Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Windows support: restrict access to data directories #3227

Merged
merged 1 commit into from
Jul 7, 2022
Merged

Windows support: restrict access to data directories #3227

merged 1 commit into from
Jul 7, 2022

Conversation

amartinezfayo
Copy link
Member

Agent and server data directories on Windows are currently created using a NULL security descriptor. As a result, the directories get a default security descriptor and the ACLs are inherited from the parent directory. This is because of the lack of support of security descriptors in the os.MkdirAll function.

This change introduces a custom implementation of the os.MkdirAll function so that a security descriptor can be applied.
Data directories are now created with a security descriptor that grants full access to the owner only.

This is part of #3189.

@amartinezfayo
Secure data directories created on Windows
7c558f3 
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
@amartinezfayo amartinezfayo added this to the 1.4.0 milestone Jul 6, 2022
azdagron
azdagron approved these changes Jul 7, 2022
View reviewed changes
Copy link
Member

@azdagron azdagron left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks great. Thanks, @amartinezfayo !

@amartinezfayo amartinezfayo merged commit e061701 into spiffe:main Jul 7, 2022
@amartinezfayo amartinezfayo mentioned this pull request Jul 27, 2022
Closed
@amartinezfayo amartinezfayo deleted the windows-sd-data-dirs branch March 1, 2023 18:01
stevend-uber pushed a commit to stevend-uber/spire that referenced this pull request Oct 16, 2023
@amartinezfayo @stevend-uber
Secure data directories created on Windows (spiffe#3227)
b892a00 
Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@azdagron azdagron azdagron approved these changes

@evan2645 evan2645 Awaiting requested review from evan2645 evan2645 is a code owner

@MarcosDY MarcosDY Awaiting requested review from MarcosDY MarcosDY is a code owner

@rturner3 rturner3 Awaiting requested review from rturner3 rturner3 is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
1.4.0
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@amartinezfayo @azdagron