Defaut config permission too relaxed in deb and rpm packages

[smortex]

After installing the Debian package, all users can read all configuration files:

$ ls -dl /etc/opensearch                    
drwxr-xr-x 9 opensearch opensearch 4096 25 juil. 15:57 /etc/opensearch/
$ ls -l /etc/opensearch/opensearch.yml 
-rw-r--r-- 1 opensearch opensearch 6503 25 juil. 15:57 /etc/opensearch/opensearch.yml
$ ls -dl /etc/opensearch/opensearch-security
drwxr-xr-x 2 opensearch opensearch 4096 25 juil. 15:57 /etc/opensearch/opensearch-security/
$ ls -l /etc/opensearch/opensearch-security 
total 76
-rw-r--r-- 1 opensearch opensearch    50 14 oct.   2022 action_groups.yml
-rw-r--r-- 1 opensearch opensearch  1973 14 oct.   2022 allowlist.yml
-rw-r--r-- 1 opensearch opensearch  2541 14 oct.   2022 audit.yml
-rw-r--r-- 1 opensearch opensearch 10063 14 oct.   2022 config.yml
-rw-r--r-- 1 opensearch opensearch  1689 14 oct.   2022 internal_users.yml
-rw-r--r-- 1 opensearch opensearch   154 14 oct.   2022 nodes_dn.yml
-rw-r--r-- 1 opensearch opensearch 12381 14 oct.   2022 opensearch.yml.example
-rw-r--r-- 1 opensearch opensearch   844 14 oct.   2022 roles_mapping.yml
-rw-r--r-- 1 opensearch opensearch 12649 14 oct.   2022 roles.yml
-rw-r--r-- 1 opensearch opensearch   170 14 oct.   2022 tenants.yml
-rw-r--r-- 1 opensearch opensearch  1973 14 oct.   2022 whitelist.yml

Some of these files contain or can contain sensitive data, for example:

• internal_users.yml contain hashed password;
• config.yml can contain clear-text credential for authentication against an LDAP directory.

Upon initial investigation, this is the result of this chmod on the whole tree of files installed by the package:

opensearch-build/scripts/pkg/build_templates/opensearch/deb/debmake_opensearch_install.sh

Line 44 in b422ae0

chmod -Rf a+rX,u+w,g-w,o-w ${buildroot}/*

It looks like the tarball of OpenSearch has different and more restrictive permissions by default

Filename	Debian package permission	Tarball permission
config (read /etc/opensearch with the Debian package)	755	755
config/opensearch.yml	644	640
config/opensearch-security	755	750
config/opensearch-security/*.yml	644	640

I am opening this issue in order to discuss this packaging issue and fix it. IMHO, the tarball default permissions are better than the Debian ones, but there is still room for improvement such as changing files ownership to root:opensearch in order to prevent a compromised service from rewriting it's configuration (and yes, currently all the files installed by the package are owned by the opensearch user so he can overwrite all the application code, but let's tackle this in another PR).

What do you think?

[smortex]

Cc @peterzhuamazon and @mnin who contributed to the awesome Debian packaging and might have an opinion on this!

[rishabh6788]

Tagging @peterzhuamazon to take a look.

[peterzhuamazon]

Hi @smortex I am currently a bit busy on another project.
But will try to do some digging soon.

I think in the rpm pkg I did something on the spec file for such permissions, but in deb pkg I assume there might have missed something in the user scripts. Thanks.

[etgraylog]

It seems ownership & permission-bits set by the DEB & RPM packages are similar, if not the same. For reference, here they are from OpenSearch 2.9.0-1 RPM package:

[root@localhost /]# cat /etc/system-release; yum list --installed | grep opensearch
CentOS Stream release 8
opensearch.x86_64                     2.9.0-1                             @opensearch-2.x
[root@localhost /]# ls -ld /etc/opensearch
drwxr-sr-x. 9 opensearch opensearch 4096 Aug  9 10:01 /etc/opensearch
[root@localhost /]# ls -l /etc/opensearch/opensearch.yml
-rw-r--r--. 1 opensearch opensearch 6503 Aug  9 10:01 /etc/opensearch/opensearch.yml
[root@localhost /]# ls -dl /etc/opensearch/opensearch-security
drwxr-xr-x. 2 opensearch opensearch 4096 Aug  9 10:00 /etc/opensearch/opensearch-security
[root@localhost /]# ls -l /etc/opensearch/opensearch-security
total 76
-rw-r--r--. 1 opensearch opensearch    50 Jul 18 17:54 action_groups.yml
-rw-r--r--. 1 opensearch opensearch  1973 Jul 18 17:54 allowlist.yml
-rw-r--r--. 1 opensearch opensearch  2541 Jul 18 17:54 audit.yml
-rw-r--r--. 1 opensearch opensearch 10063 Jul 18 17:54 config.yml
-rw-r--r--. 1 opensearch opensearch  1689 Jul 18 17:54 internal_users.yml
-rw-r--r--. 1 opensearch opensearch   154 Jul 18 17:54 nodes_dn.yml
-rw-r--r--. 1 opensearch opensearch 12381 Jul 18 17:54 opensearch.yml.example
-rw-r--r--. 1 opensearch opensearch   844 Jul 18 17:54 roles_mapping.yml
-rw-r--r--. 1 opensearch opensearch 12649 Jul 18 17:54 roles.yml
-rw-r--r--. 1 opensearch opensearch   170 Jul 18 17:54 tenants.yml
-rw-r--r--. 1 opensearch opensearch  1973 Jul 18 17:54 whitelist.yml
[root@localhost /]#

I suppose 3 new lines could be introduced to the build_templates/ opensearch.rpm.spec & postinit to set the same file permission-bits as the Tar-file does? I created PR #3858 to propose these changes.

chown 640 opensearch.opensearch ${config_dir}/opensearch.yml
chown 640 opensearch.opensearch ${config_dir}/opensearch-security
chown 640 opensearch.opensearch ${config_dir}/opensearch-security/*.yml

[mnin]

Hey @smortex,

thank you for the inquiry!

I was looking into this together with @etgraylog.

We checked the DEB and RPM results in the /etc/opensearch directories after successfully installed the packages. We don't saw any differences for the user/group ids and the permissions.

OpenSearch-build is calling the /usr/share/opensearch/plugins/opensearch-security/tools/install_demo_configuration.sh script after the installation via https://github.com/opensearch-project/opensearch-build/blob/main/scripts/pkg/build_templates/opensearch/deb/debian/postinst#L24 (or in the RPM
package https://github.com/opensearch-project/opensearch-build/blob/main/scripts/pkg/build_templates/opensearch/rpm/opensearch.rpm.spec#L96).

This https://github.com/opensearch-project/security/blob/main/tools/install_demo_configuration.sh might be the right place to adjust the file permissions for security related directories and files.

@peterzhuamazon what do you think?