AdGuardHome/internal/permcheck/security_unix.go

124 lines
3.0 KiB
Go
Raw Permalink Normal View History

Pull request 2312: 7400 Windows permcheck Updates #7400. Squashed commit of the following: commit f50d7c200de545dc6c8ef70b39208f522033fb90 Merge: 47040a14c 37b16bcf7 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Tue Dec 3 18:09:23 2024 +0300 Merge branch 'master' into 7400-chown-permcheck commit 47040a14cd50bf50429f44eba0acdcf736412b61 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Tue Dec 3 14:26:43 2024 +0300 permcheck: fix nil entries commit e1d21c576d75a903b88db3b7beb82348cdcf60c9 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Mon Dec 2 15:37:58 2024 +0300 permcheck: fix nil owner commit b1fc67c4d189293d0aee90c1905f7f387840643b Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Fri Nov 29 18:07:15 2024 +0300 permcheck: imp doc commit 0b6a71326e249f0923e389aa1f6f164b02802a24 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Fri Nov 29 17:16:24 2024 +0300 permcheck: imp code commit 7dfbeda179d0ddb81db54fa4e0dcff189b400215 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Fri Nov 29 14:28:17 2024 +0300 permcheck: imp code commit 3a5b6aced948a2d09fdae823fc986266c9984b3d Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Thu Nov 28 19:21:03 2024 +0300 all: imp code, docs commit c076c9366934303fa8c5909bd13770e367dca72e Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Thu Nov 28 15:14:06 2024 +0300 permcheck: imp code, docs commit 09e4ae1ba12e195454f1db11fa2f5c9e8e170f06 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Wed Nov 27 19:19:11 2024 +0300 all: implement windows permcheck commit b75ed7d4d30e289b8a99e68e6a5e94ab74cf49cb Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Mon Nov 25 18:01:47 2024 +0300 all: revert permissions
2024-12-03 15:26:00 +00:00
//go:build unix
package permcheck
import (
"context"
"fmt"
"io/fs"
"log/slog"
"os"
"path/filepath"
"github.com/AdguardTeam/golibs/container"
"github.com/AdguardTeam/golibs/errors"
"github.com/AdguardTeam/golibs/logutil/slogutil"
)
// entity is a filesystem entity with a path and a flag indicating whether it is
// a directory.
type entity = container.KeyValue[string, bool]
// entities returns a list of filesystem entities that need to be ranged over.
//
// TODO(a.garipov): Put all paths in one place and remove this duplication.
func entities(workDir, dataDir, statsDir, querylogDir, confFilePath string) (ents []entity) {
ents = []entity{{
Key: workDir,
Value: true,
}, {
Key: confFilePath,
Value: false,
}, {
Key: dataDir,
Value: true,
}, {
Key: filepath.Join(dataDir, "filters"),
Value: true,
}, {
Key: filepath.Join(dataDir, "sessions.db"),
Value: false,
}, {
Key: filepath.Join(dataDir, "leases.json"),
Value: false,
}}
if dataDir != querylogDir {
ents = append(ents, entity{
Key: querylogDir,
Value: true,
})
}
ents = append(ents, entity{
Key: filepath.Join(querylogDir, "querylog.json"),
Value: false,
}, entity{
Key: filepath.Join(querylogDir, "querylog.json.1"),
Value: false,
})
if dataDir != statsDir {
ents = append(ents, entity{
Key: statsDir,
Value: true,
})
}
ents = append(ents, entity{
Key: filepath.Join(statsDir, "stats.db"),
})
return ents
}
// checkPath checks the permissions of a single filesystem entity. The results
// are logged at the appropriate level.
func checkPath(ctx context.Context, l *slog.Logger, entPath string, want fs.FileMode) {
l = l.With("path", entPath)
s, err := os.Stat(entPath)
if err != nil {
lvl := slog.LevelError
if errors.Is(err, os.ErrNotExist) {
lvl = slog.LevelDebug
}
l.Log(ctx, lvl, "checking permissions", slogutil.KeyError, err)
return
}
// TODO(a.garipov): Add a more fine-grained check and result reporting.
perm := s.Mode().Perm()
if perm == want {
return
}
permOct, wantOct := fmt.Sprintf("%#o", perm), fmt.Sprintf("%#o", want)
l.WarnContext(ctx, "found unexpected permissions", "perm", permOct, "want", wantOct)
}
// chmodPath changes the permissions of a single filesystem entity. The results
// are logged at the appropriate level.
func chmodPath(ctx context.Context, l *slog.Logger, entPath string, fm fs.FileMode) {
var lvl slog.Level
var msg string
args := []any{"path", entPath}
switch err := os.Chmod(entPath, fm); {
case err == nil:
lvl = slog.LevelInfo
msg = "changed permissions"
case errors.Is(err, os.ErrNotExist):
lvl = slog.LevelDebug
msg = "checking permissions"
args = append(args, slogutil.KeyError, err)
default:
lvl = slog.LevelError
msg = "cannot change permissions; this can leave your system vulnerable, see " +
"https://adguard-dns.io/kb/adguard-home/running-securely/#os-service-concerns"
args = append(args, "target_perm", fmt.Sprintf("%#o", fm), slogutil.KeyError, err)
}
l.Log(ctx, lvl, msg, args...)
}