daemon: Change default access rights of runtime directory to 0770

It used to be 0755 which made the runtime directories accessible to everyone if run directly in the host filesystem. As the UNIX domain socket requires write permissions in order to onnect(), it was always only every usable for the user owner. Signed-off-by: <thomas@cilium.io>
cilium · Mar 10, 2017 · eeeecf8 · eeeecf8
1 parent 912a0a1
commit eeeecf8
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 6 deletions.
diff --git a/daemon/daemon.go b/daemon/daemon.go
@@ -36,6 +36,7 @@ import (
 	"github.com/cilium/cilium/common/addressing"
 	"github.com/cilium/cilium/common/ipam"
 	"github.com/cilium/cilium/common/types"
+	"github.com/cilium/cilium/daemon/defaults"
 	"github.com/cilium/cilium/daemon/options"
 	"github.com/cilium/cilium/pkg/apierror"
 	"github.com/cilium/cilium/pkg/bpf"
@@ -223,7 +224,7 @@ func (d *Daemon) useK8sNodeCIDR(nodeName string) error {
 
 func (d *Daemon) init() error {
 	globalsDir := filepath.Join(d.conf.RunDir, "globals")
-	if err := os.MkdirAll(globalsDir, 0755); err != nil {
+	if err := os.MkdirAll(globalsDir, defaults.RuntimePathRights); err != nil {
 		log.Fatalf("Could not create runtime directory %s: %s", globalsDir, err)
 	}
 

diff --git a/daemon/defaults/defaults.go b/daemon/defaults/defaults.go
@@ -15,15 +15,18 @@
 package defaults
 
 const (
-	// Default path to runtime files
+	// RuntimePath is the default path to the runtime directory
 	RuntimePath = "/var/run/cilium"
 
-	// Default path to static library files
+	// RuntimePathRights are the default access rights of the RuntimePath directory
+	RuntimePathRights = 0770
+
+	// LibDir is the default path to static library files
 	LibDir = "/usr/lib/cilium"
 
-	// Path to UNIX domain socket exposing the API to clients
+	// SockPath is the path to the UNIX domain socket exposing the API to clients locally
 	SockPath = RuntimePath + "/cilium.sock"
 
-	// Environment variable for UNIX domain socket
+	// SockPathEnv is the environment variable to overwrite SockPath
 	SockPathEnv = "CILIUM_SOCK"
 )
diff --git a/daemon/main.go b/daemon/main.go
@@ -148,7 +148,7 @@ func initConfig() {
 
 func initEnv() {
 	socketDir := path.Dir(socketPath)
-	if err := os.MkdirAll(socketDir, 0700); err != nil {
+	if err := os.MkdirAll(socketDir, defaults.RuntimePathRights); err != nil {
 		log.Fatalf("Cannot mkdir directory \"%s\" for cilium socket: %s", socketDir, err)
 	}