author | James Fargher <jfargher@gitlab.com> | 2023-02-08 00:31:48 +0300 |
---|---|---|
committer | James Fargher <jfargher@gitlab.com> | 2023-02-08 22:50:39 +0300 |
commit | 57128d1963efe62f9e4b39b4ee9a95721c0c0a5f (patch) | |
tree | c73023f7af4172763b76ebbd23a76824c04e64ca | |
parent | 5cf02f580e6eafb00c93631803d9627e6a579e83 (diff) |
Extract constant for the most restricted write-once private files
These files are written only once and must be readable only by gitaly.
-rw-r--r-- | internal/git/ssh.go | 5 | ||||
-rw-r--r-- | internal/helper/perm/perm.go | 5 | ||||
-rw-r--r-- | internal/safe/locking_directory.go | 4 | ||||
-rw-r--r-- | internal/safe/locking_file_writer.go | 4 |
4 files changed, 14 insertions, 4 deletions
diff --git a/internal/git/ssh.go b/internal/git/ssh.go
index be411576f..93f312597 100644
--- a/internal/git/ssh.go
+++ b/internal/git/ssh.go
@@ -8,6 +8,7 @@ import (
 	"strings"
 
 	"github.com/grpc-ecosystem/go-grpc-middleware/logging/logrus/ctxlogrus"
+	"gitlab.com/gitlab-org/gitaly/v15/internal/helper/perm"
 )
 
 // BuildSSHInvocation builds a command line to invoke SSH with the provided key and known hosts.
@@ -32,7 +33,7 @@ func BuildSSHInvocation(ctx context.Context, sshKey, knownHosts string) (string,
 	args := []string{sshCommand}
 	if sshKey != "" {
 		sshKeyFile := filepath.Join(tmpDir, "ssh-key")
-		if err := os.WriteFile(sshKeyFile, []byte(sshKey), 0o400); err != nil {
+		if err := os.WriteFile(sshKeyFile, []byte(sshKey), perm.PrivateWriteOnceFile); err != nil {
 			cleanup()
 			return "", nil, fmt.Errorf("create ssh key file: %w", err)
 		}
@@ -42,7 +43,7 @@ func BuildSSHInvocation(ctx context.Context, sshKey, knownHosts string) (string,
 
 	if knownHosts != "" {
 		knownHostsFile := filepath.Join(tmpDir, "known-hosts")
-		if err := os.WriteFile(knownHostsFile, []byte(knownHosts), 0o400); err != nil {
+		if err := os.WriteFile(knownHostsFile, []byte(knownHosts), perm.PrivateWriteOnceFile); err != nil {
 			cleanup()
 			return "", nil, fmt.Errorf("create known hosts file: %w", err)
 		}
diff --git a/internal/helper/perm/perm.go b/internal/helper/perm/perm.go
index 2783f284c..869665384 100644
--- a/internal/helper/perm/perm.go
+++ b/internal/helper/perm/perm.go
@@ -23,6 +23,11 @@ const (
 	// written outside of gitaly.
 	PublicDir fs.FileMode = 0o777
 
+	// PrivateWriteOnceFile is the most restrictive file permission. Given to
+	// files that are expected to be written only once and must be read only by
+	// gitaly.
+	PrivateWriteOnceFile fs.FileMode = 0o400
+
 	// PrivateFile is the permissions given for a file that must only be used
 	// by gitaly.
 	PrivateFile fs.FileMode = 0o600
diff --git a/internal/safe/locking_directory.go b/internal/safe/locking_directory.go
index 2f51e5a8e..c3baa7340 100644
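Review bot: The key-file mode in the second ssh.go hunk deserves a comment, because PrivateWriteOnceFile is not only a hardening choice there: ssh itself refuses a private key whose file is group- or world-readable, so a later switch to a wider constant would silently break every invocation that passes sshKey. Suggest `// ssh rejects a key file readable by group or others, so this must stay owner-only.` directly above the os.WriteFile call. Note also that os.WriteFile truncates an existing path rather than failing, so the write-once property rests on tmpDir being fresh for each call; the creation of tmpDir, like the rest of BuildSSHInvocation, lies outside the hunk.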
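Review bot: The doc comment on PrivateWriteOnceFile in perm.go states the intent but not the mechanism, which is what a reader choosing between it and PrivateFile needs: with 0o400 the owner has no write bit, so after the initial create-and-write the file cannot be reopened for writing by the same unprivileged process, and that is what makes it write-once in practice. Suggest appending `// The owner has no write bit, so an unprivileged process cannot reopen the file for writing once it exists; the umask may clear further bits, and a root process is not bound by the mode.` to the comment. "The most restrictive file permission" also reads better qualified, since 0o000 is stricter; "the most restrictive mode used by gitaly" is accurate. The const block starts outside the hunk.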
--- a/internal/safe/locking_directory.go
+++ b/internal/safe/locking_directory.go
@@ -6,6 +6,8 @@ import (
 	"io/fs"
 	"os"
 	"path/filepath"
+
+	"gitlab.com/gitlab-org/gitaly/v15/internal/helper/perm"
 )
 
 type lockingDirectoryState int
@@ -50,7 +52,7 @@ func (ld *LockingDirectory) Lock() error {
 		return errors.New("locking directory not lockable")
 	}
 
-	lock, err := os.OpenFile(ld.lockPath(), os.O_CREATE|os.O_EXCL|os.O_RDONLY, 0o400)
+	lock, err := os.OpenFile(ld.lockPath(), os.O_CREATE|os.O_EXCL|os.O_RDONLY, perm.PrivateWriteOnceFile)
 	if err != nil {
 		if os.IsExist(err) {
 			return ErrFileAlreadyLocked
diff --git a/internal/safe/locking_file_writer.go b/internal/safe/locking_file_writer.go
index c43720cbe..bb52de6b2 100644
--- a/internal/safe/locking_file_writer.go
+++ b/internal/safe/locking_file_writer.go
@@ -5,6 +5,8 @@ import (
 	"fmt"
 	"io"
 	"os"
+
+	"gitlab.com/gitlab-org/gitaly/v15/internal/helper/perm"
 )
 
 type lockingFileWriterState int
@@ -136,7 +138,7 @@ func (fw *LockingFileWriter) Lock() error {
 		return err
 	}
 
-	lock, err := os.OpenFile(fw.lockPath(), os.O_CREATE|os.O_EXCL|os.O_RDONLY, 0o400)
+	lock, err := os.OpenFile(fw.lockPath(), os.O_CREATE|os.O_EXCL|os.O_RDONLY, perm.PrivateWriteOnceFile)
 	if err != nil {
 		if os.IsExist(err) {
 			return ErrFileAlreadyLocked
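Review bot: Both Lock hunks (locking_directory.go and locking_file_writer.go) create the lock file with os.O_RDONLY and PrivateWriteOnceFile, yet the file is never written, so the constant's name describes something that does not happen here and the mode is only applied at creation, which O_CREATE|O_EXCL guarantees. A comment at each OpenFile would stop the next reader from looking for the missing write: `// The lock is the file's existence; it is never written, so open it read-only with the owner-only mode.` It is also worth stating that a 0o400 lock file can still be unlinked by anyone with write access to the parent directory, so the lock's integrity depends on the directory's mode rather than on this constant. Both Lock functions begin before their hunk and continue after it.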