From: Lucas Di Pentima
Date: Thu, 2 Feb 2023 18:16:19 +0000 (-0300)
Subject: 20035: Ensures proper permissions on places where certificate's keys are saved.
X-Git-Tag: 2.6.0~46^2~11
X-Git-Url: https://git.arvados.org/arvados.git/commitdiff_plain/ca210064364c6f45db1e2d6a936f21940a3cf03f
20035: Ensures proper permissions on places where certificate's keys are saved.
Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima
---
diff --git a/tools/salt-install/config_examples/multi_host/aws/states/custom_certs.sls b/tools/salt-install/config_examples/multi_host/aws/states/custom_certs.sls
index 3b2be59f36..d2345273f5 100644
--- a/tools/salt-install/config_examples/multi_host/aws/states/custom_certs.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/states/custom_certs.sls
@@ -10,8 +10,16 @@ extra_custom_certs_file_directory_certs_dir:
 file.directory:
 - name: /etc/nginx/ssl
+ - user: root
+ - group: root
+ - dir_mode: 0750
+ - file_mode: 0640
 - require:
 - pkg: nginx_install
+ - recurse:
+ - user
+ - group
+ - mode
 {%- for cert in certs %}
 {%- set cert_file = 'arvados-' ~ cert ~ '.pem' %}
@@ -25,6 +33,7 @@ extra_custom_certs_file_copy_{{ c }}:
 - force: true
 - user: root
 - group: root
+ - mode: 0640
 - unless: cmp {{ dest_cert_dir }}/{{ c }} {{ orig_cert_dir }}/{{ c }}
 - require:
 - file: extra_custom_certs_file_directory_certs_dir
diff --git a/tools/salt-install/installer.sh b/tools/salt-install/installer.sh
index 0cb4b6e09e..e72786ac08 100755
--- a/tools/salt-install/installer.sh
+++ b/tools/salt-install/installer.sh
@@ -74,11 +74,13 @@ sync() {
 # from that.
 ssh $DEPLOY_USER@$NODE git init --bare ${GITTARGET}.git
+ ssh $DEPLOY_USER@$NODE chmod 700 ${GITTARGET}.git
 if ! git remote add $NODE $DEPLOY_USER@$NODE:${GITTARGET}.git ; then
 git remote set-url $NODE $DEPLOY_USER@$NODE:${GITTARGET}.git
 fi
 git push $NODE $BRANCH
 ssh $DEPLOY_USER@$NODE git clone ${GITTARGET}.git ${GITTARGET}
+ ssh $DEPLOY_USER@$NODE chmod 700 ${GITTARGET}
 fi
 # The update case.
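Review bot: The `recurse` list (`user`, `group`, `mode`) added to the `/etc/nginx/ssl` `file.directory` state rewrites ownership and mode of everything already under that directory on every highstate, not only the certificates the states below manage, so any file placed there by hand or by another state silently becomes root:root 0640; if that is not intended, drop `mode` from the recurse list and rely on the per-file `- mode: 0640` added in the second hunk. The Salt file-state documentation recommends quoting octal modes (`- dir_mode: '0750'`, `- file_mode: '0640'`, `- mode: '0640'`) so the YAML loader cannot read a leading-zero literal as a decimal integer; if the other state files in this tree already use unquoted modes, matching them is defensible, but it is worth checking. A short comment on the `file_mode` line saying why 0640 root:root is sufficient for nginx (presumably because the master process reads the key before dropping privileges) would help the next reader.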
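Review bot: The two `chmod 700` lines run as separate ssh sessions after `git init`/`git clone` have already created the directories under the remote user's default umask; the bare repository is tightened before the push, but `git clone ${GITTARGET}.git ${GITTARGET}` writes out the whole work tree (presumably including the certificate material this commit is about) before its chmod runs, so it is briefly readable by other users on $NODE, and a failed chmod goes unnoticed. Creating the directories under a restrictive umask in the same shell closes the window: `ssh $DEPLOY_USER@$NODE "umask 077 && git init --bare ${GITTARGET}.git"` and `ssh $DEPLOY_USER@$NODE "umask 077 && git clone ${GITTARGET}.git ${GITTARGET}"`, after which the separate chmod lines are redundant. Note also that `chmod 700` on a directory leaves the modes of the files inside unchanged, so the protection rests entirely on the directory bit. The same create-then-chmod sequence appears in the `case "$subcmd"` hunk (`git init $SETUPDIR` followed by `chmod 700 $SETUPDIR`); `sync()` continues past this hunk.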
@@ -108,7 +110,7 @@ deploynode() {
 logfile=deploy-${NODE}-$(date -Iseconds).log
 if [[ "$NODE" = localhost ]] ; then
- SUDO=''
+ SUDO=''
 if [[ $(whoami) != 'root' ]] ; then
 SUDO=sudo
 fi
@@ -173,6 +175,7 @@ case "$subcmd" in
 echo "Initializing $SETUPDIR"
 git init $SETUPDIR
+ chmod 700 $SETUPDIR
 cp -r *.sh tests $SETUPDIR
 cp local.params.example.$PARAMS $SETUPDIR/${CONFIG_FILE}
diff --git a/tools/salt-install/provision.sh b/tools/salt-install/provision.sh
index 77c2016151..435c56d059 100755
--- a/tools/salt-install/provision.sh
+++ b/tools/salt-install/provision.sh
@@ -142,15 +142,18 @@ copy_custom_cert() {
 cert_name=${2}
 mkdir -p /srv/salt/certs
+ chmod 700 /srv/salt/certs
 if [ -f ${cert_dir}/${cert_name}.crt ]; then
 cp -v ${cert_dir}/${cert_name}.crt /srv/salt/certs/arvados-${cert_name}.pem
+ chmod 600 /srv/salt/certs/arvados-${cert_name}.pem
 else
 echo "${cert_dir}/${cert_name}.crt does not exist. Exiting"
 exit 1
 fi
 if [ -f ${cert_dir}/${cert_name}.key ]; then
 cp -v ${cert_dir}/${cert_name}.key /srv/salt/certs/arvados-${cert_name}.key
+ chmod 600 /srv/salt/certs/arvados-${cert_name}.key
 else
 echo "${cert_dir}/${cert_name}.key does not exist. Exiting"
 exit 1
@@ -561,9 +564,11 @@ if [ -z "${ROLES}" ]; then
 grep -q "letsencrypt" ${S_DIR}/top.sls || echo " - letsencrypt" >> ${S_DIR}/top.sls
 else
 mkdir -p /srv/salt/certs
+ chmod 700 /srv/salt/certs
 if [ "${SSL_MODE}" = "bring-your-own" ]; then
 # Copy certs to formula extra/files
 cp -rv ${CUSTOM_CERTS_DIR}/* /srv/salt/certs/
+ chmod 600 /srv/salt/certs/*
 # We add the custom_certs state
 grep -q "custom_certs" ${S_DIR}/top.sls || echo " - extra.custom_certs" >> ${S_DIR}/top.sls
 fi
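Review bot: In `copy_custom_cert()` the private key is first written by `cp -v` with the inherited umask and source mode and only afterwards restricted by `chmod 600`, and `mkdir -p /srv/salt/certs` likewise creates the directory before its `chmod 700`, so `arvados-${cert_name}.key` can be readable by other local users for the interval between the two commands. A single `umask 077` at the top of the function makes `cp` and `mkdir` create both restricted from the start, with the chmod lines kept only to tighten a directory or file that already existed. The `.pem` copy gets the same 0600 even though it is the public certificate; that is harmless, but a one-line comment saying the restriction is deliberate for consistency would avoid a later "relaxation". The function's body continues outside this hunk, and whether `set -e` guards a failing `chmod` is not visible here.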
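Review bot: `chmod 600 /srv/salt/certs/*` after `cp -rv ${CUSTOM_CERTS_DIR}/*` also strips the execute bit from any subdirectory the recursive copy brought in, which makes that subtree untraversable for the Salt fileserver, and it never reaches the files nested inside such subdirectories. `chmod -R u=rwX,go= /srv/salt/certs` (or `find /srv/salt/certs -type f -exec chmod 600 {} +`) restricts files to 0600 while keeping directories traversable and covers the whole tree. As in `copy_custom_cert()`, the copied files carry default permissions between the `cp` and the `chmod`; an earlier `umask 077` removes that window. If `CUSTOM_CERTS_DIR` holds no files the unquoted glob stays literal and the new chmod reports an error, though `cp -rv` on the preceding line would already have failed in that case.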