CHEF-1098: Habitat installs on hardened systems

- Adds pub set_umask_0022 to core/util/posix/perms - Calls set_umask_0022 in fn main of hab cli binary - Adds 'umask 0022' to hab binary install.sh Signed-off-by: Jason Heath <jh@jasonheath.com>
habitat-sh · Sep 20, 2024 · 7162f15 · 7162f15
1 parent 0193747
commit 7162f15
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 1 deletion.
diff --git a/components/core/src/util/posix_perm.rs b/components/core/src/util/posix_perm.rs
@@ -124,6 +124,11 @@ fn chmod(path: &str, mode: u32) -> Result<c_int> {
     }
 }
 
+/// Sets the umask of the running process to 0022 after its called
+pub fn set_umask_0022() -> Result<u32> { umask(0o22 as mode_t) }
+
+fn umask(mode: mode_t) -> Result<u32> { unsafe { Ok(libc::umask(mode)) } }
+
 #[cfg(test)]
 mod tests {
     use std::{fs::File,
@@ -166,4 +171,34 @@ mod tests {
             }
         }
     }
+
+    #[test]
+    fn exercise_set_umask_0022() {
+
+        // From `man 2 umask` on a Linux box.
+        //
+        //      RETURN VALUE
+        //          This system call always succeeds and the previous value of the mask is returned.
+        //
+        // And from `man 2 umask` on macOS
+        //
+        //      RETURN VALUES
+        //           The previous value of the file mode mask is returned by the call.
+        //
+        //      ERRORS
+        //           The umask() function is always successful.
+        //
+        // Stmts such as these  makes this feel tricky to meaningfully unit test but I'm going to
+        // write one that exercises it anyway.
+
+        // There's no "reasonable" way I've found to get the current umask so I'm just exploiting
+        // what I know about the umask system call to set it so that we have a known umask value.
+        let _ = umask(0o0777).unwrap();
+
+        let known_umask = set_umask_0022().unwrap();
+        let umask_0022 = umask(0o0777).unwrap();
+
+        assert_eq!(known_umask, 0o0777);
+        assert_eq!(umask_0022, 0o0022);
+    }
 }
diff --git a/components/hab/install.sh b/components/hab/install.sh
@@ -1,5 +1,7 @@
 #!/bin/bash
-#
+
+umask 0022
+
 set -eou pipefail
 
 # If the variable `$DEBUG` is set, then print the shell commands as we execute.

diff --git a/components/hab/src/main.rs b/components/hab/src/main.rs
@@ -70,6 +70,7 @@ use habitat_core::{crypto::{init,
                              PackageTarget},
                    service::ServiceGroup,
                    url::default_bldr_url,
+                   util::posix_perm,
                    ChannelIdent};
 use habitat_sup_client::{SrvClient,
                          SrvClientError};
@@ -128,6 +129,13 @@ async fn main() {
     env_logger::init();
     let mut ui = UI::default_with_env();
     let flags = FeatureFlag::from_env(&mut ui);
+
+    #[cfg(not(target_os = "windows"))]
+    if let Err(e) = posix_perm::set_umask_0022() {
+        ui.fatal(e).unwrap();
+        std::process::exit(1);
+    }
+
     if let Err(e) = start(&mut ui, flags).await {
         let exit_code = e.exit_code();
         ui.fatal(e).unwrap();