513193c099867ddecc7dc51d3960235f..435c56d0591e2828cba65d4b529590b40d7495bc 100755 (executable)
@@ -142,15 +142,18 @@ copy_custom_cert() {
   cert_name=${2}
 
   mkdir -p /srv/salt/certs
+  chmod 700 /srv/salt/certs
 
   if [ -f ${cert_dir}/${cert_name}.crt ]; then
     cp -v ${cert_dir}/${cert_name}.crt /srv/salt/certs/arvados-${cert_name}.pem
+    chmod 600 /srv/salt/certs/arvados-${cert_name}.pem
   else
     echo "${cert_dir}/${cert_name}.crt does not exist. Exiting"
     exit 1
   fi
   if [ -f ${cert_dir}/${cert_name}.key ]; then
     cp -v ${cert_dir}/${cert_name}.key /srv/salt/certs/arvados-${cert_name}.key
+    chmod 600 /srv/salt/certs/arvados-${cert_name}.key
   else
     echo "${cert_dir}/${cert_name}.key does not exist. Exiting"
     exit 1
@@ -561,9 +564,11 @@ if [ -z "${ROLES}" ]; then
     grep -q "letsencrypt"     ${S_DIR}/top.sls || echo "    - letsencrypt" >> ${S_DIR}/top.sls
   else
     mkdir -p /srv/salt/certs
+    chmod 700 /srv/salt/certs
     if [ "${SSL_MODE}" = "bring-your-own" ]; then
       # Copy certs to formula extra/files
       cp -rv ${CUSTOM_CERTS_DIR}/* /srv/salt/certs/
+      chmod 600 /srv/salt/certs/*
       # We add the custom_certs state
       grep -q "custom_certs"    ${S_DIR}/top.sls || echo "    - extra.custom_certs" >> ${S_DIR}/top.sls
     fi
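Review bot: In `copy_custom_cert()` the key is first written by `cp -v` with the process umask (commonly 644) and only then narrowed by the following `chmod 600`, so there is a short window where the private key is readable by other local users; `install -m 600 ${cert_dir}/${cert_name}.key /srv/salt/certs/arvados-${cert_name}.key` (and likewise for the `.crt` line) creates the copy with its final mode and removes both the window and the separate chmod. The same pattern appears in the `bring-your-own` hunk, where `chmod 600 /srv/salt/certs/*` additionally only touches the top level: `cp -rv` may copy subdirectories, which the glob would then make unsearchable by stripping their execute bit while leaving their contents untouched. Running the copy under a restrictive umask, `(umask 077 && cp -rv ${CUSTOM_CERTS_DIR}/* /srv/salt/certs/)`, makes newly created files and directories private at creation; the chmod can stay for files that already existed in the destination, since cp does not change the mode of an overwritten file. Both enclosing blocks (`copy_custom_cert()` and the `if [ -z "${ROLES}" ]` branch) start outside their hunks.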