authorelijah <elijah@riseup.net>2013-07-29 20:38:58 -0700
committerelijah <elijah@riseup.net>2013-07-29 20:38:58 -0700
commite00e5d2b501a0d2727ea84fb1ea3e597e1e37ee4 (patch)
tree92901eec53f76e7bc617e47001977cb1b0b614fe
parent0f92af724ebab6416fc641b57f0a6d43614c25da (diff)
security fix - don't allow leap_cli created files to be world/group readable.
-rw-r--r--lib/leap_cli/commands/vagrant.rb9
-rw-r--r--lib/leap_cli/config/macros.rb4
-rw-r--r--lib/leap_cli/util.rb6
3 files changed, 9 insertions, 10 deletions
diff --git a/lib/leap_cli/commands/vagrant.rb b/lib/leap_cli/commands/vagrant.rb
index 610574d..7720648 100644
--- a/lib/leap_cli/commands/vagrant.rb
+++ b/lib/leap_cli/commands/vagrant.rb
@@ -76,8 +76,7 @@ module LeapCli; module Commands
Util.assert_files_exist! file_path
uid = File.new(file_path).stat.uid
if uid == 0 || uid == Process.euid
- FileUtils.cp file_path, '/tmp/vagrant.key'
- FileUtils.chmod 0600, '/tmp/vagrant.key'
+ FileUtils.install file_path, '/tmp/vagrant.key', :mode => 0600
file_path = '/tmp/vagrant.key'
end
return file_path
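Review bot: The copy still lands at the fixed name `/tmp/vagrant.key` in a shared directory, so the added `:mode => 0600` gives no protection when that path already exists and is owned by another local user or is a symlink. Depending on the Ruby version, `FileUtils.install` may also copy first and apply the mode afterwards, and may skip a destination whose content already matches, which would leave an older, wider-permission copy as it is. Consider writing the key into a private directory instead, for example one returned by `Dir.mktmpdir` (created with mode 0700 and an unpredictable name) or a 0700 directory under the user's home. The enclosing method starts and ends outside this hunk, so how the returned path is used later is not visible here.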
@@ -112,7 +111,7 @@ module LeapCli; module Commands
def vagrant_setup
assert_bin! 'vagrant', 'Vagrant is required for running local virtual machines. Run "sudo apt-get install vagrant".'
- version = vagrant_version
+ version = vagrant_version
case version
when 0..1
unless assert_run!('vagrant gem which sahara').chars.any?
@@ -131,7 +130,7 @@ module LeapCli; module Commands
def vagrant_version
minor_version = `vagrant --version|cut -d' ' -f 3 | cut -d'.' -f 2`.to_i
version = case minor_version
- when 1..9 then 2
+ when 1..9 then 2
when 0 then 1
else 0
end
@@ -179,7 +178,7 @@ module LeapCli; module Commands
lines << %[ end]
end
end
- end
+ end
lines << %[end]
lines << ""
diff --git a/lib/leap_cli/config/macros.rb b/lib/leap_cli/config/macros.rb
index b5f6a34..ef3a85e 100644
--- a/lib/leap_cli/config/macros.rb
+++ b/lib/leap_cli/config/macros.rb
@@ -97,8 +97,8 @@ module LeapCli; module Config
# if file is under Path.provider_base, we must copy the default file to
# to Path.provider in order for rsync to be able to sync the file.
local_provider_path = actual_path.sub(/^#{Regexp.escape(Path.provider_base)}/, Path.provider)
- FileUtils.mkdir_p File.dirname(local_provider_path)
- FileUtils.cp_r actual_path, local_provider_path
+ FileUtils.mkdir_p File.dirname(local_provider_path), :mode => 0700
+ FileUtils.install actual_path, local_provider_path, :mode => 0600
Util.log :created, Path.relative_path(local_provider_path)
actual_path = local_provider_path
end
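Review bot: Swapping `FileUtils.cp_r` for `FileUtils.install` in the second added line drops recursive copying, so if `actual_path` can ever be a directory this call will fail where the old one succeeded. The hunk does not show whether that case can occur, so it should be confirmed against the callers. Separately, `:mode => 0700` on `mkdir_p` only affects directories that this call creates; a directory left behind by an earlier run keeps its previous permissions. If existing directories must be tightened as well, an explicit `FileUtils.chmod 0700, File.dirname(local_provider_path)` after the `mkdir_p` would cover it, provided that directory is meant to be private. The enclosing block begins outside the hunk.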
diff --git a/lib/leap_cli/util.rb b/lib/leap_cli/util.rb
index e52c8a1..86a9a14 100644
--- a/lib/leap_cli/util.rb
+++ b/lib/leap_cli/util.rb
@@ -162,7 +162,7 @@ module LeapCli
dir = Path.named_path(dir)
unless File.directory?(dir)
assert_files_missing!(dir, :msg => "Cannot create directory #{dir}")
- FileUtils.mkdir_p(dir)
+ FileUtils.mkdir_p(dir, :mode => 0700)
unless dir =~ /\/$/
dir = dir + '/'
end
@@ -219,7 +219,7 @@ module LeapCli
write_file!(filepath, content)
end
else
- File.open(filepath, File::RDWR|File::CREAT, 0644) do |f|
+ File.open(filepath, File::RDWR|File::CREAT, 0600) do |f|
f.flock(File::LOCK_EX)
old_content = f.read
new_content = yield(old_content)
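Review bot: The `0600` passed to `File.open(filepath, File::RDWR|File::CREAT, 0600)` is only honoured when the file is created, so a file written by an earlier leap_cli version with 0644 stays group/world-readable after this change. The same applies to `File.open(filepath, 'w', 0600)` in the next hunk of this file. To make the fix cover existing files, set the mode on the open handle before writing, e.g. `f.chmod(0600)` as the first statement inside each block. Both enclosing methods start and end outside their hunks.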
@@ -286,7 +286,7 @@ module LeapCli
end
end
- File.open(filepath, 'w') do |f|
+ File.open(filepath, 'w', 0600) do |f|
f.write contents
end