From e10893227a0acb239daaf0e8a7af3a4e650370ae Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Sun, 12 Apr 2020 11:24:45 +0200
Subject: vyos.util: openvpn: migrate to chmod_600()

---
 python/vyos/util.py                 | 10 ++++++++++
 src/conf_mode/interfaces-openvpn.py | 25 ++++++++++---------------
 2 files changed, 20 insertions(+), 15 deletions(-)

diff --git a/python/vyos/util.py b/python/vyos/util.py
index 7308dd9b5..000b13025 100644
--- a/python/vyos/util.py
+++ b/python/vyos/util.py
@@ -196,6 +196,16 @@ def chown(path, user, group):
     gid = getgrnam(group).gr_gid
     os.chown(path, uid, gid)
 
+
+def chmod_600(path):
+    """ make file only read/writable by owner """
+    from stat import S_IRUSR, S_IWUSR
+
+    if os.path.exists(path):
+        bitmask = S_IRUSR | S_IWUSR
+        os.chmod(path, bitmask)
+
+
 def chmod_750(path):
     """ make file/directory only executable to user and group """
     from stat import S_IRUSR, S_IWUSR, S_IXUSR, S_IRGRP, S_IXGRP
diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py
index b3bc78150..2e8dc0855 100755
--- a/src/conf_mode/interfaces-openvpn.py
+++ b/src/conf_mode/interfaces-openvpn.py
@@ -20,7 +20,6 @@ import re
 from jinja2 import FileSystemLoader, Environment
 from copy import deepcopy
 from sys import exit
-from stat import S_IRUSR
 from ipaddress import ip_address,ip_network,IPv4Interface
 from netifaces import interfaces
 from time import sleep
@@ -29,7 +28,7 @@ from shutil import rmtree
 from vyos.config import Config
 from vyos.defaults import directories as vyos_data_dir
 from vyos.ifconfig import VTunIf
-from vyos.util import call, is_bridge_member, chown, chmod_755
+from vyos.util import call, is_bridge_member, chown, chmod_600, chmod_755
 from vyos.validate import is_addr_assigned
 from vyos import ConfigError
 
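Review bot: chmod_600() returns silently when `path` does not exist, so a missing shared-secret or TLS key file is never reported at this layer, and unlike the openvpn-local helper this commit removes it does not reset ownership; both facts belong in the docstring, e.g. `""" Make file read/writable by owner only (0600). Silently a no-op if path is missing; ownership is left unchanged. """`. The exists()-then-chmod() pair is also a check-then-act sequence; `try: os.chmod(path, S_IRUSR | S_IWUSR) except FileNotFoundError: pass` keeps the tolerant behaviour without the gap. Note too that `os.path.exists()` accepts directories where the removed helper used `isfile()`, which is probably fine for a general utility but is a small behaviour change for the openvpn callers.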
@@ -107,15 +106,6 @@ def openvpn_mkdir(directory):
     chmod_755(directory)
     chown(directory, user, group)
 
-def fixup_permission(filename, permission=S_IRUSR):
-    """
-    Check if the given file exists and change ownershit to root/vyattacfg
-    and appripriate file access permissions - default is user and group readable
-    """
-    if os.path.isfile(filename):
-        os.chmod(filename, permission)
-        chown(filename, 'root', 'vyattacfg')
-
 def checkCertHeader(header, filename):
     """
     Verify if filename contains specified header.
@@ -693,16 +683,17 @@ def generate(openvpn):
         openvpn_mkdir(directory + '/ccd/' + interface)
 
     # Fix file permissons for keys
-    fixup_permission(openvpn['shared_secret_file'])
-    fixup_permission(openvpn['tls_key'])
+    fix_permissions = []
+    fix_permissions.append(openvpn['shared_secret_file'])
+    fix_permissions.append(openvpn['tls_key'])
 
     # Generate User/Password authentication file
     if openvpn['auth']:
         auth_file = '/tmp/openvpn-{}-pw'.format(interface)
         with open(auth_file, 'w') as f:
             f.write('{}\n{}'.format(openvpn['auth_user'], openvpn['auth_pass']))
-
-        fixup_permission(auth_file)
+        # also change permission on auth file
+        fix_permissions.append(auth_file)
 
     else:
         # delete old auth file if present
@@ -727,6 +718,10 @@ def generate(openvpn):
             f.write(config_text)
         chown(get_config_name(interface), user, group)
 
+    # Fixup file permissions
+    for file in fix_permissions:
+        chmod_600(file)
+
     return None
 
 def apply(openvpn):
-- 
cgit v1.2.3
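Review bot: The credential file is still created with `open(auth_file, 'w')`, so until the chmod_600() loop at the end of generate() runs it carries whatever mode the process umask yields (typically 0644) inside world-accessible /tmp, and this commit moves that chmod further from the write than the previous fixup_permission() call immediately after the `with` block. Creating the file with its final mode closes the window: `fd = os.open(auth_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` then `with os.fdopen(fd, 'w') as f:` in place of the open() call; the later chmod_600() can stay to cover a pre-existing file, whose mode O_CREAT does not touch. Because the path lives in /tmp, adding `os.O_NOFOLLOW` (or moving the file to a directory that is not world-writable) is also worth considering so a pre-placed symlink cannot redirect a root write, though whether that is reachable depends on sysctl and mount settings not visible here. generate() begins and ends outside these hunks.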