backport of commit 0e8bcc1 (#15783)
Co-authored-by: akshya96 <87045294+akshya96@users.noreply.github.com>
1 parent d7a02bb commit 20187f8
Showing 3 changed files with 56 additions and 1 deletion.
14 changes: 13 additions & 1 deletion builtin/audit/file/backend.go
Expand Up @@ -78,9 +78,21 @@ func Factory(ctx context.Context, conf *audit.BackendConfig) (audit.Backend, err
if err != nil {
return nil, err
}
if m != 0 {
switch m {
case 0:
// if mode is 0000, then do not modify file mode
if path != "stdout" && path != "discard" {
fileInfo, err := os.Stat(path)
if err != nil {
return nil, err
}
mode = fileInfo.Mode()
}
default:
mode = os.FileMode(m)

}

}

b := &Backend{
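Review bot: In the new `case 0` branch an audit file that does not exist yet makes `os.Stat(path)` fail and `Factory` returns that error, so a device configured with mode 0000 can only be enabled against a pre-existing file; if the intent is "leave permissions untouched", a missing file probably wants to fall back to the default mode via `errors.Is(err, fs.ErrNotExist)` rather than being propagated, and either way the bare `return nil, err` would read better as `return nil, fmt.Errorf("reading mode of audit log %q: %w", path, err)` (assuming `fmt` is already imported above this hunk). `fileInfo.Mode()` also carries type and setuid/setgid/sticky bits, not only permission bits; if `mode` is later handed to `os.Chmod` or `os.OpenFile` outside this hunk, `fileInfo.Mode().Perm()` is the safer value to keep unless preserving those bits is deliberate, in which case the comment should say so. The stray blank lines after `mode = os.FileMode(m)` and before the outer `}` should be dropped. `Factory` starts and ends outside the hunk.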
40 changes: 40 additions & 0 deletions builtin/audit/file/backend_test.go
Expand Up @@ -93,6 +93,46 @@ func TestAuditFile_fileModeExisting(t *testing.T) {
}
}

func TestAuditFile_fileMode0000(t *testing.T) {
f, err := ioutil.TempFile("", "test")
if err != nil {
t.Fatalf("Failure to create test file. The error is %v", err)
}
defer os.Remove(f.Name())

err = os.Chmod(f.Name(), 0o777)
if err != nil {
t.Fatalf("Failure to chmod temp file for testing. The error is %v", err)
}

err = f.Close()
if err != nil {
t.Fatalf("Failure to close temp file for test. The error is %v", err)
}

config := map[string]string{
"path": f.Name(),
"mode": "0000",
}

_, err = Factory(context.Background(), &audit.BackendConfig{
Config: config,
SaltConfig: &salt.Config{},
SaltView: &logical.InmemStorage{},
})
if err != nil {
t.Fatal(err)
}

info, err := os.Stat(f.Name())
if err != nil {
t.Fatalf("cannot retrieve file mode from `Stat`. The error is %v", err)
}
if info.Mode() != os.FileMode(0o777) {
t.Fatalf("File mode does not match.")
}
}

func BenchmarkAuditFile_request(b *testing.B) {
config := map[string]string{
"path": "/dev/null",
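Review bot: The new `TestAuditFile_fileMode0000` still uses `ioutil.TempFile`, which has been deprecated since Go 1.16; `os.CreateTemp("", "test")` is a drop-in replacement, and `filepath.Join(t.TempDir(), "test")` would additionally remove the need for `defer os.Remove(f.Name())`. The round-trip assertion `if info.Mode() != os.FileMode(0o777)` is Unix-specific (Windows only preserves the write bit through `Chmod`), so a `runtime.GOOS` skip or a one-line comment is warranted if this package is tested there. The error handling is also inconsistent within the function: `t.Fatal(err)` after `Factory` versus `t.Fatalf("... %v", err)` everywhere else. The test only checks that the on-disk mode is unchanged; it does not observe what `mode` the backend actually stored, which is the value the fix computes.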
3 changes: 3 additions & 0 deletions changelog/15759.txt
@@ -0,0 +1,3 @@
```release-note:bug
core: Prevent changing file permissions of audit logs when mode 0000 is used.
```
