aws-efs-utils/0002-state_file_dir-choose-safe-default-mode-make-mode-co.patch
Robert Schweikert 37b1e47732 Accepting request 690895 from home:glaubitz:branches:Cloud:Tools
- Include hardening and robustness fixes from security audit (bsc#1125133)
  + 0001-subprocess-usage-explicitly-pass-close_fds-True.patch
  + 0002-state_file_dir-choose-safe-default-mode-make-mode-co.patch
  + 0003-pytest-adjust-tests-to-new-state_file_dir_mode-confi.patch
  + 0004-choose_tls_port-reuse-socket-and-explicitly-close-it.patch
  + 0005-watchdog-be-robust-against-unrelated-localhost-based.patch

OBS-URL: https://build.opensuse.org/request/show/690895
OBS-URL: https://build.opensuse.org/package/show/Cloud:Tools/aws-efs-utils?expand=0&rev=5
2019-04-03 15:51:34 +00:00


From 8ea6a3ada710cf833dac549b973d09512bce1b78 Mon Sep 17 00:00:00 2001
From: Matthias Gerstner <matthias.gerstner@suse.de>
Date: Wed, 20 Feb 2019 10:32:08 +0100
Subject: [PATCH 2/6] state_file_dir: choose safe default mode, make mode
configurable
`os.makedirs()` uses default mode 0777 in Python2. Therefore the
protection level of the state_file_dir depends on the inherited umask. A
default mode of 0750 is a good conservative default for this. To allow
admins and system integrators to tune this setting it is configurable
via the new config file setting 'state_file_dir_mode'.
---
dist/efs-utils.conf | 2 ++
src/mount_efs/__init__.py | 16 +++++++++++++++-
2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/dist/efs-utils.conf b/dist/efs-utils.conf
index 36e8de0..75d2111 100644
--- a/dist/efs-utils.conf
+++ b/dist/efs-utils.conf
@@ -10,6 +10,8 @@
logging_level = INFO
logging_max_bytes = 1048576
logging_file_count = 10
+# mode for /var/run/efs in octal
+state_file_dir_mode = 750
[mount]
dns_name_format = {fs_id}.efs.{region}.amazonaws.com
diff --git a/src/mount_efs/__init__.py b/src/mount_efs/__init__.py
index 8b15409..a095ba7 100755
--- a/src/mount_efs/__init__.py
+++ b/src/mount_efs/__init__.py
@@ -387,12 +387,26 @@ def start_watchdog(init_system):
logging.warning(error_message)
+def create_state_file_dir(config, state_file_dir):
+ mode = 0o750
+ try:
+ mode_str = config.get(CONFIG_SECTION, 'state_file_dir_mode')
+ try:
+ mode = int(mode_str, 8)
+ except ValueError:
+ logging.warn('Bad state_file_dir_mode "%s" in config file "%s"', mode_str, CONFIG_FILE)
+ except ConfigParser.NoOptionError:
+ pass
+
+ os.makedirs(state_file_dir, mode)
+
+
@contextmanager
def bootstrap_tls(config, init_system, dns_name, fs_id, mountpoint, options, state_file_dir=STATE_FILE_DIR):
start_watchdog(init_system)
if not os.path.exists(state_file_dir):
- os.makedirs(state_file_dir)
+ create_state_file_dir(config, state_file_dir)
tls_port = choose_tls_port(config)
options['tlsport'] = tls_port
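Review bot: The mode passed to `os.makedirs(state_file_dir, mode)` in create_state_file_dir is still filtered by the process umask, and bootstrap_tls calls the helper only when the path does not exist, so the configured value can end up narrower than requested and an existing directory with looser permissions is left as it is on this path. Following the creation with `os.chmod(state_file_dir, mode)` would make the configured mode the effective one for the leaf directory. `int(mode_str, 8)` also accepts setuid/setgid/sticky bits and out-of-range values; treating any value where `mode & ~0o777` is non-zero like the ValueError case (same warning, fall back to 0o750) would keep a typo in the config from producing a surprising mode. The new warning uses `logging.warn`, a deprecated alias, while the context line at the top of the hunk uses `logging.warning`. bootstrap_tls continues past the end of the hunk.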
--
2.21.0