Pull request 2312: 7400 Windows permcheck
Updates #7400.
Squashed commit of the following:
commit f50d7c200de545dc6c8ef70b39208f522033fb90
Merge: 47040a14c 37b16bcf7
Author: Eugene Burkov <E.Burkov@AdGuard.COM>
Date: Tue Dec 3 18:09:23 2024 +0300
Merge branch 'master' into 7400-chown-permcheck
commit 47040a14cd50bf50429f44eba0acdcf736412b61
Author: Eugene Burkov <E.Burkov@AdGuard.COM>
Date: Tue Dec 3 14:26:43 2024 +0300
permcheck: fix nil entries
commit e1d21c576d75a903b88db3b7beb82348cdcf60c9
Author: Eugene Burkov <E.Burkov@AdGuard.COM>
Date: Mon Dec 2 15:37:58 2024 +0300
permcheck: fix nil owner
commit b1fc67c4d189293d0aee90c1905f7f387840643b
Author: Eugene Burkov <E.Burkov@AdGuard.COM>
Date: Fri Nov 29 18:07:15 2024 +0300
permcheck: imp doc
commit 0b6a71326e249f0923e389aa1f6f164b02802a24
Author: Eugene Burkov <E.Burkov@AdGuard.COM>
Date: Fri Nov 29 17:16:24 2024 +0300
permcheck: imp code
commit 7dfbeda179d0ddb81db54fa4e0dcff189b400215
Author: Eugene Burkov <E.Burkov@AdGuard.COM>
Date: Fri Nov 29 14:28:17 2024 +0300
permcheck: imp code
commit 3a5b6aced948a2d09fdae823fc986266c9984b3d
Author: Eugene Burkov <E.Burkov@AdGuard.COM>
Date: Thu Nov 28 19:21:03 2024 +0300
all: imp code, docs
commit c076c9366934303fa8c5909bd13770e367dca72e
Author: Eugene Burkov <E.Burkov@AdGuard.COM>
Date: Thu Nov 28 15:14:06 2024 +0300
permcheck: imp code, docs
commit 09e4ae1ba12e195454f1db11fa2f5c9e8e170f06
Author: Eugene Burkov <E.Burkov@AdGuard.COM>
Date: Wed Nov 27 19:19:11 2024 +0300
all: implement windows permcheck
commit b75ed7d4d30e289b8a99e68e6a5e94ab74cf49cb
Author: Eugene Burkov <E.Burkov@AdGuard.COM>
Date: Mon Nov 25 18:01:47 2024 +0300
all: revert permissions
This commit is contained in:
Eugene Burkov
123
internal/permcheck/security_unix.go
Normal file
123
internal/permcheck/security_unix.go
Normal file
@@ -0,0 +1,123 @@
|
||||
//go:build unix
|
||||
|
||||
package permcheck
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"io/fs"
|
||||
"log/slog"
|
||||
"os"
|
||||
"path/filepath"
|
||||
|
||||
"github.com/AdguardTeam/golibs/container"
|
||||
"github.com/AdguardTeam/golibs/errors"
|
||||
"github.com/AdguardTeam/golibs/logutil/slogutil"
|
||||
)
|
||||
|
||||
// entity is a filesystem entity with a path and a flag indicating whether it is
|
||||
// a directory.
|
||||
type entity = container.KeyValue[string, bool]
|
||||
|
||||
// entities returns a list of filesystem entities that need to be ranged over.
|
||||
//
|
||||
// TODO(a.garipov): Put all paths in one place and remove this duplication.
|
||||
func entities(workDir, dataDir, statsDir, querylogDir, confFilePath string) (ents []entity) {
|
||||
ents = []entity{{
|
||||
Key: workDir,
|
||||
Value: true,
|
||||
}, {
|
||||
Key: confFilePath,
|
||||
Value: false,
|
||||
}, {
|
||||
Key: dataDir,
|
||||
Value: true,
|
||||
}, {
|
||||
Key: filepath.Join(dataDir, "filters"),
|
||||
Value: true,
|
||||
}, {
|
||||
Key: filepath.Join(dataDir, "sessions.db"),
|
||||
Value: false,
|
||||
}, {
|
||||
Key: filepath.Join(dataDir, "leases.json"),
|
||||
Value: false,
|
||||
}}
|
||||
|
||||
if dataDir != querylogDir {
|
||||
ents = append(ents, entity{
|
||||
Key: querylogDir,
|
||||
Value: true,
|
||||
})
|
||||
}
|
||||
ents = append(ents, entity{
|
||||
Key: filepath.Join(querylogDir, "querylog.json"),
|
||||
Value: false,
|
||||
}, entity{
|
||||
Key: filepath.Join(querylogDir, "querylog.json.1"),
|
||||
Value: false,
|
||||
})
|
||||
|
||||
if dataDir != statsDir {
|
||||
ents = append(ents, entity{
|
||||
Key: statsDir,
|
||||
Value: true,
|
||||
})
|
||||
}
|
||||
ents = append(ents, entity{
|
||||
Key: filepath.Join(statsDir, "stats.db"),
|
||||
})
|
||||
|
||||
return ents
|
||||
}
|
||||
|
||||
// checkPath checks the permissions of a single filesystem entity. The results
|
||||
// are logged at the appropriate level.
|
||||
func checkPath(ctx context.Context, l *slog.Logger, entPath string, want fs.FileMode) {
|
||||
l = l.With("path", entPath)
|
||||
|
||||
s, err := os.Stat(entPath)
|
||||
if err != nil {
|
||||
lvl := slog.LevelError
|
||||
if errors.Is(err, os.ErrNotExist) {
|
||||
lvl = slog.LevelDebug
|
||||
}
|
||||
|
||||
l.Log(ctx, lvl, "checking permissions", slogutil.KeyError, err)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
// TODO(a.garipov): Add a more fine-grained check and result reporting.
|
||||
perm := s.Mode().Perm()
|
||||
if perm == want {
|
||||
return
|
||||
}
|
||||
|
||||
permOct, wantOct := fmt.Sprintf("%#o", perm), fmt.Sprintf("%#o", want)
|
||||
l.WarnContext(ctx, "found unexpected permissions", "perm", permOct, "want", wantOct)
|
||||
}
|
||||
|
||||
// chmodPath changes the permissions of a single filesystem entity. The results
|
||||
// are logged at the appropriate level.
|
||||
func chmodPath(ctx context.Context, l *slog.Logger, entPath string, fm fs.FileMode) {
|
||||
var lvl slog.Level
|
||||
var msg string
|
||||
args := []any{"path", entPath}
|
||||
|
||||
switch err := os.Chmod(entPath, fm); {
|
||||
case err == nil:
|
||||
lvl = slog.LevelInfo
|
||||
msg = "changed permissions"
|
||||
case errors.Is(err, os.ErrNotExist):
|
||||
lvl = slog.LevelDebug
|
||||
msg = "checking permissions"
|
||||
args = append(args, slogutil.KeyError, err)
|
||||
default:
|
||||
lvl = slog.LevelError
|
||||
msg = "cannot change permissions; this can leave your system vulnerable, see " +
|
||||
"https://adguard-dns.io/kb/adguard-home/running-securely/#os-service-concerns"
|
||||
args = append(args, "target_perm", fmt.Sprintf("%#o", fm), slogutil.KeyError, err)
|
||||
}
|
||||
|
||||
l.Log(ctx, lvl, msg, args...)
|
||||
}
|
||||
Reference in New Issue
Block a user