Merge pull request #179 from kairos-io/2057-file-perms

Add config permissions
kairos-io · Dec 6, 2023 · 9d95056 · 9d95056
2 parents 6e1d761 + 3df7742
commit 9d95056
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 8 deletions.
diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -145,12 +145,12 @@ func (c Config) WriteInstallState(i *v1.InstallState, statePath, recoveryPath st
 
 	data = append([]byte("# Autogenerated file by elemental client, do not edit\n\n"), data...)
 
-	err = c.Fs.WriteFile(statePath, data, constants.FilePerm)
+	err = c.Fs.WriteFile(statePath, data, constants.ConfigPerm)
 	if err != nil {
 		return err
 	}
 
-	err = c.Fs.WriteFile(recoveryPath, data, constants.FilePerm)
+	err = c.Fs.WriteFile(recoveryPath, data, constants.ConfigPerm)
 	if err != nil {
 		return err
 	}

diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go
@@ -17,15 +17,16 @@ package config_test
 
 import (
 	"fmt"
+	"path/filepath"
+	"reflect"
+	"strings"
+
 	"github.com/kairos-io/kairos-agent/v2/pkg/constants"
 	v1 "github.com/kairos-io/kairos-agent/v2/pkg/types/v1"
-	"github.com/kairos-io/kairos-agent/v2/pkg/utils/fs"
+	fsutils "github.com/kairos-io/kairos-agent/v2/pkg/utils/fs"
 	v1mocks "github.com/kairos-io/kairos-agent/v2/tests/mocks"
 	"github.com/twpayne/go-vfs"
 	"github.com/twpayne/go-vfs/vfst"
-	"path/filepath"
-	"reflect"
-	"strings"
 
 	. "github.com/kairos-io/kairos-agent/v2/pkg/config"
 	. "github.com/kairos-io/kairos-sdk/schema"
@@ -173,6 +174,12 @@ var _ = Describe("Schema", func() {
 			Expect(err).ShouldNot(HaveOccurred())
 			loadedInstallState, err := config.LoadInstallState()
 			Expect(err).ShouldNot(HaveOccurred())
+			stat, err := fs.Stat(statePath)
+			Expect(err).To(BeNil())
+			Expect(int(stat.Mode().Perm())).To(Equal(constants.ConfigPerm))
+			stat, err = fs.Stat(recoveryPath)
+			Expect(err).To(BeNil())
+			Expect(int(stat.Mode().Perm())).To(Equal(constants.ConfigPerm))
 
 			Expect(*loadedInstallState).To(Equal(*installState))
 		})

diff --git a/pkg/constants/constants.go b/pkg/constants/constants.go
@@ -94,6 +94,7 @@ const (
 	// Default directory and file fileModes
 	DirPerm        = os.ModeDir | os.ModePerm
 	FilePerm       = 0666
+	ConfigPerm     = 0640 // Used for config files that contain secrets or other sensitive data
 	NoWriteDirPerm = 0555 | os.ModeDir
 	TempDirPerm    = os.ModePerm | os.ModeSticky | os.ModeDir
 

diff --git a/pkg/elemental/elemental.go b/pkg/elemental/elemental.go
@@ -401,7 +401,7 @@ func (e *Elemental) CopyCloudConfig(cloudInit []string) (err error) {
 		if err != nil {
 			return err
 		}
-		if err = e.config.Fs.Chmod(customConfig, cnst.FilePerm); err != nil {
+		if err = e.config.Fs.Chmod(customConfig, cnst.ConfigPerm); err != nil {
 			e.config.Logger.Debugf("Error on chmod %s: %s\n", customConfig, err.Error())
 			return err
 		}

diff --git a/pkg/elemental/elemental_test.go b/pkg/elemental/elemental_test.go
@@ -869,9 +869,14 @@ var _ = Describe("Elemental", Label("elemental"), func() {
 
 			err = e.CopyCloudConfig(cloudInit)
 			Expect(err).To(BeNil())
-			copiedFile, err := fs.ReadFile(fmt.Sprintf("%s/90_custom.yaml", cnst.OEMDir))
+			configFilePath := fmt.Sprintf("%s/90_custom.yaml", cnst.OEMDir)
+			copiedFile, err := fs.ReadFile(configFilePath)
 			Expect(err).To(BeNil())
 			Expect(copiedFile).To(ContainSubstring(testString))
+			stat, err := fs.Stat(configFilePath)
+			Expect(err).To(BeNil())
+			Expect(int(stat.Mode().Perm())).To(Equal(cnst.ConfigPerm))
+
 		})
 		It("Doesnt do anything if the config file is not set", func() {
 			err := e.CopyCloudConfig([]string{})