From e00e5d2b501a0d2727ea84fb1ea3e597e1e37ee4 Mon Sep 17 00:00:00 2001
From: elijah
Date: Mon, 29 Jul 2013 20:38:58 -0700
Subject: security fix - don't allow leap_cli created files to be world/group readable.
---
 lib/leap_cli/commands/vagrant.rb | 9 ++++-----
 lib/leap_cli/config/macros.rb | 4 ++--
 lib/leap_cli/util.rb | 6 +++---
 3 files changed, 9 insertions(+), 10 deletions(-)
diff --git a/lib/leap_cli/commands/vagrant.rb b/lib/leap_cli/commands/vagrant.rb
index 610574d..7720648 100644
--- a/lib/leap_cli/commands/vagrant.rb
+++ b/lib/leap_cli/commands/vagrant.rb
@@ -76,8 +76,7 @@ module LeapCli; module Commands
 Util.assert_files_exist! file_path
 uid = File.new(file_path).stat.uid
 if uid == 0 || uid == Process.euid
- FileUtils.cp file_path, '/tmp/vagrant.key'
- FileUtils.chmod 0600, '/tmp/vagrant.key'
+ FileUtils.install file_path, '/tmp/vagrant.key', :mode => 0600
 file_path = '/tmp/vagrant.key'
 end
 return file_path
@@ -112,7 +111,7 @@ module LeapCli; module Commands
 def vagrant_setup
 assert_bin! 'vagrant', 'Vagrant is required for running local virtual machines. Run "sudo apt-get install vagrant".'
- version = vagrant_version
+ version = vagrant_version
 case version
 when 0..1
 unless assert_run!('vagrant gem which sahara').chars.any?
@@ -131,7 +130,7 @@ module LeapCli; module Commands
 def vagrant_version
 minor_version = `vagrant --version|cut -d' ' -f 3 | cut -d'.' -f 2`.to_i
 version = case minor_version
- when 1..9 then 2
+ when 1..9 then 2
 when 0 then 1
 else 0
 end
@@ -179,7 +178,7 @@ module LeapCli; module Commands
 lines << %[ end]
 end
 end
- end
+ end
 lines << %[end]
 lines << ""
diff --git a/lib/leap_cli/config/macros.rb b/lib/leap_cli/config/macros.rb
index b5f6a34..ef3a85e 100644
--- a/lib/leap_cli/config/macros.rb
+++ b/lib/leap_cli/config/macros.rb
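Review bot: The copy in the `@@ -76` hunk is still written to the fixed name `/tmp/vagrant.key` in a shared, world-writable directory, which the new `FileUtils.install` line does not change: whatever already sits at that predictable path (a leftover file or a symlink placed by another local account) is what the key is removed from or copied over, and `FileUtils.install` copies the content first and applies the 0600 mode afterwards, so the key is briefly present under the default umask permissions. Writing the copy into a freshly created private directory removes the shared name, e.g. `key_dir = Dir.mktmpdir('leap_vagrant')` followed by `FileUtils.install file_path, File.join(key_dir, 'vagrant.key'), :mode => 0600` (`require 'tmpdir'` if it is not already loaded); `Dir.mktmpdir` creates the directory 0700, and the returned path must then be the one assigned to `file_path`. The method that contains this hunk starts outside it, so whether the temporary copy is ever cleaned up cannot be judged here.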
@@ -97,8 +97,8 @@ module LeapCli; module Config
 # if file is under Path.provider_base, we must copy the default file to
 # to Path.provider in order for rsync to be able to sync the file.
 local_provider_path = actual_path.sub(/^#{Regexp.escape(Path.provider_base)}/, Path.provider)
- FileUtils.mkdir_p File.dirname(local_provider_path)
- FileUtils.cp_r actual_path, local_provider_path
+ FileUtils.mkdir_p File.dirname(local_provider_path), :mode => 0700
+ FileUtils.install actual_path, local_provider_path, :mode => 0600
 Util.log :created, Path.relative_path(local_provider_path)
 actual_path = local_provider_path
 end
diff --git a/lib/leap_cli/util.rb b/lib/leap_cli/util.rb
index e52c8a1..86a9a14 100644
--- a/lib/leap_cli/util.rb
+++ b/lib/leap_cli/util.rb
@@ -162,7 +162,7 @@ module LeapCli
 dir = Path.named_path(dir)
 unless File.directory?(dir)
 assert_files_missing!(dir, :msg => "Cannot create directory #{dir}")
- FileUtils.mkdir_p(dir)
+ FileUtils.mkdir_p(dir, :mode => 0700)
 unless dir =~ /\/$/
 dir = dir + '/'
 end
@@ -219,7 +219,7 @@ module LeapCli
 write_file!(filepath, content)
 end
 else
- File.open(filepath, File::RDWR|File::CREAT, 0644) do |f|
+ File.open(filepath, File::RDWR|File::CREAT, 0600) do |f|
 f.flock(File::LOCK_EX)
 old_content = f.read
 new_content = yield(old_content)
@@ -286,7 +286,7 @@ module LeapCli
 end
 end
- File.open(filepath, 'w') do |f|
+ File.open(filepath, 'w', 0600) do |f|
 f.write contents
 end
--
cgit v1.2.3
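Review bot: Replacing `FileUtils.cp_r` with `FileUtils.install` in the `@@ -97` hunk of macros.rb narrows what this line accepts: `install` copies a single regular file, so if `actual_path` can ever be a directory here the new line raises where the old one recursed — the surrounding comment speaks of "the default file", so this may well be intended, but the commit message describes only a permission change. The `:mode => 0700` on `mkdir_p` is applied only to directories that call creates; a parent of `local_provider_path` that already exists keeps whatever mode it had. If the single-file assumption is deliberate, recording it next to the call, e.g. `# actual_path is a regular file; install also forces mode 0600 on the copy`, would keep the next reader from reintroducing `cp_r`. The enclosing method starts outside the hunk.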
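Review bot: In util.rb the new mode arguments only take effect when the entry is created: in the `@@ -162` hunk the `unless File.directory?(dir)` guard skips an existing directory entirely, and in the `@@ -219` and `@@ -286` hunks the `0600` passed to `File.open` is used only when `File::CREAT` or `'w'` has to create the file, so a file this tool wrote before the fix keeps its old permissions on every later run — the `0644` removed at line 219 shows such files exist. Following each write with an explicit `File.chmod(0600, filepath)` inside the two `File.open` blocks (and `File.chmod(0700, dir)` after a directory is found to exist) would bring previously created entries in line; the creation mode is in any case still masked by the process umask, which can only tighten it. The methods containing these hunks start outside them.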