-
Notifications
You must be signed in to change notification settings - Fork 160
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Audit fixes] FOR-16: Unnecessary Extensive Permissions for Private Keys #1151
Changes from 3 commits
a4f25ca
13a2847
e1c9630
74d904b
754761f
8a1c8b9
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -6,15 +6,30 @@ use std::fs::{create_dir_all, File}; | |
use std::io::{prelude::*, Result}; | ||
use std::path::Path; | ||
|
||
/// Restricts permissions on a file to user-only: 0600 | ||
#[cfg(unix)] | ||
pub fn set_user_perm(file: &File) -> Result<()> { | ||
use log::info; | ||
use std::os::unix::fs::PermissionsExt; | ||
|
||
let mut perm = file.metadata()?.permissions(); | ||
perm.set_mode((libc::S_IWUSR | libc::S_IRUSR) as u32); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Do you think There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think using the mask like C style #defines works fine here. Write | Read looks better than There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. It was also what was recommended in the code Sigma Prime linked to in the audit recommendations. |
||
file.set_permissions(perm)?; | ||
|
||
info!("Permissions set to 0600 on {:?}", file); | ||
|
||
Ok(()) | ||
} | ||
|
||
/// Writes a string to a specified file. Creates the desired path if it does not exist. | ||
/// Note: `path` and `filename` are appended to produce the resulting file path. | ||
pub fn write_to_file(message: &[u8], path: &str, file_name: &str) -> Result<()> { | ||
pub fn write_to_file(message: &[u8], path: &str, file_name: &str) -> Result<File> { | ||
// Create path if it doesn't exist | ||
create_dir_all(Path::new(path))?; | ||
let join = format!("{}{}", path, file_name); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. with PathBuf being passed here from [A], this can also be joined with |
||
let mut file = File::create(join)?; | ||
file.write_all(message)?; | ||
Ok(()) | ||
Ok(file) | ||
} | ||
|
||
/// Read file as a `Vec<u8>` | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
[A] probably better to use Path::join() with just "libp2p" ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good idea!