search

NethServer / dev

NethServer issue tracker
https://github.com/NethServer/dev/issues
63 stars 20 forks source link

Bad cluster and node state dir permissions #6917

Closed DavidePrincipi closed 1 month ago

DavidePrincipi commented 2 months ago

The directory permissions of cluster and node agent are too wide, compared to the state dir of (similar) rootfull modules. For security reasons, the state/ dirs must be not accessible by non-root users.

Steps to reproduce

Always reproducible

Expected behavior

The state/ dirs of cluster and node agents are not accessible.

Actual behavior

The state/ dirs are world-readable.

[root@rl1 ~]# ls -ld /var/lib/nethserver/*/state
drwxr-xr-x. 3 root root  56 May  2 09:23 /var/lib/nethserver/cluster/state
drwx------. 4 root root 147 May  2 09:45 /var/lib/nethserver/dnsmasq1/state
drwxr-xr-x. 3 root root 116 May  2 08:38 /var/lib/nethserver/node/state

Components

core 2.7.0

DavidePrincipi commented 1 month ago

Test case

  1. check the dirs have the correct permissions after update from core 2.7.0
  2. check the dirs have the correct permissions in a new installation of core 2.8.0-dev.3
stephdl commented 1 month ago

failure with bash +x install.sh ghcr.io/nethserver/core:2.8.0-dev.3

I try : bash +x install.sh ghcr.io/nethserver/core:2.8.0-dev.5

stephdl commented 1 month ago

bash +x install.sh ghcr.io/nethserver/core:2.8.0-dev.6 create-cluster R4-pve.rocky9-pve4.org:55820 10.5.4.0/24 Nethesis,1234

[root@R4-pve ~]# ls -ld /var/lib/nethserver/*/state
drwx------. 2 root root 42 May  7 14:58 /var/lib/nethserver/cluster/state
drwx------. 2 root root 63 May  7 14:58 /var/lib/nethserver/node/state

[root@R4-pve ~]# api-cli run update-core --data '{"core_url":"ghcr.io/nethserver/core:2.8.0-dev.6","nodes":[1]}'
Warning: using user "cluster" credentials from the environment
_acontrol_task request attempt failed (Connection closed by server.). Retrying...
_acontrol_task request recovered successfully at attempt 2
_acontrol_task request attempt failed (Connection closed by server.). Retrying...
_acontrol_task request recovered successfully at attempt 2
<7>run-scriptdir /var/lib/nethserver/cluster/update-core-pre-modules.d/
Running /var/lib/nethserver/cluster/update-core-pre-modules.d/50update_grants...
<7>run-scriptdir /var/lib/nethserver/cluster/update-core-post-modules.d/
""
[root@R4-pve ~]# ls -ld /var/lib/nethserver/*/state
drwx------. 2 root root  42 May  7 14:51 /var/lib/nethserver/cluster/state
drwx------. 3 root root 116 May  7 14:52 /var/lib/nethserver/node/state
DavidePrincipi commented 1 month ago

Sorry there is a mistake, please repeat the test :weary:

In testing 2.8.0-dev.6

stephdl commented 1 month ago

test case 1 and test case 2 verified with ghcr.io/nethserver/core:2.8.0-dev.6

DavidePrincipi commented 1 month ago

Released Core https://github.com/NethServer/ns8-core/releases/tag/2.8.0