Create /var/lib/etcd with 700 permissions instead of 755

[jburks725]

Per CIS benchmark 1.4.11, the permissions on /var/lib/etcd should be 0700, not 0755. This directory appears to be created here:

e2d/pkg/manager/server.go

Lines 169 to 171 in 40a7ba9

	if err := os.MkdirAll(cfg.Dir, 0755); err != nil && !os.IsExist(err) {
	return errors.Wrapf(err, "cannot create etcd data dir: %#v", cfg.Dir)
	}

Please correct the permissions on this data directory.

[rbtr]

This seems to me to be very Kubernetes/CIS specific and not fundamental to how e2d runs etcd. 755 (rwxr-xr-x) is a reasonable default for a service config/data directory.

I think if you have different permissions requirements, you should just create the dir ahead of time - MkdirAll will noop if the dir structure already exists and will leave your permissions intact (ref).

[ChrisRx]

I agree with @rbtr that this is Kubernetes specific and that 755 is a reasonable default.

Another thing to mention is that the mode passed to MkdirAll is the permission bits BEFORE umask. This makes the current behavior ideal because it uses a reasonable default and systems that require more specific user file-creation modes should have their umask set appropriately based upon need.