projectcalico / bird

Calico's fork of the BIRD protocol stack

socket file /var/run/calico/bird.ctl permission "0660" is too large #112

Closed ShaoLingXie closed 2 months ago

ShaoLingXie commented 10 months ago

Socket file /var/run/calico/bird.ctl permission "0660" is too large.

Expected Behavior

It is recommended that the permissions on the socket file /var/run/calico/bird.ctl be restricted to "0600" or "0640".

Current Behavior

The /var/run/calico/bird.ctl file currently has permissions set to 0660, which allows group members to modify it. This creates a potential security vulnerability, as it may be susceptible to tampering by users in the same group.

It is recommended to restrict the permissions on the /var/run/calico/bird.ctl file to 0600 or 0640. This will enhance the security of the file by limiting write access to the owner and group members.

Thanks a lot.

Possible Solution

Change the permissions to "0600" or "0640".

Steps to Reproduce (for bugs)

  1. Run bird; it will create the socket file.

Context

[screenshot attached in the original issue]

Your Environment
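To make the report concrete, the following C program (an added example written for this page, not code from BIRD, Calico, or the fix referenced later in the thread) creates a Unix-domain listening socket the way a control socket like bird.ctl is created, shows how the mode it lands with is governed by umask at bind() time, and runs a policy check over the resulting bits. The caveat that matters here: on Linux, connect() to a Unix stream socket requires write permission on the socket file, so with 0660 every member of the socket's group can open a control session, while 0640 and 0600 both reserve that to the owner (0640 only additionally lets the group stat the node, which grants no access). The function names, the /tmp path pattern, and the `ctl_mode_is_safe` policy are assumptions of this example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Permission bits of a path (st_mode & 07777), or -1 if it cannot be stat'ed. */
static int path_mode(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (int)(st.st_mode & 07777);
}

/* Hypothetical policy check (not BIRD's): a control socket is acceptable
 * only if nobody besides the owner can write to it, because on Linux
 * write permission is what connect() needs. 0600 and 0640 pass; 0660 fails. */
static int ctl_mode_is_safe(int mode) {
    if (mode < 0)
        return 0;
    return (mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Create a listening Unix-domain socket at `path` with exactly `mode`.
 * bind() creates the node with 0777 & ~umask, so the umask is tightened
 * first: the file never exists with a wider mode than `mode`, not even
 * for an instant. chmod() then pins the exact bits. Returns the fd or -1. */
static int create_ctl_socket(const char *path, mode_t mode) {
    struct sockaddr_un sa;
    if (strlen(path) >= sizeof(sa.sun_path)) {
        errno = ENAMETOOLONG;
        return -1;
    }
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;

    memset(&sa, 0, sizeof(sa));
    sa.sun_family = AF_UNIX;
    strcpy(sa.sun_path, path);
    unlink(path); /* remove a stale node left by a previous run */

    mode_t old = umask(~mode & 0777);
    int rc = bind(fd, (struct sockaddr *)&sa, sizeof(sa));
    umask(old);
    if (rc != 0 || chmod(path, mode) != 0 || listen(fd, 4) != 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    return fd;
}

/* Bind a throwaway socket under /tmp with `mode`, report the mode actually
 * observed on disk, and clean up. Returns -1 if the socket could not be made. */
static int observed_mode_for(mode_t mode) {
    char path[64];
    snprintf(path, sizeof(path), "/tmp/bird-ctl-demo-%ld-%o.ctl",
             (long)getpid(), (unsigned)mode);
    int fd = create_ctl_socket(path, mode);
    if (fd < 0)
        return -1;
    int seen = path_mode(path);
    close(fd);
    unlink(path);
    return seen;
}

int main(void) {
    int loose = observed_mode_for(0660);
    int tight = observed_mode_for(0600);
    printf("requested 0660 -> observed %04o, safe=%d\n", (unsigned)loose, ctl_mode_is_safe(loose));
    printf("requested 0600 -> observed %04o, safe=%d\n", (unsigned)tight, ctl_mode_is_safe(tight));
    return 0;
}
```

The same check can be run against a live daemon with `stat -c '%a %U:%G' /var/run/calico/bird.ctl`: anything with a group-write or other-write bit fails `ctl_mode_is_safe`. Tightening the umask before bind() rather than only calling chmod() afterwards is the detail worth carrying into a fix, since a chmod-only approach leaves a window in which the socket is connectable by the group.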

MichalFupso commented 10 months ago

@Behnam-Shobiri can you please take a look

anthonytwh commented 10 months ago

@MichalFupso can you test whether 0600 affects the operation of calico and make the change if there are no issues?

Behnam-Shobiri commented 10 months ago

@ShaoLingXie Thanks for creating the issue. @MichalFupso I'm happy to restrict the binaries more, but I think it requires some testing from the Dev team as well as checking with @matthewdupre if we have some features that stop us from doing this. We can try 600 first and if we cannot move to 600, we can test 640 (I don't think group members need to be able to modify the binary).

caseydavenport commented 2 months ago

Fixed here: https://github.com/projectcalico/bird/pull/114

@MichalFupso could you also submit a PR to update the version of BIRD pulled in to the calico repo to make sure this gets picked up?