Tighten access to runtime agent folders
Murano Agent uses default folder permissions for the execution plans and scripts. If the default is too permissive (which is unusual), other users on that machine can trick the agent into executing malicious execution plans by putting files into the queue folder, and use that to obtain root privileges. In the most common configurations users won't have write permission to the murano-agent folders. However, they can still hijack execution plans and other data that might contain sensitive information. This commit sets mode 0700 on the agent runtime folders so that they can be accessed only by the user that runs the agent (plus root, if that is someone else). Change-Id: I27f0495a509c4d1435d630e2bc5bfdf3549486d5
This commit is contained in:
parent
81335ac520
commit
2468fb5939
@ -32,7 +32,12 @@ class ExecutionPlanQueue(object):
|
|||
def __init__(self):
|
||||
self._plans_folder = os.path.join(CONF.storage, 'plans')
|
||||
if not os.path.exists(self._plans_folder):
|
||||
os.makedirs(self._plans_folder)
|
||||
os.makedirs(self._plans_folder, 0o700)
|
||||
else:
|
||||
try:
|
||||
os.chmod(self._plans_folder, 0o700)
|
||||
except OSError:
|
||||
pass
|
||||
|
||||
def put_execution_plan(self, execution_plan):
|
||||
timestamp = str(int(time.time() * 10000))
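Review bot: The `except OSError: pass` after `os.chmod(self._plans_folder, 0o700)` silently drops the one case this hardening is meant to catch — a pre-existing plans folder the agent cannot tighten (for example one created earlier under a different owner), which is exactly when it may still be readable or writable by other local users. The agent then starts as if the queue were protected and nothing is recorded anywhere. Rather than swallowing the error, record it, e.g. `except OSError as exc:` / `LOG.warning('Cannot set mode 0700 on %s: %s', self._plans_folder, exc)` with the module's logger (I cannot see from the hunk whether one is defined), or re-raise if an unprotected queue should be fatal for the agent. Note also that the mode is only checked once here at startup and never re-verified while the agent runs.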
@ -40,7 +40,7 @@ class FilesManager(object):
|
|||
CONF.storage, 'files', execution_plan.ID)
|
||||
if os.path.exists(self._cache_folder):
|
||||
self.clear()
|
||||
os.makedirs(self._cache_folder)
|
||||
os.makedirs(self._cache_folder, 0o700)
|
||||
|
||||
def put_file(self, file_id, script):
|
||||
if type(file_id) is dict:
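Review bot: `os.makedirs(self._cache_folder, 0o700)` only guarantees the mode on the leaf `execution_plan.ID` directory; the intermediate `files` directory created on the way receives that mode only on Python versions before 3.7 (from 3.7 on the `mode` argument no longer applies to intermediate directories), and `CONF.storage` itself is never tightened by this commit. A permissive `files` parent still lets other local users enumerate execution-plan IDs even though they cannot enter the per-plan folders. Consider creating the parent explicitly with the intended mode before the leaf, e.g. `files_dir = os.path.join(CONF.storage, 'files')` / `if not os.path.exists(files_dir): os.makedirs(files_dir, 0o700)`. The same consideration applies to the `plans` folder in ExecutionPlanQueue.__init__ when `CONF.storage` does not exist yet; the enclosing __init__ here starts before the hunk.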
@ -31,8 +31,9 @@ CONF = cfg.CONF
|
|||
|
||||
class TestApp(base.MuranoAgentTestCase, fixtures.FunctionFixture):
|
||||
|
||||
@mock.patch('os.chmod')
|
||||
@mock.patch('os.path.exists')
|
||||
def setUp(self, mock_path):
|
||||
def setUp(self, mock_path, mock_chmod):
|
||||
super(TestApp, self).setUp()
|
||||
mock_path.return_value = True
|
||||
self.agent = app.MuranoAgent()
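Review bot: `mock_chmod` is added to setUp's signature but never inspected, so the new chmod branch runs under the mock (`mock_path.return_value = True` makes `os.path.exists` report the folder as present) without any test asserting which mode was requested. Keep the mock reachable, e.g. `self.mock_chmod = mock_chmod`, and add a test that checks `self.mock_chmod.assert_called_with(mock.ANY, 0o700)` (or the exact plans path) so a regression back to default permissions is caught. The decorator order matches the argument order (exists is the inner patch, chmod the outer), which is correct. setUp continues past the end of this hunk, so a later line may already do this.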