set the permissions for /var/lib/rancher/conf to 0700

Signed-off-by: Sven Dowideit <SvenDowideit@home.org.au>
2025-07-04 10:36:14 +00:00 · 2017-03-13 17:17:15 +10:00 · 2017-03-13 17:17:15 +10:00 · 27f11ec6c2
commit 27f11ec6c2
parent 63c3d57993
6 changed files with 13 additions and 4 deletions
--- a/cmd/control/install.go
+++ b/cmd/control/install.go
@ -562,7 +562,7 @@ func seedData(baseName, cloudData string, files []string) error {
 		return err
 	}

-	if err = os.MkdirAll(filepath.Join(baseName, "/var/lib/rancher/conf/cloud-config.d"), 0755); err != nil {
+	if err = os.MkdirAll(filepath.Join(baseName, "/var/lib/rancher/conf/cloud-config.d"), 0700); err != nil {
 		return err
 	}

--- a/config/cloudinit/datasource/configdrive/configdrive.go
+++ b/config/cloudinit/datasource/configdrive/configdrive.go
@ -147,7 +147,7 @@ func (cd *ConfigDrive) tryReadFile(filename string) ([]byte, error) {
 }

 func MountConfigDrive() error {
-	if err := os.MkdirAll(configDevMountPoint, 644); err != nil {
+	if err := os.MkdirAll(configDevMountPoint, 700); err != nil {
 		return err
 	}

--- a/config/disk.go
+++ b/config/disk.go
@ -220,7 +220,7 @@ func WriteToFile(data interface{}, filename string) error {
 		return err
 	}

-	if err := os.MkdirAll(filepath.Dir(filename), os.ModeDir|0755); err != nil {
+	if err := os.MkdirAll(filepath.Dir(filename), os.ModeDir|0700); err != nil {
 		return err
 	}

--- a/config/types.go
+++ b/config/types.go
@ -38,6 +38,7 @@ const (
 	System            = "system"

 	OsConfigFile           = "/usr/share/ros/os-config.yml"
+	VarRancherDir          = "/var/lib/rancher"
 	CloudConfigDir         = "/var/lib/rancher/conf/cloud-config.d"
 	CloudConfigBootFile    = "/var/lib/rancher/conf/cloud-config.d/boot.yml"
 	CloudConfigNetworkFile = "/var/lib/rancher/conf/cloud-config.d/network.yml"
--- a/init/init.go
+++ b/init/init.go
@ -330,13 +330,19 @@ func RunInit() error {
 		mountOem,
 		func(cfg *config.CloudConfig) (*config.CloudConfig, error) {
 			for name, content := range configFiles {
-				if err := os.MkdirAll(filepath.Dir(name), os.ModeDir|0755); err != nil {
+				if err := os.MkdirAll(filepath.Dir(name), os.ModeDir|0700); err != nil {
 					log.Error(err)
 				}
 				if err := util.WriteFileAtomic(name, content, 400); err != nil {
 					log.Error(err)
 				}
 			}
+			if err := os.MkdirAll(config.VarRancherDir, os.ModeDir|0755); err != nil {
+				log.Error(err)
+			}
+			if err := os.Chmod(config.VarRancherDir, os.ModeDir|0755); err != nil {
+				log.Error(err)
+			}
 			return cfg, nil
 		},
 		func(cfg *config.CloudConfig) (*config.CloudConfig, error) {
--- a/tests/network_test.go
+++ b/tests/network_test.go
@ -55,6 +55,8 @@ func (s *QemuSuite) TestNetworkCfg(c *C) {
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
+    inet XX.XX.XX.XX/24 brd 10.0.2.255 scope global eth0
+       valid_lft forever preferred_lft forever
    inet 10.1.0.41/24 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 XX::XX:XX:XX:XX/64 scope link