/var/log should not be root accessible only

Signed-off-by: Sven Dowideit <SvenDowideit@home.org.au>
2025-06-25 22:41:36 +00:00 · 2017-07-21 15:23:02 +10:00 · 2017-07-21 15:23:02 +10:00 · cc58b8c6b2
commit cc58b8c6b2
parent b630bc836b
1 changed files with 9 additions and 2 deletions
--- a/init/init.go
+++ b/init/init.go
@ -384,10 +384,17 @@ func RunInit() error {
 		config.CfgFuncData{"mount OEM2", mountOem},
 		config.CfgFuncData{"write cfg and log files", func(cfg *config.CloudConfig) (*config.CloudConfig, error) {
 			for name, content := range configFiles {
-				if err := os.MkdirAll(filepath.Dir(name), os.ModeDir|0700); err != nil {
+				dirMode := os.ModeDir | 0755
+				fileMode := os.FileMode(0444)
+				if strings.HasPrefix(name, "/var/lib/rancher/conf/") {
+					// only make the conf files harder to get to
+					dirMode = os.ModeDir | 0700
+					fileMode = os.FileMode(0400)
+				}
+				if err := os.MkdirAll(filepath.Dir(name), dirMode); err != nil {
 					log.Error(err)
 				}
-				if err := util.WriteFileAtomic(name, content, 400); err != nil {
+				if err := util.WriteFileAtomic(name, content, fileMode); err != nil {
 					log.Error(err)
 				}
 				log.Infof("Wrote log to %s", name)