From 2468fb59395e04f5f06ab14e64834a4c1ae46984 Mon Sep 17 00:00:00 2001 From: Stan Lagun Date: Wed, 22 Nov 2017 02:00:41 -0800 Subject: [PATCH] Tighten access to runtime agent folders Murano Agent uses default folder permissions for the execution plans and scripts. If the default is too permissive (which is unusual), other users on that machine can trick the agent to execute malicious execution plans by putting files into queue folder and use it to get the root privileges. In most common sense users won't have write permissions to murano-agent folders. However, they can hijack execution plans and other data that might contain sensitive information. This commit sets 0700 mode to the agent runtime folders so that they can be accessed only by the user that runs the agent (+ the root, if it's someone else). Change-Id: I27f0495a509c4d1435d630e2bc5bfdf3549486d5 --- muranoagent/execution_plan_queue.py | 7 ++++++- muranoagent/files_manager.py | 2 +- muranoagent/tests/unit/test_app.py | 3 ++- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/muranoagent/execution_plan_queue.py b/muranoagent/execution_plan_queue.py index 058c655f..9a019155 100644 --- a/muranoagent/execution_plan_queue.py +++ b/muranoagent/execution_plan_queue.py @@ -32,7 +32,12 @@ class ExecutionPlanQueue(object): def __init__(self): self._plans_folder = os.path.join(CONF.storage, 'plans') if not os.path.exists(self._plans_folder): - os.makedirs(self._plans_folder) + os.makedirs(self._plans_folder, 0o700) + else: + try: + os.chmod(self._plans_folder, 0o700) + except OSError: + pass def put_execution_plan(self, execution_plan): timestamp = str(int(time.time() * 10000)) diff --git a/muranoagent/files_manager.py b/muranoagent/files_manager.py index 234eef8e..84d935fc 100644 --- a/muranoagent/files_manager.py +++ b/muranoagent/files_manager.py @@ -40,7 +40,7 @@ class FilesManager(object): CONF.storage, 'files', execution_plan.ID) if os.path.exists(self._cache_folder): self.clear() - os.makedirs(self._cache_folder) + os.makedirs(self._cache_folder, 0o700) def put_file(self, file_id, script): if type(file_id) is dict: diff --git a/muranoagent/tests/unit/test_app.py b/muranoagent/tests/unit/test_app.py index d8707281..6d4260ce 100644 --- a/muranoagent/tests/unit/test_app.py +++ b/muranoagent/tests/unit/test_app.py @@ -31,8 +31,9 @@ CONF = cfg.CONF class TestApp(base.MuranoAgentTestCase, fixtures.FunctionFixture): + @mock.patch('os.chmod') @mock.patch('os.path.exists') - def setUp(self, mock_path): + def setUp(self, mock_path, mock_chmod): super(TestApp, self).setUp() mock_path.return_value = True self.agent = app.MuranoAgent()