Blame SOURCES/bz2144531-fence_virtd-warn-files-not-mode-600.patch

e4b78c
From 3b311a1b069cec59f3d47242282f5d9c67a82e06 Mon Sep 17 00:00:00 2001
e4b78c
From: Oyvind Albrigtsen <oalbrigt@redhat.com>
e4b78c
Date: Mon, 21 Nov 2022 12:33:22 +0100
e4b78c
Subject: [PATCH] fence_virtd: make fence_virtd.conf file mode 600 and fail if
e4b78c
 fence_virtd.conf or key file are not mode 600
e4b78c
e4b78c
---
e4b78c
 agents/virt/config/Makefile.am     |  3 +++
e4b78c
 agents/virt/include/simpleconfig.h |  2 ++
e4b78c
 agents/virt/server/config.c        | 26 ++++++++++++++++++++++++++
e4b78c
 agents/virt/server/main.c          | 16 ++++++++++++++++
e4b78c
 4 files changed, 47 insertions(+)
e4b78c
e4b78c
diff --git a/agents/virt/config/Makefile.am b/agents/virt/config/Makefile.am
e4b78c
index 86d8df415..19d974278 100644
e4b78c
--- a/agents/virt/config/Makefile.am
e4b78c
+++ b/agents/virt/config/Makefile.am
e4b78c
@@ -37,5 +37,8 @@ y.tab.c: config.y
e4b78c
 config.c: y.tab.c config.l
e4b78c
 	$(LEX) -oconfig.c $(srcdir)/config.l
e4b78c
 
e4b78c
+install-exec-hook:
e4b78c
+	chmod 600 $(DESTDIR)$(sysconfdir)/fence_virt.conf
e4b78c
+
e4b78c
 clean-local:
e4b78c
 	rm -f config.tab.c config.tab.h config.c y.tab.c y.tab.h
e4b78c
diff --git a/agents/virt/include/simpleconfig.h b/agents/virt/include/simpleconfig.h
e4b78c
index 83d54377a..6aba85f02 100644
e4b78c
--- a/agents/virt/include/simpleconfig.h
e4b78c
+++ b/agents/virt/include/simpleconfig.h
e4b78c
@@ -49,6 +49,8 @@ config_object_t *sc_init(void);
e4b78c
 /* Frees a previously-allocated copy of our simple config object */
e4b78c
 void sc_release(config_object_t *c);
e4b78c
 
e4b78c
+int check_file_permissions(const char *fname);
e4b78c
+
e4b78c
 int do_configure(config_object_t *config, const char *filename);
e4b78c
 
e4b78c
 #endif
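Review bot: The new prototype `check_file_permissions` carries no comment, unlike the neighbouring `sc_release`, and its return convention cannot be guessed from the name. Going by the definition added in config.c, a line such as `/* Returns 0 if fname is mode 0600; 1 if stat() fails or the mode differs (a message is printed) */` above it would tell callers that non-zero means the check did not pass.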
e4b78c
diff -uNr a/agents/virt/server/config.c b/agents/virt/server/config.c
e4b78c
--- a/agents/virt/server/config.c	2021-07-08 13:09:05.000000000 +0200
e4b78c
+++ b/agents/virt/server/config.c	2022-11-22 10:59:09.547919852 +0100
e4b78c
@@ -11,6 +11,7 @@
e4b78c
 #include <fcntl.h>
e4b78c
 #include <net/if.h>
e4b78c
 #include <arpa/inet.h>
e4b78c
+#include <errno.h>
e4b78c
 
e4b78c
 #include "simpleconfig.h"
e4b78c
 #include "static_map.h"
e4b78c
@@ -595,6 +596,31 @@ listener_configure(config_object_t *config)
e4b78c
 }
e4b78c
 
e4b78c
 
e4b78c
+int
e4b78c
+check_file_permissions(const char *fname)
e4b78c
+{
e4b78c
+	struct stat st;
e4b78c
+	mode_t file_perms = 0600;
e4b78c
+	int ret;
e4b78c
+
e4b78c
+	ret = stat(fname, &st);
e4b78c
+	if (ret != 0) {
e4b78c
+		printf("stat failed on file '%s': %s\n",
e4b78c
+			 fname, strerror(errno));
e4b78c
+		return 1;
e4b78c
+	}
e4b78c
+
e4b78c
+	if ((st.st_mode & 0777) != file_perms) {
e4b78c
+		printf("WARNING: invalid permissions on file "
e4b78c
+			 "'%s': has 0%o should be 0%o\n", fname,
e4b78c
+			 (unsigned int)(st.st_mode & 0777),
e4b78c
+			 (unsigned int)file_perms);
e4b78c
+		return 1;
e4b78c
+	}
e4b78c
+
e4b78c
+	return 0;
e4b78c
+}
e4b78c
+
e4b78c
 int
e4b78c
 do_configure(config_object_t *config, const char *config_file)
e4b78c
 {
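Review bot: The comparison `(st.st_mode & 0777) != file_perms` demands exactly 0600, so a stricter key file such as 0400 is reported as invalid, while a 0600 file owned by a different user, or a path that is not a regular file, passes. Testing only the bits that expose the secret, `if ((st.st_mode & 077) != 0) {`, plus an owner test on `st.st_uid` and `S_ISREG(st.st_mode)`, would match the stated intent more closely; which uid to expect depends on how fence_virtd is run, which this hunk does not show. Both messages go to stdout through `printf`; for a daemon, stderr or syslog is the more usual destination for a permissions warning, so that it reaches the logs an operator reads. Because the check is a `stat()` by path, it describes the file at check time only, and it would be worth a comment saying that it is advisory rather than a guarantee about the file that is opened later.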
e4b78c
diff -uNr a/agents/virt/server/main.c b/agents/virt/server/main.c
e4b78c
--- a/agents/virt/server/main.c	2021-07-08 13:09:05.000000000 +0200
e4b78c
+++ b/agents/virt/server/main.c	2022-11-22 10:58:05.894530187 +0100
e4b78c
@@ -14,7 +14,9 @@
e4b78c
 /* Local includes */
e4b78c
 #include "simpleconfig.h"
e4b78c
 #include "static_map.h"
e4b78c
+#include "xvm.h"
e4b78c
 #include "server_plugin.h"
e4b78c
+#include "simple_auth.h"
e4b78c
 #include "debug.h"
e4b78c
 
e4b78c
 /* configure.c */
e4b78c
@@ -203,6 +205,18 @@
e4b78c
 		snprintf(pid_file, PATH_MAX, "/var/run/%s.pid", basename(argv[0]));
e4b78c
 	}
e4b78c
 
e4b78c
+	check_file_permissions(config_file);
e4b78c
+
e4b78c
+	sprintf(val, "listeners/%s/@key_file", listener_name);
e4b78c
+	if (sc_get(config, val,
e4b78c
+		   val, sizeof(val)-1) == 0) {
e4b78c
+		dbg_printf(1, "Got %s for key_file\n", val);
e4b78c
+	} else {
e4b78c
+		snprintf(val, sizeof(val), "%s", DEFAULT_KEY_FILE);
e4b78c
+	}
e4b78c
+
e4b78c
+	check_file_permissions(val);
e4b78c
+
e4b78c
 	openlog(basename(argv[0]), LOG_NDELAY | LOG_PID, LOG_DAEMON);
e4b78c
 
e4b78c
 	daemon_init(basename(argv[0]), pid_file, foreground);
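Review bot: Both `check_file_permissions(config_file);` and `check_file_permissions(val);` discard the result, so a world-readable config or key file only produces a message and startup continues to `daemon_init`, although the commit subject says the daemon should fail. If warning-only is intended, a comment saying so would prevent a later reader from assuming enforcement; otherwise test the result, e.g. `if (check_file_permissions(val) != 0)` followed by the error exit this function already uses (the enclosing function starts and ends outside the hunk). Separately, `sprintf(val, "listeners/%s/@key_file", listener_name);` is unbounded while the fallback two lines later uses `snprintf(val, sizeof(val), ...)`; the same bounded form should be used here, since the size of `val` and the origin of `listener_name` are not visible in this hunk. The `sc_get` call passes `val` as both the key and the output buffer, which is only safe if `sc_get` finishes reading the key before writing the result; a separate buffer for the key path would remove that dependency.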