From e748816f5427a894344df5a4246d6fc47e212592 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Mon, 11 May 2020 12:04:52 -0500 Subject: [PATCH 1/2] LMDB files are now created with correct permissions and group ownership When run as privileged user LMDB files will be created with system group matching MPF body perms system_owned(). When un-privileged, no change in group will be made. In both cases permissions will be 0600 as expected by MPF cfe_internal/enterprise/CFE_knowledge.cf. Ticket: ENT-5986 Changelog: Title --- libpromises/conversion.c | 3 +-- libpromises/dbm_lmdb.c | 38 +++++++++++++++++++++++++++++++++++++- libutils/definitions.h | 11 +++++++++++ tests/load/Makefile.am | 2 +- tests/unit/Makefile.am | 2 +- 5 files changed, 51 insertions(+), 5 deletions(-) diff --git a/libpromises/conversion.c b/libpromises/conversion.c index f812ca491a..eb11fcb838 100644 --- a/libpromises/conversion.c +++ b/libpromises/conversion.c @@ -1190,10 +1190,9 @@ gid_t Str2Gid(const char *gidbuff, char *groupcopy, const Promise *pp) } else if ((gr = getgrnam(gidbuff)) == NULL) { - Log(LOG_LEVEL_INFO, "Unknown group '%s' in promise", gidbuff); - if (pp) { + Log(LOG_LEVEL_INFO, "Unknown group '%s' in promise", gidbuff); PromiseRef(LOG_LEVEL_INFO, pp); } diff --git a/libpromises/dbm_lmdb.c b/libpromises/dbm_lmdb.c index 65d08fe1ec..2bed01bba1 100644 --- a/libpromises/dbm_lmdb.c +++ b/libpromises/dbm_lmdb.c @@ -34,6 +34,7 @@ #include #include #include +#include #ifdef LMDB @@ -537,7 +538,31 @@ DBPriv *DBPrivOpenDB(const char *dbpath, dbid id) open_flags |= MDB_WRITEMAP; #endif - rc = LmdbEnvOpen(db->env, dbpath, open_flags, 0644); +#ifndef __MINGW32__ + // If effective user is root then change to system group for lmdb files + // otherwise leave group as-is. + uid_t p_euid = geteuid(); + gid_t current_gid = getgid(); + if (p_euid == 0) + { + gid_t system_gid = Str2Gid(CF_SYSTEM_GROUP, NULL /* no groupcopy */, NULL /* no Promise */); + if (system_gid == CF_SAME_GROUP || system_gid == CF_UNKNOWN_GROUP) + { + Log(LOG_LEVEL_ERR, "Could not get gid_t for CF_SYSTEM_GROUP('%s'), got %d", CF_SYSTEM_GROUP, system_gid); + goto err; + } + else + { + rc = setgid(system_gid); + if (rc) + { + Log(LOG_LEVEL_WARNING, "Could not set system group. setgid(%d): %s", system_gid, strerror(errno)); + } + } + } +#endif + + rc = LmdbEnvOpen(db->env, dbpath, open_flags, CF_PERMS_DEFAULT); if (rc) { Log(LOG_LEVEL_ERR, "Could not open database %s: %s", @@ -546,6 +571,17 @@ DBPriv *DBPrivOpenDB(const char *dbpath, dbid id) { HandleLMDBCorruption(db->env, mdb_strerror(rc)); } +#ifndef __MINGW32__ + if (p_euid == 0) + { + rc = setgid(current_gid); + if (rc) + { + Log(LOG_LEVEL_ERR, "Could not set group id back to previous value."); + goto err; + } + } +#endif goto err; } if (DB_MAX_READERS > 0) diff --git a/libutils/definitions.h b/libutils/definitions.h index 4c813b7e5e..a812cdd1d6 100644 --- a/libutils/definitions.h +++ b/libutils/definitions.h @@ -44,4 +44,15 @@ #define CF_BUFSIZE 4096 #define CF_EXPANDSIZE (2 * CF_BUFSIZE) +/***************************************************************************** + * File Ownership * + *****************************************************************************/ +#ifdef __FreeBSD__ +# define CF_SYSTEM_GROUP "wheel" +#elseif __Solaris__ +# define CF_SYSTEM_GROUP "sys" +#else +# define CF_SYSTEM_GROUP "root" +#endif + #endif // CFENGINE_DEFINITIONS_H diff --git a/tests/load/Makefile.am b/tests/load/Makefile.am index 03edd33b19..1a08ba3d74 100644 --- a/tests/load/Makefile.am +++ b/tests/load/Makefile.am @@ -50,7 +50,7 @@ check_PROGRAMS = db_load lastseen_load lastseen_threaded_load db_load_SOURCES = db_load.c -db_load_LDADD = ../unit/libdb.la +db_load_LDADD = ../unit/libdb.la ../../libpromises/libpromises.la lastseen_load_SOURCES = lastseen_load.c \ diff --git a/tests/unit/Makefile.am b/tests/unit/Makefile.am index e4bd304e58..712e430d7f 100644 --- a/tests/unit/Makefile.am +++ b/tests/unit/Makefile.am @@ -319,7 +319,7 @@ db_test_LDADD = libtest.la ../../libpromises/libpromises.la db_concurrent_test_SOURCES = db_concurrent_test.c #db_concurrent_test_CPPFLAGS = $(libdb_la_CPPFLAGS) -db_concurrent_test_LDADD = libdb.la +db_concurrent_test_LDADD = libdb.la ../../libpromises/libpromises.la lastseen_test_SOURCES = lastseen_test.c \ ../../libpromises/item_lib.c \ From 9bd706e42ca09a5e9caf67f1cdc4b4a7ce04b2d2 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Tue, 19 May 2020 09:14:11 -0500 Subject: [PATCH 2/2] Added CF_PERMS_DEFAULT, CF_PERMS_SHARED and CF_SYSTEM_GROUP defines --- libutils/definitions.h | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/libutils/definitions.h b/libutils/definitions.h index a812cdd1d6..640b634721 100644 --- a/libutils/definitions.h +++ b/libutils/definitions.h @@ -44,15 +44,24 @@ #define CF_BUFSIZE 4096 #define CF_EXPANDSIZE (2 * CF_BUFSIZE) +/***************************************************************************** + * File permissions * + *****************************************************************************/ +// 0600 - Read/Write for owner +#define CF_PERMS_DEFAULT S_IRUSR | S_IWUSR +// 0644 - World readable +#define CF_PERMS_SHARED CF_PERMS_DEFAULT | S_IRGRP | S_IROTH + /***************************************************************************** * File Ownership * *****************************************************************************/ -#ifdef __FreeBSD__ +#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__APPLE__) # define CF_SYSTEM_GROUP "wheel" -#elseif __Solaris__ +#elif defined(__sun__) || defined(__hpux__) # define CF_SYSTEM_GROUP "sys" +#elif defined(_AIX) +# define CF_SYSTEM_GROUP "system" #else # define CF_SYSTEM_GROUP "root" #endif - #endif // CFENGINE_DEFINITIONS_H