authorChristian Poessinger <christian@poessinger.com>2020-04-12 11:24:45 +0200
committerChristian Poessinger <christian@poessinger.com>2020-04-12 11:24:45 +0200
commite10893227a0acb239daaf0e8a7af3a4e650370ae (patch)
tree24375d3cec59246cf45bb04898365059c45a7b9b
parentcb76acad993760b2467667e1aa42d164db590ad8 (diff)
downloadvyos-1x-e10893227a0acb239daaf0e8a7af3a4e650370ae.tar.gz
vyos-1x-e10893227a0acb239daaf0e8a7af3a4e650370ae.zip
vyos.util: openvpn: migrate to chmod_600()
-rw-r--r--python/vyos/util.py10
-rwxr-xr-xsrc/conf_mode/interfaces-openvpn.py25
2 files changed, 20 insertions, 15 deletions
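--- a/python/vyos/util.py
+++ b/python/vyos/util.py
@@ -196,6 +196,16 @@ def chown(path, user, group):
 gid = getgrnam(group).gr_gid
 os.chown(path, uid, gid)
+
+def chmod_600(path):
+ """ make file only read/writable by owner """
+ from stat import S_IRUSR, S_IWUSR
+
+ if os.path.exists(path):
+ bitmask = S_IRUSR | S_IWUSR
+ os.chmod(path, bitmask)
+
+
 def chmod_750(path):
 """ make file/directory only executable to user and group """
 from stat import S_IRUSR, S_IWUSR, S_IXUSR, S_IRGRP, S_IXGRP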
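Review bot: chmod_600() silently does nothing when `path` does not exist, so a missing key or secret file never gets its mode tightened and the caller is not told; since the callers introduced by this commit pass key-material paths, letting `os.chmod` raise FileNotFoundError, or returning a bool the caller can check, would be the more defensible contract. The exists-then-chmod sequence is also a check-then-act pair, and `os.chmod` follows symlinks, so a symlink at `path` changes the mode of its target rather than of the link. If the silent skip is deliberate (the removed fixup_permission() behaved the same way), the docstring should say so: `""" make file only read/writable by owner; a missing path is silently ignored """`. chmod_750() directly below appears to follow the same shape; its body continues outside the hunk.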
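--- a/src/conf_mode/interfaces-openvpn.py
+++ b/src/conf_mode/interfaces-openvpn.py
@@ -20,7 +20,6 @@ import re
 from jinja2 import FileSystemLoader, Environment
 from copy import deepcopy
 from sys import exit
-from stat import S_IRUSR
 from ipaddress import ip_address,ip_network,IPv4Interface
 from netifaces import interfaces
 from time import sleep
@@ -29,7 +28,7 @@ from shutil import rmtree
 from vyos.config import Config
 from vyos.defaults import directories as vyos_data_dir
 from vyos.ifconfig import VTunIf
-from vyos.util import call, is_bridge_member, chown, chmod_755
+from vyos.util import call, is_bridge_member, chown, chmod_600, chmod_755
 from vyos.validate import is_addr_assigned
 from vyos import ConfigError
@@ -107,15 +106,6 @@ def openvpn_mkdir(directory):
 chmod_755(directory)
 chown(directory, user, group)
-def fixup_permission(filename, permission=S_IRUSR):
- """
- Check if the given file exists and change ownershit to root/vyattacfg
- and appripriate file access permissions - default is user and group readable
- """
- if os.path.isfile(filename):
- os.chmod(filename, permission)
- chown(filename, 'root', 'vyattacfg')
-
 def checkCertHeader(header, filename):
 """
 Verify if filename contains specified header.
@@ -693,16 +683,17 @@ def generate(openvpn):
 openvpn_mkdir(directory + '/ccd/' + interface)
 # Fix file permissons for keys
- fixup_permission(openvpn['shared_secret_file'])
- fixup_permission(openvpn['tls_key'])
+ fix_permissions = []
+ fix_permissions.append(openvpn['shared_secret_file'])
+ fix_permissions.append(openvpn['tls_key'])
 # Generate User/Password authentication file
 if openvpn['auth']:
 auth_file = '/tmp/openvpn-{}-pw'.format(interface)
 with open(auth_file, 'w') as f:
 f.write('{}\n{}'.format(openvpn['auth_user'], openvpn['auth_pass']))
-
- fixup_permission(auth_file)
+ # also change permission on auth file
+ fix_permissions.append(auth_file)
 else:
 # delete old auth file if present
@@ -727,6 +718,10 @@ def generate(openvpn):
 f.write(config_text)
 chown(get_config_name(interface), user, group)
+ # Fixup file permissions
+ for file in fix_permissions:
+ chmod_600(file)
+
 return None
 def apply(openvpn):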
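Review bot: The user/password file at `auth_file` is still created with a plain `open(auth_file, 'w')` under the process umask, and its mode is now only tightened in the new loop at the end of generate() after the config template has been rendered and written, so the plaintext credentials sit with default permissions for longer than before, when fixup_permission(auth_file) ran right after the write. Creating the file with a restrictive mode from the start closes that window: `with os.fdopen(os.open(auth_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), 'w') as f:` (`os` is already used by the removed helper), keeping the later chmod_600() for a pre-existing file. The removed fixup_permission() also did `chown(filename, 'root', 'vyattacfg')`, which chmod_600() does not; with mode 0600 the current owner of shared_secret_file, tls_key and the auth file is the only account able to read them, which is worth confirming against the `user`/`group` passed to chown() for the config file two lines above the loop. The list built by two `append` calls reads more clearly as a literal, `fix_permissions = [openvpn['shared_secret_file'], openvpn['tls_key']]`. generate() begins outside these hunks.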