opentofu / get.opentofu.org

The website hosting the OpenTofu Installer script and installation resources
Apache License 2.0

Issue 15: update script for hardened environments #23

Closed Kazzhar closed 2 months ago

Kazzhar commented 4 months ago

Objective: This PR resolves: https://github.com/opentofu/get.opentofu.org/issues/15

When facing a hardened umask (e.g. 0027) the current installation steps aren't sufficient on a Debian family OS. The following extra steps have been mentioned in the website docs:

It seems like the gpg files for both the package and repo are being downloaded, after which the permissions and ownership are changed for both by deb_download_gpg() here in the script. Here is a reference to where this function is invoked: https://github.com/opentofu/get.opentofu.org/blob/main/src/install-opentofu.sh#L430-L437

Changes:

janosdebugs commented 4 months ago

Hey @Kazzhar are there any tests you can add for this change or how can we test that this works for hardened systems?

Kazzhar commented 4 months ago

Hi @janosdebugs, I raised this PR to confirm whether I was headed in the right direction. I can add tests, but I am not sure how to do that for hardened systems or where these tests could potentially be written. Could you give me a hint that would help me out?

janosdebugs commented 4 months ago

@Kazzhar I believe the original author of the hardened environment points at setting the umask. Other hardened components (e.g. hardened kernel) should have no effect on the process. However, this may need some more research.

Kazzhar commented 4 months ago

I have been experimenting with how we can write tests for this.

I have made a test file which checks the permissions for a hardened environment with umask 0027, as the author of the issue has mentioned.

This means that the default permissions for files would be 640 (rw-r-----). Upon running chmod a+r on any file, the permissions should technically change to 644 (rw-r--r--).

To test this out, I ran the script on a virtual machine with Debian installed as the OS. Here are screenshots of the outputs:

Testing original install script (without my changes):

[Screenshot 2024-03-14 at 4 54 41 PM]

Testing install script with my changes to the permissions of the opentofu.list file:

[Screenshot 2024-03-14 at 6 02 44 PM]

I know that this might be a very crude and "not clean" way to test things out for hardened environments, but I was hoping that maybe I can build on this idea to include it, by adding a Dockerfile to create a container and run the test? I would like your input on this @janosdebugs.
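
The permission behaviour described in the comment above (umask 0027 giving 640, `chmod a+r` giving 644), as an added example that is not part of the PR or the project's test suite: it writes constructed files in a scratch directory and flags any that lack the world-read bit. The function and file names are assumptions, and `stat -c` assumes GNU coreutils as on Debian.

```shell
#!/bin/sh
# Added example, not from the PR: reproduce the umask 0027 permission
# problem in a scratch directory. All file names are constructed.

# Print a file's octal mode (GNU coreutils stat, as shipped on Debian).
file_mode() {
    stat -c '%a' "$1"
}

# Write a file with a plain redirect under the given umask. The subshell
# keeps the umask change from leaking into the caller.
write_with_umask() {
    (
        umask "$1"
        printf '%s\n' "constructed sample content" > "$2"
    )
}

# List regular files under a directory that lack the "other" read bit.
# Prints nothing when every file is world-readable.
find_not_world_readable() {
    find "$1" -type f ! -perm -004 | sort
}

# Create stand-ins for a repo list file and a keyring under umask 0027,
# show their modes, apply chmod a+r to the flagged files, and return 0
# only if no unreadable file remains.
demo_hardened_umask() {
    dir=$(mktemp -d) || return 1
    write_with_umask 0027 "$dir/example.list"
    write_with_umask 0027 "$dir/example.gpg"
    echo "before: list=$(file_mode "$dir/example.list") gpg=$(file_mode "$dir/example.gpg")"
    find_not_world_readable "$dir" | while read -r f; do
        chmod a+r "$f"
    done
    echo "after:  list=$(file_mode "$dir/example.list") gpg=$(file_mode "$dir/example.gpg")"
    remaining=$(find_not_world_readable "$dir")
    rm -rf "$dir"
    [ -z "$remaining" ]
}

demo_hardened_umask
```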

janosdebugs commented 4 months ago

@Kazzhar were you able to modify the tests in the test folder for this?

Kazzhar commented 4 months ago

No, I haven't done that yet. For now I have simply added test_hardened.sh, which I ran manually on a VM. I wanted to show you what I was thinking of before I went ahead and changed the tests, and if you are in favour of this approach I will go ahead and try it out:

I was hoping that maybe I can build on this idea, by adding a Dockerfile to create a container and run the test? I would like your input on this @janosdebugs.

janosdebugs commented 4 months ago

@Kazzhar I'll try to take a look by Monday EoD. If you don't hear from me by then, please ping me again.

Kazzhar commented 4 months ago

> @Kazzhar I'll try to take a look by Monday EoD. If you don't hear from me by then, please ping me again.

Hi @janosdebugs, pinging you again =)

Kazzhar commented 3 months ago

What should I be doing with the tests that I tried in this comment?

janosdebugs commented 3 months ago

@Kazzhar we already have tests for the installation scripts and the tests would need to be integrated. These tests are here.

Kazzhar commented 3 months ago

Hi @janosdebugs, about modifying the installer script for other install methods, I see that this issue is still open (the documentation has not been updated with new instructions for hardened environments apart from Debian OS).

Not sure how to proceed :/

janosdebugs commented 3 months ago

@Kazzhar it's ok if the script only supports Debian for now, but the tests should be integrated into the existing framework.

Kazzhar commented 3 months ago

@janosdebugs I have integrated the tests for Debian.