pkg: file stat warning

Provide warning and doc instead of enforcing file permission.
etcd-io · Aug 20, 2020 · f3a0ed1 · f3a0ed1
1 parent 4b6a0ee
commit f3a0ed1
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 1 deletion.
diff --git a/Documentation/op-guide/security.md b/Documentation/op-guide/security.md
@@ -431,6 +431,9 @@ No. etcd doesn't encrypt key/value data stored on disk drives. If a user need to
 * Let client applications encrypt and decrypt the data
 * Use a feature of underlying storage systems for encrypting stored data like [dm-crypt]
 
+### I’m seeing a log warning that "directory X exist without desired file permission -rwx------"
+When etcd create certain new directories it sets file permission to 700 to prevent unprivileged access as possible. However, if user has already created a directory with own preference, different than 700, etcd uses the existing directory and logs the warning message.
+
 [cfssl]: https://github.com/cloudflare/cfssl
 [tls-setup]: ../../hack/tls-setup
 [tls-guide]: https://github.com/coreos/docs/blob/master/os/generate-self-signed-certificates.md

diff --git a/pkg/fileutil/fileutil.go b/pkg/fileutil/fileutil.go
@@ -20,6 +20,8 @@ import (
 	"io/ioutil"
 	"os"
 	"path/filepath"
+
+	"go.uber.org/zap"
 )
 
 const (
@@ -45,7 +47,11 @@ func TouchDirAll(dir string) error {
 	if Exist(dir) {
 		err := CheckDirPermission(dir, PrivateDirMode)
 		if err != nil {
-			return err
+			lg, _ := zap.NewProduction()
+			if lg == nil {
+				lg = zap.NewExample()
+			}
+			lg.Warn("check file permission", zap.Error(err))
 		}
 	} else {
 		err := os.MkdirAll(dir, PrivateDirMode)