Merge pull request #12250 from spzala/automated-cherry-pick-of-#12242…

…-upstream-release-3.4 Automated cherry pick of #12242
etcd-io · Aug 24, 2020 · 781bde7 · 781bde7
2 parents 7cd5872 + d5ebbbc
commit 781bde7
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 2 deletions.
diff --git a/Documentation/op-guide/security.md b/Documentation/op-guide/security.md
@@ -431,6 +431,9 @@ No. etcd doesn't encrypt key/value data stored on disk drives. If a user need to
 * Let client applications encrypt and decrypt the data
 * Use a feature of underlying storage systems for encrypting stored data like [dm-crypt]
 
+### I’m seeing a log warning that "directory X exist without recommended permission -rwx------"
+When etcd create certain new directories it sets file permission to 700 to prevent unprivileged access as possible. However, if user has already created a directory with own preference, etcd uses the existing directory and logs a warning message if the permission is different than 700.
+
 [cfssl]: https://github.com/cloudflare/cfssl
 [tls-setup]: ../../hack/tls-setup
 [tls-guide]: https://github.com/coreos/docs/blob/master/os/generate-self-signed-certificates.md

diff --git a/pkg/fileutil/fileutil.go b/pkg/fileutil/fileutil.go
@@ -49,7 +49,7 @@ func TouchDirAll(dir string) error {
 	if Exist(dir) {
 		err := CheckDirPermission(dir, PrivateDirMode)
 		if err != nil {
-			return err
+			plog.Warningf("check file permission: %v", err)
 		}
 	} else {
 		err := os.MkdirAll(dir, PrivateDirMode)
@@ -122,7 +122,7 @@ func CheckDirPermission(dir string, perm os.FileMode) error {
 	}
 	dirMode := dirInfo.Mode().Perm()
 	if dirMode != perm {
-		err = fmt.Errorf("directory %q,%q exist without desired file permission %q.", dir, dirInfo.Mode(), os.FileMode(PrivateDirMode))
+		err = fmt.Errorf("directory %q exist, but the permission is %q. The recommended permission is %q to prevent possible unprivileged access to the data.", dir, dirInfo.Mode(), os.FileMode(PrivateDirMode))
 		return err
 	}
 	return nil