From 8ea6a3ada710cf833dac549b973d09512bce1b78 Mon Sep 17 00:00:00 2001
From: Matthias Gerstner
Date: Wed, 20 Feb 2019 10:32:08 +0100
Subject: [PATCH 2/6] state_file_dir: choose safe default mode, make mode configurable
`os.makedirs()` uses default mode 0777 in Python2. Therefore the protection level of the state_file_dir depends on the inherited umask. A default mode of 0750 is a good conservative default for this. To allow admins and system integrators to tune this setting it is configurable via the new config file setting 'state_file_dir_mode'.
---
 dist/efs-utils.conf | 2 ++
 src/mount_efs/__init__.py | 16 +++++++++++++++-
 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/dist/efs-utils.conf b/dist/efs-utils.conf
index 36e8de0..75d2111 100644
--- a/dist/efs-utils.conf
+++ b/dist/efs-utils.conf
@@ -10,6 +10,8 @@
 logging_level = INFO
 logging_max_bytes = 1048576
 logging_file_count = 10
+# mode for /var/run/efs in octal
+state_file_dir_mode = 750
 [mount]
 dns_name_format = {fs_id}.efs.{region}.amazonaws.com
diff --git a/src/mount_efs/__init__.py b/src/mount_efs/__init__.py
index 8b15409..a095ba7 100755
--- a/src/mount_efs/__init__.py
+++ b/src/mount_efs/__init__.py
@@ -387,12 +387,26 @@ def start_watchdog(init_system):
 logging.warning(error_message)
+def create_state_file_dir(config, state_file_dir):
+ mode = 0o750
+ try:
+ mode_str = config.get(CONFIG_SECTION, 'state_file_dir_mode')
+ try:
+ mode = int(mode_str, 8)
+ except ValueError:
+ logging.warn('Bad state_file_dir_mode "%s" in config file "%s"', mode_str, CONFIG_FILE)
+ except ConfigParser.NoOptionError:
+ pass
+
+ os.makedirs(state_file_dir, mode)
+
+
 @contextmanager
 def bootstrap_tls(config, init_system, dns_name, fs_id, mountpoint, options, state_file_dir=STATE_FILE_DIR):
 start_watchdog(init_system)
 if not os.path.exists(state_file_dir):
- os.makedirs(state_file_dir)
+ create_state_file_dir(config, state_file_dir)
 tls_port = choose_tls_port(config)
 options['tlsport'] = tls_port
--
2.21.0
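Review bot: The comment added above `state_file_dir_mode` does not tell an admin that the value is only an upper bound, nor what happens to a malformed one. Going by the Python half of this patch, the value is parsed with `int(mode_str, 8)` and handed to `os.makedirs()`, so the process umask can still clear bits, and an unparsable value only logs a warning and keeps 0750. A comment along the lines of `# octal mode for the state file directory (/var/run/efs); umask still applies, invalid values fall back to 750` would document both.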
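Review bot: The tightened mode only takes effect when `bootstrap_tls` finds no directory, because `create_state_file_dir` is called solely under `if not os.path.exists(state_file_dir):`; a state directory that already exists (for example one created before this change under a permissive umask) keeps whatever permissions it has. If the new default is meant to hold on upgraded hosts as well, the existing-directory path needs its own handling, such as `os.chmod(state_file_dir, mode)` after confirming the path is a real directory with the expected owner. Two smaller points in the helper: `os.makedirs()` still applies the process umask, so the configured value is a ceiling rather than the exact result, and `logging.warn` is the deprecated spelling of the `logging.warning` used in the context line above, with a message that does not say the 0o750 default is kept. `bootstrap_tls` continues past the end of the hunk.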