From 5f81c3005f6d3aeb652a0626c3632ff68b036577 Mon Sep 17 00:00:00 2001
From: Khachatur Ashotyan
Date: Thu, 2 Feb 2023 14:52:45 +0400
Subject: [PATCH 1/5] client-go: make generating certificate/key permissions more secure (600)
---
 staging/src/k8s.io/client-go/util/cert/cert.go | 4 ++--
 staging/src/k8s.io/client-go/util/cert/io.go | 8 ++++----
 .../client-go/util/certificate/certificate_store.go | 2 +-
 staging/src/k8s.io/client-go/util/keyutil/key.go | 4 ++--
 4 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/staging/src/k8s.io/client-go/util/cert/cert.go b/staging/src/k8s.io/client-go/util/cert/cert.go
index 7196cf8900a..92a44bfed00 100644
--- a/staging/src/k8s.io/client-go/util/cert/cert.go
+++ b/staging/src/k8s.io/client-go/util/cert/cert.go
@@ -188,10 +188,10 @@ func GenerateSelfSignedCertKeyWithFixtures(host string, alternateIPs []net.IP, a
 }
 if len(fixtureDirectory) > 0 {
- if err := os.WriteFile(certFixturePath, certBuffer.Bytes(), 0644); err != nil {
+ if err := os.WriteFile(certFixturePath, certBuffer.Bytes(), 0600); err != nil {
 return nil, nil, fmt.Errorf("failed to write cert fixture to %s: %v", certFixturePath, err)
 }
- if err := os.WriteFile(keyFixturePath, keyBuffer.Bytes(), 0644); err != nil {
+ if err := os.WriteFile(keyFixturePath, keyBuffer.Bytes(), 0600); err != nil {
 return nil, nil, fmt.Errorf("failed to write key fixture to %s: %v", certFixturePath, err)
 }
 }
diff --git a/staging/src/k8s.io/client-go/util/cert/io.go b/staging/src/k8s.io/client-go/util/cert/io.go
index a70e5132719..c3c5dca41e1 100644
--- a/staging/src/k8s.io/client-go/util/cert/io.go
+++ b/staging/src/k8s.io/client-go/util/cert/io.go
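Review bot: The key-fixture error on the context line `return nil, nil, fmt.Errorf("failed to write key fixture to %s: %v", certFixturePath, err)` reports the certificate path, so a failed key write points the operator at the wrong file; it should read `return nil, nil, fmt.Errorf("failed to write key fixture to %s: %v", keyFixturePath, err)`. That line is untouched by this hunk and by the later patches in the series that revisit the same two WriteFile calls, so the series is a natural place to fix it. GenerateSelfSignedCertKeyWithFixtures starts before this hunk, and its body appears to continue after it.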
@@ -58,14 +58,14 @@ func canReadFile(path string) bool {
 }
 // WriteCert writes the pem-encoded certificate data to certPath.
-// The certificate file will be created with file mode 0644.
+// The certificate file will be created with file mode 000.
 // If the certificate file already exists, it will be overwritten.
-// The parent directory of the certPath will be created as needed with file mode 0755.
+// The parent directory of the certPath will be created as needed with file mode 0700.
 func WriteCert(certPath string, data []byte) error {
- if err := os.MkdirAll(filepath.Dir(certPath), os.FileMode(0755)); err != nil {
+ if err := os.MkdirAll(filepath.Dir(certPath), os.FileMode(0700)); err != nil {
 return err
 }
- return os.WriteFile(certPath, data, os.FileMode(0644))
+ return os.WriteFile(certPath, data, os.FileMode(0600))
 }
 // NewPool returns an x509.CertPool containing the certificates in the given PEM-encoded file.
diff --git a/staging/src/k8s.io/client-go/util/certificate/certificate_store.go b/staging/src/k8s.io/client-go/util/certificate/certificate_store.go
index e7ed58ee8a3..769b8a500af 100644
--- a/staging/src/k8s.io/client-go/util/certificate/certificate_store.go
+++ b/staging/src/k8s.io/client-go/util/certificate/certificate_store.go
@@ -188,7 +188,7 @@ func (s *fileStore) Update(certData, keyData []byte) (*tls.Certificate, error) {
 ts := time.Now().Format("2006-01-02-15-04-05")
 pemFilename := s.filename(ts)
- if err := os.MkdirAll(s.certDirectory, 0755); err != nil {
+ if err := os.MkdirAll(s.certDirectory, 0700); err != nil {
 return nil, fmt.Errorf("could not create directory %q to store certificates: %v", s.certDirectory, err)
 }
 certPath := filepath.Join(s.certDirectory, pemFilename)
diff --git a/staging/src/k8s.io/client-go/util/keyutil/key.go b/staging/src/k8s.io/client-go/util/keyutil/key.go
index ecd3e4710fe..b2126ea3838 100644
--- a/staging/src/k8s.io/client-go/util/keyutil/key.go
+++ b/staging/src/k8s.io/client-go/util/keyutil/key.go
@@ -63,9 +63,9 @@ func MakeEllipticPrivateKeyPEM() ([]byte, error) {
 // WriteKey writes the pem-encoded key data to keyPath.
 // The key file will be created with file mode 0600.
 // If the key file already exists, it will be overwritten.
-// The parent directory of the keyPath will be created as needed with file mode 0755.
+// The parent directory of the keyPath will be created as needed with file mode 0700.
 func WriteKey(keyPath string, data []byte) error {
- if err := os.MkdirAll(filepath.Dir(keyPath), os.FileMode(0755)); err != nil {
+ if err := os.MkdirAll(filepath.Dir(keyPath), os.FileMode(0700)); err != nil {
 return err
 }
 return os.WriteFile(keyPath, data, os.FileMode(0600))
From fd17dcf3876458229ac15d426eb1bd58f8c52cb4 Mon Sep 17 00:00:00 2001
From: Khachatur Ashotyan
Date: Fri, 3 Feb 2023 13:40:33 +0400
Subject: [PATCH 2/5] fix: comment about permission bits
---
 staging/src/k8s.io/client-go/util/cert/io.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/staging/src/k8s.io/client-go/util/cert/io.go b/staging/src/k8s.io/client-go/util/cert/io.go
index c3c5dca41e1..b4f6daf1854 100644
--- a/staging/src/k8s.io/client-go/util/cert/io.go
+++ b/staging/src/k8s.io/client-go/util/cert/io.go
@@ -58,7 +58,7 @@ func canReadFile(path string) bool {
 }
 // WriteCert writes the pem-encoded certificate data to certPath.
-// The certificate file will be created with file mode 000.
+// The certificate file will be created with file mode 0600.
 // If the certificate file already exists, it will be overwritten.
 // The parent directory of the certPath will be created as needed with file mode 0700.
 func WriteCert(certPath string, data []byte) error {
From c941877438c2219318b0625f5b4e321efe324171 Mon Sep 17 00:00:00 2001
From: Khachatur Ashotyan
Date: Fri, 17 Feb 2023 11:16:46 +0400
Subject: [PATCH 3/5] client-go: change permissions of directories and certs
---
 staging/src/k8s.io/client-go/util/cert/cert.go | 2 +-
 staging/src/k8s.io/client-go/util/cert/io.go | 8 ++++----
 .../client-go/util/certificate/certificate_store.go | 2 +-
 staging/src/k8s.io/client-go/util/keyutil/key.go | 4 ++--
 4 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/staging/src/k8s.io/client-go/util/cert/cert.go b/staging/src/k8s.io/client-go/util/cert/cert.go
index 92a44bfed00..95bec5d0b8e 100644
--- a/staging/src/k8s.io/client-go/util/cert/cert.go
+++ b/staging/src/k8s.io/client-go/util/cert/cert.go
@@ -191,7 +191,7 @@ func GenerateSelfSignedCertKeyWithFixtures(host string, alternateIPs []net.IP, a
 if err := os.WriteFile(certFixturePath, certBuffer.Bytes(), 0600); err != nil {
 return nil, nil, fmt.Errorf("failed to write cert fixture to %s: %v", certFixturePath, err)
 }
- if err := os.WriteFile(keyFixturePath, keyBuffer.Bytes(), 0600); err != nil {
+ if err := os.WriteFile(keyFixturePath, keyBuffer.Bytes(), 0644); err != nil {
 return nil, nil, fmt.Errorf("failed to write key fixture to %s: %v", certFixturePath, err)
 }
 }
diff --git a/staging/src/k8s.io/client-go/util/cert/io.go b/staging/src/k8s.io/client-go/util/cert/io.go
index b4f6daf1854..a70e5132719 100644
--- a/staging/src/k8s.io/client-go/util/cert/io.go
+++ b/staging/src/k8s.io/client-go/util/cert/io.go
@@ -58,14 +58,14 @@ func canReadFile(path string) bool {
 }
 // WriteCert writes the pem-encoded certificate data to certPath.
-// The certificate file will be created with file mode 0600.
+// The certificate file will be created with file mode 0644.
 // If the certificate file already exists, it will be overwritten.
-// The parent directory of the certPath will be created as needed with file mode 0700.
+// The parent directory of the certPath will be created as needed with file mode 0755.
 func WriteCert(certPath string, data []byte) error {
- if err := os.MkdirAll(filepath.Dir(certPath), os.FileMode(0700)); err != nil {
+ if err := os.MkdirAll(filepath.Dir(certPath), os.FileMode(0755)); err != nil {
 return err
 }
- return os.WriteFile(certPath, data, os.FileMode(0600))
+ return os.WriteFile(certPath, data, os.FileMode(0644))
 }
 // NewPool returns an x509.CertPool containing the certificates in the given PEM-encoded file.
diff --git a/staging/src/k8s.io/client-go/util/certificate/certificate_store.go b/staging/src/k8s.io/client-go/util/certificate/certificate_store.go
index 769b8a500af..e7ed58ee8a3 100644
--- a/staging/src/k8s.io/client-go/util/certificate/certificate_store.go
+++ b/staging/src/k8s.io/client-go/util/certificate/certificate_store.go
@@ -188,7 +188,7 @@ func (s *fileStore) Update(certData, keyData []byte) (*tls.Certificate, error) {
 ts := time.Now().Format("2006-01-02-15-04-05")
 pemFilename := s.filename(ts)
- if err := os.MkdirAll(s.certDirectory, 0700); err != nil {
+ if err := os.MkdirAll(s.certDirectory, 0755); err != nil {
 return nil, fmt.Errorf("could not create directory %q to store certificates: %v", s.certDirectory, err)
 }
 certPath := filepath.Join(s.certDirectory, pemFilename)
diff --git a/staging/src/k8s.io/client-go/util/keyutil/key.go b/staging/src/k8s.io/client-go/util/keyutil/key.go
index b2126ea3838..ecd3e4710fe 100644
--- a/staging/src/k8s.io/client-go/util/keyutil/key.go
+++ b/staging/src/k8s.io/client-go/util/keyutil/key.go
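Review bot: The restored doc comments `// The certificate file will be created with file mode 0644.` and `// The parent directory of the certPath will be created as needed with file mode 0755.` state the modes as if they were guaranteed, but os.WriteFile and os.MkdirAll only apply a mode to a file or directory they create, and the kernel masks it with the process umask first; an existing certificate file is truncated and rewritten in place and keeps whatever mode it already has. Because this hunk deliberately leaves certificates world-readable (reasonable for public material), a reader auditing which paths protect private material benefits from that caveat being explicit rather than implied. Suggest `// The certificate file will be created with file mode 0644 (before umask); an existing file is overwritten in place and keeps its current mode.` and the analogous wording for the parent directory.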
@@ -63,9 +63,9 @@ func MakeEllipticPrivateKeyPEM() ([]byte, error) {
 // WriteKey writes the pem-encoded key data to keyPath.
 // The key file will be created with file mode 0600.
 // If the key file already exists, it will be overwritten.
-// The parent directory of the keyPath will be created as needed with file mode 0700.
+// The parent directory of the keyPath will be created as needed with file mode 0755.
 func WriteKey(keyPath string, data []byte) error {
- if err := os.MkdirAll(filepath.Dir(keyPath), os.FileMode(0700)); err != nil {
+ if err := os.MkdirAll(filepath.Dir(keyPath), os.FileMode(0755)); err != nil {
 return err
 }
 return os.WriteFile(keyPath, data, os.FileMode(0600))
From 3cc99c5e77185ce26fd2d5513336e7229c5f7441 Mon Sep 17 00:00:00 2001
From: Khachatur Ashotyan
Date: Fri, 17 Feb 2023 11:20:39 +0400
Subject: [PATCH 4/5] client-go: change permissions of GenerateSelfSignedCertKeyWithFixtures generated cert
---
 staging/src/k8s.io/client-go/util/cert/cert.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/staging/src/k8s.io/client-go/util/cert/cert.go b/staging/src/k8s.io/client-go/util/cert/cert.go
index 95bec5d0b8e..7196cf8900a 100644
--- a/staging/src/k8s.io/client-go/util/cert/cert.go
+++ b/staging/src/k8s.io/client-go/util/cert/cert.go
@@ -188,7 +188,7 @@ func GenerateSelfSignedCertKeyWithFixtures(host string, alternateIPs []net.IP, a
 }
 if len(fixtureDirectory) > 0 {
- if err := os.WriteFile(certFixturePath, certBuffer.Bytes(), 0600); err != nil {
+ if err := os.WriteFile(certFixturePath, certBuffer.Bytes(), 0644); err != nil {
 return nil, nil, fmt.Errorf("failed to write cert fixture to %s: %v", certFixturePath, err)
 }
 if err := os.WriteFile(keyFixturePath, keyBuffer.Bytes(), 0644); err != nil {
From 49af62e64f33317ec0c12f9ed8ab8a0d4f365d44 Mon Sep 17 00:00:00 2001
From: Khachatur Ashotyan
Date: Fri, 17 Feb 2023 14:21:24 +0400
Subject: [PATCH 5/5] client-go: change permissions of key
---
 staging/src/k8s.io/client-go/util/cert/cert.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/staging/src/k8s.io/client-go/util/cert/cert.go b/staging/src/k8s.io/client-go/util/cert/cert.go
index 7196cf8900a..4be1dfe4935 100644
--- a/staging/src/k8s.io/client-go/util/cert/cert.go
+++ b/staging/src/k8s.io/client-go/util/cert/cert.go
@@ -191,7 +191,7 @@ func GenerateSelfSignedCertKeyWithFixtures(host string, alternateIPs []net.IP, a
 if err := os.WriteFile(certFixturePath, certBuffer.Bytes(), 0644); err != nil {
 return nil, nil, fmt.Errorf("failed to write cert fixture to %s: %v", certFixturePath, err)
 }
- if err := os.WriteFile(keyFixturePath, keyBuffer.Bytes(), 0644); err != nil {
+ if err := os.WriteFile(keyFixturePath, keyBuffer.Bytes(), 0600); err != nil {
 return nil, nil, fmt.Errorf("failed to write key fixture to %s: %v", certFixturePath, err)
 }
 }
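Review bot: Passing 0600 on the added line `if err := os.WriteFile(keyFixturePath, keyBuffer.Bytes(), 0600); err != nil {` only protects a key fixture that does not yet exist; os.WriteFile hands the mode to OpenFile for creation and truncates an existing file without touching its mode, so a key fixture that an earlier build left at 0644 stays world-readable after this change. If fixtures under fixtureDirectory persist between runs (the rest of the function is not in view, so this is inferred from the path being derived from a caller-supplied directory), follow the write with an explicit `if err := os.Chmod(keyFixturePath, 0600); err != nil { return nil, nil, fmt.Errorf("failed to set key fixture mode on %s: %v", keyFixturePath, err) }`, or remove the stale file before writing it. For 0600 the umask can only tighten the result, so no caveat is needed on that side. GenerateSelfSignedCertKeyWithFixtures starts before this hunk and appears to end after it.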