Only allow access to the temporary file for the current user

If the permissions for the targets of atomic writes are specified, k0s should be conservative and not allow the contents of the temporary file to be leaked. Do this by restricting access to the temporary file to the current user. Otherwise, rely on the umask. On Windows, chmod isn't implemented for file descriptors and would just toggle the read-only attribute anyway, so it's useless to try to use it. Signed-off-by: Tom Wieczorek <twieczorek@mirantis.com>
k0sproject · Apr 24, 2024 · 9ab39d1 · 9ab39d1
1 parent 765095e
commit 9ab39d1
Showing 1 changed file with 21 additions and 0 deletions.
diff --git a/internal/pkg/file/atomic.go b/internal/pkg/file/atomic.go
@@ -23,6 +23,7 @@ import (
 	"io/fs"
 	"os"
 	"path/filepath"
+	"runtime"
 )
 
 // The internal options for atomic file writes.
@@ -84,6 +85,26 @@ func (o *AtomicOpener) Open() (f *Atomic, err error) {
 		return nil, err
 	}
 
+	var opened bool
+	defer func() {
+		if !opened {
+			err = errors.Join(err, f.fd.Close(), remove(f.fd))
+		}
+	}()
+
+	// If the target's permissions are specified, k0s should be conservative and
+	// not allow the contents of the temporary file to be leaked. Do this by
+	// restricting access to the temporary file to the current user. Otherwise,
+	// rely on the umask. On Windows, chmod isn't implemented for file
+	// descriptors and would just toggle the read-only attribute anyway, so it's
+	// useless to try to use it.
+	if f.wantsChmod() && runtime.GOOS != "windows" {
+		if err := f.fd.Chmod(0600); err != nil {
+			return nil, err
+		}
+	}
+
+	opened = true
 	return f, nil
 }