fix(install/script): config dir permissions

sensu · Jan 27, 2023 · c39f44e · c39f44e
1 parent 6a27647
commit c39f44e
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 25 deletions.
diff --git a/pkg/scripts_test/check.go b/pkg/scripts_test/check.go
@@ -71,14 +71,22 @@ func checkConfigFilesOwnershipAndPermissions(ownerName string, ownerGroup string
 		etcPathNestedGlob := filepath.Join(etcPath, "*", "*")
 
 		for _, glob := range []string{etcPathGlob, etcPathNestedGlob} {
-			configFiles, err := filepath.Glob(glob)
+			paths, err := filepath.Glob(glob)
 			require.NoError(c.test, err)
-			for _, configFile := range configFiles {
-				PathHasPermissions(c.test, configFile, configPathPermissions)
-				PathHasOwner(c.test, configFile, ownerName, ownerGroup)
+			for _, path := range paths {
+				var permissions uint32
+				info, err := os.Stat(path)
+				require.NoError(c.test, err)
+				if info.IsDir() {
+					permissions = configPathDirPermissions
+				} else {
+					permissions = configPathFilePermissions
+				}
+				PathHasPermissions(c.test, path, permissions)
+				PathHasOwner(c.test, configPath, ownerName, ownerGroup)
 			}
 		}
-		PathHasPermissions(c.test, configPath, configPathPermissions)
+		PathHasPermissions(c.test, configPath, configPathFilePermissions)
 	}
 }
 
@@ -152,7 +160,7 @@ func checkHostmetricsConfigCreated(c check) {
 func checkHostmetricsOwnershipAndPermissions(ownerName string, ownerGroup string) func(c check) {
 	return func(c check) {
 		PathHasOwner(c.test, hostmetricsConfigPath, ownerName, ownerGroup)
-		PathHasPermissions(c.test, hostmetricsConfigPath, configPathPermissions)
+		PathHasPermissions(c.test, hostmetricsConfigPath, configPathFilePermissions)
 	}
 }
 
@@ -173,7 +181,7 @@ func checkSystemdEnvDirExists(c check) {
 }
 
 func checkSystemdEnvDirPermissions(c check) {
-	PathHasPermissions(c.test, etcPath+"/env", configPathPermissions)
+	PathHasPermissions(c.test, etcPath+"/env", configPathDirPermissions)
 }
 
 func checkTags(c check) {
@@ -214,18 +222,18 @@ func preActionMockConfig(c check) {
 	f, err := os.Create(configPath)
 	require.NoError(c.test, err)
 
-	err = f.Chmod(fs.FileMode(configPathPermissions))
+	err = f.Chmod(fs.FileMode(configPathFilePermissions))
 	require.NoError(c.test, err)
 }
 
 func preActionMockUserConfig(c check) {
-	err := os.MkdirAll(confDPath, fs.FileMode(configPathPermissions))
+	err := os.MkdirAll(confDPath, fs.FileMode(configPathDirPermissions))
 	require.NoError(c.test, err)
 
 	f, err := os.Create(userConfigPath)
 	require.NoError(c.test, err)
 
-	err = f.Chmod(fs.FileMode(configPathPermissions))
+	err = f.Chmod(fs.FileMode(configPathFilePermissions))
 	require.NoError(c.test, err)
 }
 

diff --git a/pkg/scripts_test/consts.go b/pkg/scripts_test/consts.go
@@ -1,18 +1,19 @@
 package sumologic_scripts_tests
 
 const (
-	binaryPath            string = "/usr/local/bin/otelcol-sumo"
-	libPath               string = "/var/lib/otelcol-sumo"
-	fileStoragePath       string = libPath + "/file_storage"
-	etcPath               string = "/etc/otelcol-sumo"
-	etcPathPermissions    uint32 = 0444
-	systemdPath           string = "/etc/systemd/system/otelcol-sumo.service"
-	scriptPath            string = "../../scripts/install.sh"
-	configPath            string = etcPath + "/sumologic.yaml"
-	configPathPermissions uint32 = 0440
-	confDPath             string = etcPath + "/conf.d"
-	userConfigPath        string = confDPath + "/common.yaml"
-	hostmetricsConfigPath string = confDPath + "/hostmetrics.yaml"
+	binaryPath                string = "/usr/local/bin/otelcol-sumo"
+	libPath                   string = "/var/lib/otelcol-sumo"
+	fileStoragePath           string = libPath + "/file_storage"
+	etcPath                   string = "/etc/otelcol-sumo"
+	etcPathPermissions        uint32 = 0555
+	systemdPath               string = "/etc/systemd/system/otelcol-sumo.service"
+	scriptPath                string = "../../scripts/install.sh"
+	configPath                string = etcPath + "/sumologic.yaml"
+	configPathFilePermissions uint32 = 0440
+	configPathDirPermissions  uint32 = 0550
+	confDPath                 string = etcPath + "/conf.d"
+	userConfigPath            string = confDPath + "/common.yaml"
+	hostmetricsConfigPath     string = confDPath + "/hostmetrics.yaml"
 
 	systemdDirectoryPath string = "/run/systemd/system"
 

diff --git a/scripts/install.sh b/scripts/install.sh
@@ -592,12 +592,13 @@ function setup_config() {
     fi
 
     echo 'Changing permissions for config files and storage'
-    chmod 444 "${CONFIG_DIRECTORY}"
-    chmod -R 440 "${CONFIG_DIRECTORY}"/*
+    chmod 555 "${CONFIG_DIRECTORY}"
+    chmod -R 440 "${CONFIG_DIRECTORY}"/*  # all files only readable by the owner
+    find "${CONFIG_DIRECTORY}/" -type d -mindepth 1 -exec chmod 550 {} \;  # directories also traversable
     chmod -R 750 "${HOME_DIRECTORY}"
 
     echo 'Changing permissions for user env directory'
-    chmod -R 440 "${USER_ENV_DIRECTORY}"
+    chmod 550 "${USER_ENV_DIRECTORY}"
     chmod g+s "${USER_ENV_DIRECTORY}"
 }