From a4f25ca17b3b9046d77f5e5ef9b6b9043116a875 Mon Sep 17 00:00:00 2001 From: Hunter Trujillo Date: Wed, 9 Jun 2021 16:07:13 -0600 Subject: [PATCH 1/3] Ensure user permissions on libp2p keypair and forest keystore. --- Cargo.lock | 2 ++ forest/src/daemon.rs | 13 ++++++++++--- key_management/Cargo.toml | 1 + key_management/src/keystore.rs | 5 +++++ node/utils/Cargo.toml | 1 + node/utils/src/lib.rs | 13 +++++++++++++ 6 files changed, 32 insertions(+), 3 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 17ee89953137..0cd996a13ff5 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -3484,6 +3484,7 @@ dependencies = [ "serde_json", "sodiumoxide", "thiserror", + "utils", ] [[package]] @@ -6836,6 +6837,7 @@ name = "utils" version = "0.1.0" dependencies = [ "dirs", + "libc 0.2.91", "serde", "serde_derive", "toml", diff --git a/forest/src/daemon.rs b/forest/src/daemon.rs index b2627718f270..325d75d33657 100644 --- a/forest/src/daemon.rs +++ b/forest/src/daemon.rs @@ -51,13 +51,20 @@ pub(super) async fn start(config: Config) { let gen_keypair = ed25519::Keypair::generate(); // Save Ed25519 keypair to file // TODO rename old file to keypair.old(?) - if let Err(e) = write_to_file( + match write_to_file( &gen_keypair.encode(), &format!("{}{}", &config.data_dir, "/libp2p/"), "keypair", ) { - info!("Could not write keystore to disk!"); - trace!("Error {:?}", e); + Ok(_) => { + // Restrict permissions on files containing private keys + #[cfg(linux)] + utils::set_user_perm(file)?; + } + Err(e) => { + info!("Could not write keystore to disk!"); + trace!("Error {:?}", e); + } }; Keypair::Ed25519(gen_keypair) }); diff --git a/key_management/Cargo.toml b/key_management/Cargo.toml index 58003a8b830b..dbf87f91cebd 100644 --- a/key_management/Cargo.toml +++ b/key_management/Cargo.toml @@ -21,6 +21,7 @@ serde_json = "1.0.57" serde_cbor = "0.11.1" log = "0.4.8" sodiumoxide = "0.2.6" +utils = { path = "../node/utils" } [features] json = ["base64", "crypto/json"] 
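Review bot: The keypair reaches disk before its permissions are restricted. In the `forest/src/daemon.rs` hunk, `write_to_file` creates and fills `keypair` with whatever mode the process umask allows, and `set_user_perm` runs only afterwards in the `Ok` arm, so the private key briefly sits under the default mode. The same ordering applies to the `write_to_file` hunk of `node/utils/src/lib.rs` in patch 2/3. On unix the file can be opened already restricted, e.g. `OpenOptions::new().write(true).create(true).truncate(true).mode(0o600).open(&join)?` with `std::os::unix::fs::OpenOptionsExt`. The explicit chmod should stay for a file that already existed, since the mode given at open applies only on creation. The body of `start` continues outside the hunk.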
diff --git a/key_management/src/keystore.rs b/key_management/src/keystore.rs index e81828bee899..d233a728148d 100644 --- a/key_management/src/keystore.rs +++ b/key_management/src/keystore.rs @@ -326,6 +326,11 @@ impl KeyStore { .ok_or_else(|| Error::Other("Invalid Path".to_string()))?; fs::create_dir_all(dir)?; let file = File::create(&persistent_keystore.file_path)?; + + // Restrict permissions on files containing private keys + #[cfg(linux)] + utils::set_user_perm(file)?; + let mut writer = BufWriter::new(file); match &self.encryption { diff --git a/node/utils/Cargo.toml b/node/utils/Cargo.toml index ef09f312cfa8..1b8976baf4b9 100644 --- a/node/utils/Cargo.toml +++ b/node/utils/Cargo.toml @@ -7,6 +7,7 @@ edition = "2018" [dependencies] dirs = "3.0" toml = "0.5.5" +libc = "0.2" serde = "1.0" [dev-dependencies] diff --git a/node/utils/src/lib.rs b/node/utils/src/lib.rs index 52566a6e4558..fb9ce1d28e79 100644 --- a/node/utils/src/lib.rs +++ b/node/utils/src/lib.rs @@ -6,6 +6,19 @@ use std::fs::{create_dir_all, File}; use std::io::{prelude::*, Result}; use std::path::Path; +/// Restricts permissions on a file to user-only: 0600 +#[cfg(linux)] +pub fn set_user_perm(file: File) -> Result<()> { + use std::os::linux::fs::PermissionsExt; + + let mut perm = file.metadata()?.permissions(); + perm.set_mode((libc::S_IWUSR | libc::S_IRUSR) as u32); + file.set_permissions(perm)?; + println!("Permissions on {} set to 600", file); + // log::info!("Permissions on {} set to 600", file); + Ok(()) +} + /// Writes a string to a specified file. Creates the desired path if it does not exist. /// Note: `path` and `filename` are appended to produce the resulting file path. pub fn write_to_file(message: &[u8], path: &str, file_name: &str) -> Result<()> { From 13a2847c07f2178d5a12bb6351b2506a727b9568 Mon Sep 17 00:00:00 2001 
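Review bot: The added comment in the `key_management/src/keystore.rs` hunk does not say what happens on targets excluded by the `cfg` gate, where the keystore file silently keeps the platform's default permissions. A second comment line such as `// Unix only: on other targets the keystore keeps the platform's default permissions.` would make that gap visible to whoever ports or audits this. The call is placed before any key bytes are written, which is the right order. The enclosing `impl KeyStore` method starts and ends outside the hunk.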
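Review bot: In the `node/utils/src/lib.rs` hunk, `set_user_perm` pulls in `libc` only to spell the mode: `(libc::S_IWUSR | libc::S_IRUSR) as u32` is the octal literal `0o600` that the doc comment already names. Writing `perm.set_mode(0o600);` removes the cast and the new `libc` entry in `node/utils/Cargo.toml`, and makes the granted bits readable at a glance. The doc comment could also gain an `# Errors` section stating that failures from `metadata()` and `set_permissions()` are returned to the caller.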
From: Hunter Trujillo Date: Wed, 9 Jun 2021 16:32:30 -0600 Subject: [PATCH 2/3] Bug fixes. --- forest/src/daemon.rs | 6 +++--- key_management/src/keystore.rs | 4 ++-- node/utils/src/lib.rs | 12 ++++++------ 3 files changed, 11 insertions(+), 11 deletions(-) diff --git a/forest/src/daemon.rs b/forest/src/daemon.rs index 325d75d33657..a9b2bf4dbad0 100644 --- a/forest/src/daemon.rs +++ b/forest/src/daemon.rs @@ -56,10 +56,10 @@ pub(super) async fn start(config: Config) { &format!("{}{}", &config.data_dir, "/libp2p/"), "keypair", ) { - Ok(_) => { + Ok(file) => { // Restrict permissions on files containing private keys - #[cfg(linux)] - utils::set_user_perm(file)?; + #[cfg(unix)] + utils::set_user_perm(&file).expect("Set user perms on unix systems"); } Err(e) => { info!("Could not write keystore to disk!"); diff --git a/key_management/src/keystore.rs b/key_management/src/keystore.rs index d233a728148d..f7f4a50117a2 100644 --- a/key_management/src/keystore.rs +++ b/key_management/src/keystore.rs @@ -328,8 +328,8 @@ impl KeyStore { let file = File::create(&persistent_keystore.file_path)?; // Restrict permissions on files containing private keys - #[cfg(linux)] - utils::set_user_perm(file)?; + #[cfg(unix)] + utils::set_user_perm(&file)?; let mut writer = BufWriter::new(file); diff --git a/node/utils/src/lib.rs b/node/utils/src/lib.rs index fb9ce1d28e79..085bb051a740 100644 --- a/node/utils/src/lib.rs +++ b/node/utils/src/lib.rs 
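Review bot: In the `forest/src/daemon.rs` hunk, `utils::set_user_perm(&file).expect("Set user perms on unix systems")` turns a failed chmod into a panic during daemon start, while the sibling `Err(e)` arm for a failed write only logs. By that point the keypair has already been written, so the panic does not stop the key from remaining on disk with the wider mode. Handling the failure explicitly would be more consistent, e.g. `if let Err(e) = utils::set_user_perm(&file) { warn!("Could not restrict permissions on libp2p keypair: {:?}", e); }`. Removing the file is the alternative if an unrestricted key is considered unacceptable. Whether `warn!` is in scope is not visible here, since only `info!` and `trace!` appear in the hunk.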
@@ -7,27 +7,27 @@ use std::io::{prelude::*, Result}; use std::path::Path; /// Restricts permissions on a file to user-only: 0600 -#[cfg(linux)] -pub fn set_user_perm(file: File) -> Result<()> { - use std::os::linux::fs::PermissionsExt; +#[cfg(unix)] +pub fn set_user_perm(file: &File) -> Result<()> { + use std::os::unix::fs::PermissionsExt; let mut perm = file.metadata()?.permissions(); perm.set_mode((libc::S_IWUSR | libc::S_IRUSR) as u32); file.set_permissions(perm)?; - println!("Permissions on {} set to 600", file); + println!("Permissions on {:?} set to 600", file); // log::info!("Permissions on {} set to 600", file); Ok(()) } /// Writes a string to a specified file. Creates the desired path if it does not exist. /// Note: `path` and `filename` are appended to produce the resulting file path. -pub fn write_to_file(message: &[u8], path: &str, file_name: &str) -> Result<()> { +pub fn write_to_file(message: &[u8], path: &str, file_name: &str) -> Result { // Create path if it doesn't exist create_dir_all(Path::new(path))?; let join = format!("{}{}", path, file_name); let mut file = File::create(join)?; file.write_all(message)?; - Ok(()) + Ok(file) } /// Read file as a `Vec` From e1c9630baf0c22dad7da7dc8d9a5a1d323f7787f Mon Sep 17 00:00:00 2001 From: Hunter Trujillo Date: Wed, 9 Jun 2021 17:23:34 -0600 Subject: [PATCH 3/3] Change println to info. --- Cargo.lock | 1 + node/utils/Cargo.toml | 1 + node/utils/src/lib.rs | 6 ++++-- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 0cd996a13ff5..53ec37ee66d9 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -6838,6 +6838,7 @@ version = "0.1.0" dependencies = [ "dirs", "libc 0.2.91", + "log", "serde", "serde_derive", "toml", diff --git a/node/utils/Cargo.toml b/node/utils/Cargo.toml index 1b8976baf4b9..4b1fa73353fc 100644 --- a/node/utils/Cargo.toml +++ b/node/utils/Cargo.toml 
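Review bot: The doc comment on `write_to_file` in `node/utils/src/lib.rs` is unchanged although the function now hands back the open file on success. It should say so, and state the security-relevant contract that callers now depend on. A suggested addition is `/// Returns the handle of the written file. The file is created with the process's default (umask) permissions; callers storing secrets must restrict it themselves.` Without that, a future caller writing key material through this helper has no hint that the restriction is their job.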
@@ -9,6 +9,7 @@ dirs = "3.0" toml = "0.5.5" libc = "0.2" serde = "1.0" +log = "0.4.8" [dev-dependencies] serde_derive = "1.0" diff --git a/node/utils/src/lib.rs b/node/utils/src/lib.rs index 085bb051a740..0a62f34d2d0b 100644 --- a/node/utils/src/lib.rs +++ b/node/utils/src/lib.rs @@ -9,13 +9,15 @@ use std::path::Path; /// Restricts permissions on a file to user-only: 0600 #[cfg(unix)] pub fn set_user_perm(file: &File) -> Result<()> { + use log::info; use std::os::unix::fs::PermissionsExt; let mut perm = file.metadata()?.permissions(); perm.set_mode((libc::S_IWUSR | libc::S_IRUSR) as u32); file.set_permissions(perm)?; - println!("Permissions on {:?} set to 600", file); - // log::info!("Permissions on {} set to 600", file); + + info!("Permissions set to 0600 on {:?}", file); + Ok(()) }
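Review bot: In the `node/utils/src/lib.rs` hunk, `info!("Permissions set to 0600 on {:?}", file)` formats a `File` with `Debug`, which prints the handle's internal fields rather than a path chosen by the caller. What that shows is platform-dependent, and on some unix targets it may be little more than a descriptor number. For a usable audit trail of which key file was restricted, logging at the call sites where the path is known would be clearer. Passing the path in for the message is the other option.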