Merge pull request #49 from SUNET/john-permissions-fix
Enforce more strict permissions for files in Cosmos
commit
443611dd3f
|
@ -17,7 +17,7 @@ if test -f /root/.ssh/authorized_keys; then
|
|||
if test `stat -t /root/.ssh/authorized_keys | cut -d\ -f5` != 0; then
|
||||
chown root.root /root/.ssh/authorized_keys
|
||||
fi
|
||||
if test `stat --printf=%a /root/.ssh/authorized_keys` != 600; then
|
||||
chmod 600 /root/.ssh/authorized_keys
|
||||
if test `stat --printf=%a /root/.ssh/authorized_keys` != 440; then
|
||||
chmod 440 /root/.ssh/authorized_keys
|
||||
fi
|
||||
fi
|
||||
|
|
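Review bot: Mode 440 on /root/.ssh/authorized_keys adds group read compared with the 600 branch printed just before it, so it is not strictly tighter; the page has lost its +/- markers, so this assumes the 440 pair is the new side. If the aim is a read-only file that only root can read, `chmod 400 /root/.ssh/authorized_keys` with a matching `!= 400` test does that without widening access. The backtick `stat` results are also unquoted inside `test`, so a failed `stat` makes `test` report an error instead of a clean comparison; `"$(stat --printf=%a /root/.ssh/authorized_keys)"` avoids that. The enclosing `if test -f` block starts outside this hunk.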
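--- a/global/post-tasks.d/014set-cosmos-permissions
+++ b/global/post-tasks.d/014set-cosmos-permissions
@@ -0,0 +1,24 @@
+#!/bin/sh
+#
+# Set Cosmos directory permissions so that
+# the files cannot be read by anyone but root,
+# since it's possible that the directory
+# can contain files that after applying the
+# overlay to / only should be read or writable
+# by root.
+
+set -e
+self=$(basename "$0")
+
+if ! test -d "$COSMOS_BASE"; then
+test -z "$COSMOS_VERBOSE" || echo "$self: COSMOS_BASE was not found. Aborting change of permissions."
+exit 0
+fi
+
+args=""
+if [ "x$COSMOS_VERBOSE" = "xy" ]; then
+args="-v"
+fi
+
+chown ${args} root:root "$COSMOS_BASE"
+chmod ${args} 750 "$COSMOS_BASE"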
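Review bot: `chmod ${args} 750 "$COSMOS_BASE"` leaves the directory readable and traversable by the root group, while the header comment says the files must not be readable by anyone but root. Either use `chmod ${args} 700 "$COSMOS_BASE"` or reword the comment to say that group access is intended. The identical script added under global/pre-tasks.d has the same mismatch.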
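--- a/global/pre-tasks.d/014set-cosmos-permissions
+++ b/global/pre-tasks.d/014set-cosmos-permissions
@@ -0,0 +1,24 @@
+#!/bin/sh
+#
+# Set Cosmos directory permissions so that
+# the files cannot be read by anyone but root,
+# since it's possible that the directory
+# can contain files that after applying the
+# overlay to / only should be read or writable
+# by root.
+
+set -e
+self=$(basename "$0")
+
+if ! test -d "$COSMOS_BASE"; then
+test -z "$COSMOS_VERBOSE" || echo "$self: COSMOS_BASE was not found. Aborting change of permissions."
+exit 0
+fi
+
+args=""
+if [ "x$COSMOS_VERBOSE" = "xy" ]; then
+args="-v"
+fi
+
+chown ${args} root:root "$COSMOS_BASE"
+chmod ${args} 750 "$COSMOS_BASE"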
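Review bot: When `$COSMOS_BASE` is unset or not a directory the script exits 0 and prints its message only if COSMOS_VERBOSE is non-empty, so a run where the hardening was skipped looks the same as one where it was applied. Sending the message to stderr unconditionally, `echo "$self: COSMOS_BASE was not found. Aborting change of permissions." >&2`, keeps the run going but leaves a trace. The copy under global/post-tasks.d behaves the same way.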
|
@ -14,10 +14,17 @@ if ! test -d "$MODEL_OVERLAY"; then
|
|||
exit 0
|
||||
fi
|
||||
|
||||
args=""
|
||||
if [ "x$COSMOS_VERBOSE" = "xy" ]; then
|
||||
args="-v"
|
||||
fi
|
||||
|
||||
if [ -d "$MODEL_OVERLAY/root" ]; then
|
||||
args=""
|
||||
if [ "x$COSMOS_VERBOSE" = "xy" ]; then
|
||||
args="-v"
|
||||
fi
|
||||
chown ${args} root:root "$MODEL_OVERLAY"/root
|
||||
chmod ${args} 0700 "$MODEL_OVERLAY"/root
|
||||
fi
|
||||
|
||||
if [ -d "$MODEL_OVERLAY/root/.ssh" ]; then
|
||||
chown ${args} -R root:root "$MODEL_OVERLAY"/root/.ssh
|
||||
chmod ${args} 0700 "$MODEL_OVERLAY"/root/.ssh
|
||||
fi
|
||||
|
|
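Review bot: In the `/root/.ssh` block ownership is fixed recursively with `chown ${args} -R`, but `chmod ${args} 0700` touches only the directory, so files inside keep whatever mode they had in the checkout. If the overlay is later copied to / with modes preserved (not visible here), a group- or world-readable key file would arrive that way; `chmod ${args} -R go-rwx "$MODEL_OVERLAY"/root/.ssh` would close that. The page has lost its +/- markers, so this assumes the `.ssh` block is on the new side. The hunk starts after the `if ! test -d "$MODEL_OVERLAY"` check, whose opening line appears only in the hunk header.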