Pull request 2284: AG-32257-file-permission-mitigation
Squashed commit of the following:
commit 6e0e61ec2e95a563b04a622f46c6bbe2b2e12711
Merge: e3cccc01a 5b5b39713
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date: Wed Oct 2 20:51:29 2024 +0300
Merge branch 'master' into AG-32257-file-permission-mitigation
commit e3cccc01a9cbd382cec0fcd7f3685e43acb48424
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date: Wed Oct 2 19:57:32 2024 +0300
dnsforward: imp test
commit 16ecebbc2fd2f4afe2bf475774af1786fa7a02c0
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date: Wed Oct 2 19:22:10 2024 +0300
configmigrate: imp tests
commit da8777c3a7c81e17c0d08cfff4e3a9c8d2bbd649
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date: Wed Oct 2 18:58:46 2024 +0300
all: imp types, tests
commit 58822a0ef8aa2d944a667d1ba77fe23ff52af424
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date: Wed Oct 2 18:28:37 2024 +0300
all: imp chlog
commit 8ce81f918cc5cf43972e2045532a48c829257a2f
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date: Wed Oct 2 18:09:57 2024 +0300
all: improve permissions, add safe_fs_patterns
This commit is contained in:
Ainar Garipov
93
internal/permcheck/migrate.go
Normal file
93
internal/permcheck/migrate.go
Normal file
@@ -0,0 +1,93 @@
|
||||
package permcheck
|
||||
|
||||
import (
|
||||
"io/fs"
|
||||
"os"
|
||||
"path/filepath"
|
||||
|
||||
"github.com/AdguardTeam/AdGuardHome/internal/aghos"
|
||||
"github.com/AdguardTeam/golibs/errors"
|
||||
"github.com/AdguardTeam/golibs/log"
|
||||
)
|
||||
|
||||
// NeedsMigration returns true if AdGuard Home files need permission migration.
|
||||
//
|
||||
// TODO(a.garipov): Consider ways to detect this better.
|
||||
func NeedsMigration(confFilePath string) (ok bool) {
|
||||
s, err := os.Stat(confFilePath)
|
||||
if err != nil {
|
||||
if errors.Is(err, os.ErrNotExist) {
|
||||
// Likely a first run. Don't check.
|
||||
return false
|
||||
}
|
||||
|
||||
log.Error("permcheck: checking if files need migration: %s", err)
|
||||
|
||||
// Unexpected error. Try to migrate just in case.
|
||||
return true
|
||||
}
|
||||
|
||||
return s.Mode().Perm() != aghos.DefaultPermFile
|
||||
}
|
||||
|
||||
// Migrate attempts to change the permissions of AdGuard Home's files. It logs
|
||||
// the results at an appropriate level.
|
||||
func Migrate(workDir, dataDir, statsDir, querylogDir, confFilePath string) {
|
||||
chmodDir(workDir)
|
||||
|
||||
chmodFile(confFilePath)
|
||||
|
||||
// TODO(a.garipov): Put all paths in one place and remove this duplication.
|
||||
chmodDir(dataDir)
|
||||
chmodDir(filepath.Join(dataDir, "filters"))
|
||||
chmodFile(filepath.Join(dataDir, "sessions.db"))
|
||||
chmodFile(filepath.Join(dataDir, "leases.json"))
|
||||
|
||||
if dataDir != querylogDir {
|
||||
chmodDir(querylogDir)
|
||||
}
|
||||
chmodFile(filepath.Join(querylogDir, "querylog.json"))
|
||||
chmodFile(filepath.Join(querylogDir, "querylog.json.1"))
|
||||
|
||||
if dataDir != statsDir {
|
||||
chmodDir(statsDir)
|
||||
}
|
||||
chmodFile(filepath.Join(statsDir, "stats.db"))
|
||||
}
|
||||
|
||||
// chmodDir changes the permissions of a single directory. The results are
|
||||
// logged at the appropriate level.
|
||||
func chmodDir(dirPath string) {
|
||||
chmodPath(dirPath, typeDir, aghos.DefaultPermDir)
|
||||
}
|
||||
|
||||
// chmodFile changes the permissions of a single file. The results are logged
|
||||
// at the appropriate level.
|
||||
func chmodFile(filePath string) {
|
||||
chmodPath(filePath, typeFile, aghos.DefaultPermFile)
|
||||
}
|
||||
|
||||
// chmodPath changes the permissions of a single filesystem entity. The results
|
||||
// are logged at the appropriate level.
|
||||
func chmodPath(entPath, fileType string, fm fs.FileMode) {
|
||||
err := os.Chmod(entPath, fm)
|
||||
if err == nil {
|
||||
log.Info("permcheck: changed permissions for %s %q", fileType, entPath)
|
||||
|
||||
return
|
||||
} else if errors.Is(err, os.ErrNotExist) {
|
||||
log.Debug("permcheck: changing permissions for %s %q: %s", fileType, entPath, err)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
log.Error(
|
||||
"permcheck: SECURITY WARNING: cannot change permissions for %s %q to %#o: %s; "+
|
||||
"this can leave your system vulnerable, see "+
|
||||
"https://adguard-dns.io/kb/adguard-home/running-securely/#os-service-concerns",
|
||||
fileType,
|
||||
entPath,
|
||||
fm,
|
||||
err,
|
||||
)
|
||||
}
|
||||
86
internal/permcheck/permcheck.go
Normal file
86
internal/permcheck/permcheck.go
Normal file
@@ -0,0 +1,86 @@
|
||||
// Package permcheck contains code for simplifying permissions checks on files
|
||||
// and directories.
|
||||
//
|
||||
// TODO(a.garipov): Improve the approach on Windows.
|
||||
package permcheck
|
||||
|
||||
import (
|
||||
"io/fs"
|
||||
"os"
|
||||
"path/filepath"
|
||||
|
||||
"github.com/AdguardTeam/AdGuardHome/internal/aghos"
|
||||
"github.com/AdguardTeam/golibs/errors"
|
||||
"github.com/AdguardTeam/golibs/log"
|
||||
)
|
||||
|
||||
// File type constants for logging.
|
||||
const (
|
||||
typeDir = "directory"
|
||||
typeFile = "file"
|
||||
)
|
||||
|
||||
// Check checks the permissions on important files. It logs the results at
|
||||
// appropriate levels.
|
||||
func Check(workDir, dataDir, statsDir, querylogDir, confFilePath string) {
|
||||
checkDir(workDir)
|
||||
|
||||
checkFile(confFilePath)
|
||||
|
||||
// TODO(a.garipov): Put all paths in one place and remove this duplication.
|
||||
checkDir(dataDir)
|
||||
checkDir(filepath.Join(dataDir, "filters"))
|
||||
checkFile(filepath.Join(dataDir, "sessions.db"))
|
||||
checkFile(filepath.Join(dataDir, "leases.json"))
|
||||
|
||||
if dataDir != querylogDir {
|
||||
checkDir(querylogDir)
|
||||
}
|
||||
checkFile(filepath.Join(querylogDir, "querylog.json"))
|
||||
checkFile(filepath.Join(querylogDir, "querylog.json.1"))
|
||||
|
||||
if dataDir != statsDir {
|
||||
checkDir(statsDir)
|
||||
}
|
||||
checkFile(filepath.Join(statsDir, "stats.db"))
|
||||
}
|
||||
|
||||
// checkDir checks the permissions of a single directory. The results are
|
||||
// logged at the appropriate level.
|
||||
func checkDir(dirPath string) {
|
||||
checkPath(dirPath, typeDir, aghos.DefaultPermDir)
|
||||
}
|
||||
|
||||
// checkFile checks the permissions of a single file. The results are logged at
|
||||
// the appropriate level.
|
||||
func checkFile(filePath string) {
|
||||
checkPath(filePath, typeFile, aghos.DefaultPermFile)
|
||||
}
|
||||
|
||||
// checkPath checks the permissions of a single filesystem entity. The results
|
||||
// are logged at the appropriate level.
|
||||
func checkPath(entPath, fileType string, want fs.FileMode) {
|
||||
s, err := os.Stat(entPath)
|
||||
if err != nil {
|
||||
logFunc := log.Error
|
||||
if errors.Is(err, os.ErrNotExist) {
|
||||
logFunc = log.Debug
|
||||
}
|
||||
|
||||
logFunc("permcheck: checking %s %q: %s", fileType, entPath, err)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
// TODO(a.garipov): Add a more fine-grained check and result reporting.
|
||||
perm := s.Mode().Perm()
|
||||
if perm != want {
|
||||
log.Info(
|
||||
"permcheck: SECURITY WARNING: %s %q has unexpected permissions %#o; want %#o",
|
||||
fileType,
|
||||
entPath,
|
||||
perm,
|
||||
want,
|
||||
)
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user