Windows support: prevent the creation of directories for UDS endpoints (

spiffe#3192) * Windows support: prevent the creation of directories for UDS endpoints Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
stevend-uber · Oct 13, 2023 · b513377 · b513377
1 parent b83d15e
commit b513377
Show file tree

Hide file tree

Showing 10 changed files with 85 additions and 63 deletions.
diff --git a/cmd/spire-agent/cli/run/run.go b/cmd/spire-agent/cli/run/run.go
@@ -173,29 +173,9 @@ func (cmd *Command) Run(args []string) int {
 		return 1
 	}
 
-	// Create uds dir and parents if not exists
-	dir := filepath.Dir(c.BindAddress.String())
-	if _, statErr := os.Stat(dir); os.IsNotExist(statErr) {
-		c.Log.WithField("dir", dir).Infof("Creating spire agent UDS directory")
-		if err := os.MkdirAll(dir, 0755); err != nil {
-			fmt.Fprintln(cmd.env.Stderr, err)
-			return 1
-		}
-	}
-
-	// Set umask before starting up the agent
-	common_cli.SetUmask(c.Log)
-
-	if c.AdminBindAddress != nil {
-		// Create uds dir and parents if not exists
-		adminDir := filepath.Dir(c.AdminBindAddress.String())
-		if _, statErr := os.Stat(adminDir); os.IsNotExist(statErr) {
-			c.Log.WithField("dir", adminDir).Infof("Creating admin UDS directory")
-			if err := os.MkdirAll(adminDir, 0755); err != nil {
-				fmt.Fprintln(cmd.env.Stderr, err)
-				return 1
-			}
-		}
+	if err := prepareEndpoints(c); err != nil {
+		fmt.Fprintln(cmd.env.Stderr, err)
+		return 1
 	}
 
 	a := agent.New(c)

diff --git a/cmd/spire-agent/cli/run/run_posix.go b/cmd/spire-agent/cli/run/run_posix.go
@@ -8,10 +8,13 @@ import (
 	"flag"
 	"fmt"
 	"net"
+	"os"
 	"path/filepath"
 	"strings"
 
 	"github.com/spiffe/spire/cmd/spire-agent/cli/common"
+	"github.com/spiffe/spire/pkg/agent"
+	common_cli "github.com/spiffe/spire/pkg/common/cli"
 	"github.com/spiffe/spire/pkg/common/util"
 )
 
@@ -61,3 +64,30 @@ func (c *agentConfig) validateOS() error {
 	}
 	return nil
 }
+
+func prepareEndpoints(c *agent.Config) error {
+	// Create uds dir and parents if not exists
+	dir := filepath.Dir(c.BindAddress.String())
+	if _, statErr := os.Stat(dir); os.IsNotExist(statErr) {
+		c.Log.WithField("dir", dir).Infof("Creating spire agent UDS directory")
+		if err := os.MkdirAll(dir, 0755); err != nil {
+			return err
+		}
+	}
+
+	// Set umask before starting up the agent
+	common_cli.SetUmask(c.Log)
+
+	if c.AdminBindAddress != nil {
+		// Create uds dir and parents if not exists
+		adminDir := filepath.Dir(c.AdminBindAddress.String())
+		if _, statErr := os.Stat(adminDir); os.IsNotExist(statErr) {
+			c.Log.WithField("dir", adminDir).Infof("Creating admin UDS directory")
+			if err := os.MkdirAll(adminDir, 0755); err != nil {
+				return err
+			}
+		}
+	}
+
+	return nil
+}
diff --git a/cmd/spire-agent/cli/run/run_windows.go b/cmd/spire-agent/cli/run/run_windows.go
@@ -9,6 +9,7 @@ import (
 	"net"
 
 	"github.com/spiffe/spire/cmd/spire-agent/cli/common"
+	"github.com/spiffe/spire/pkg/agent"
 	"github.com/spiffe/spire/pkg/common/util"
 )
 
@@ -42,3 +43,8 @@ func (c *agentConfig) validateOS() error {
 	}
 	return nil
 }
+
+func prepareEndpoints(c *agent.Config) error {
+	// Nothing to do in this platform
+	return nil
+}
diff --git a/pkg/common/cli/umask.go b/pkg/common/cli/umask.go
diff --git a/pkg/common/cli/umask_posix.go b/pkg/common/cli/umask_posix.go
@@ -2,10 +2,24 @@
 
 package cli
 
-import "syscall"
+import (
+	"syscall"
 
-const umaskSupported = true
+	"github.com/sirupsen/logrus"
+)
 
-func setUmask(umask int) int {
-	return syscall.Umask(umask)
+// The umask for SPIRE processes should not allow write by group, or
+// read/write/execute by everyone.
+const minimumUmask = 0027
+
+// SetUmask sets the minimumUmask.
+func SetUmask(log logrus.FieldLogger) {
+	// Otherwise, make sure the current umask meets the minimum.
+	currentUmask := syscall.Umask(minimumUmask)
+	if (currentUmask & minimumUmask) != minimumUmask {
+		badUmask := currentUmask
+		currentUmask |= minimumUmask
+		log.Warnf("Current umask %#04o is too permissive; setting umask %#04o", badUmask, currentUmask)
+	}
+	_ = syscall.Umask(currentUmask)
 }
diff --git a/pkg/common/cli/umask_test.go → pkg/common/cli/umask_posix_test.go b/pkg/common/cli/umask_test.go → pkg/common/cli/umask_posix_test.go
@@ -1,6 +1,9 @@
+//go:build !windows
+
 package cli
 
 import (
+	"syscall"
 	"testing"
 
 	"github.com/google/go-cmp/cmp"
@@ -9,11 +12,6 @@ import (
 )
 
 func TestUmask(t *testing.T) {
-	if !umaskSupported {
-		t.Logf("umask is not supported on this platform")
-		t.Skip()
-	}
-
 	testCases := []struct {
 		Initial  int
 		Expected int
@@ -41,9 +39,9 @@ func TestUmask(t *testing.T) {
 	for _, testCase := range testCases {
 		log, hook := test.NewNullLogger()
 		t.Logf("test case: %+v", testCase)
-		_ = setUmask(testCase.Initial)
+		_ = syscall.Umask(testCase.Initial)
 		SetUmask(log)
-		actualUmask := setUmask(0022)
+		actualUmask := syscall.Umask(0022)
 		assert.Equal(t, testCase.Expected, actualUmask, "umask")
 		assert.Empty(t, cmp.Diff(testCase.Logs, gatherLogs(hook)))
 	}

diff --git a/pkg/common/cli/umask_windows.go b/pkg/common/cli/umask_windows.go
@@ -1,7 +1,11 @@
+//go:build windows
+// +build windows
+
 package cli
 
-const umaskSupported = false
+import "github.com/sirupsen/logrus"
 
-func setUmask(umask int) int {
-	return umask
+// SetUmask does nothing on Windows
+func SetUmask(log logrus.FieldLogger) {
+	// Nothing to do in this platform
 }
diff --git a/pkg/server/endpoints/endpoints.go b/pkg/server/endpoints/endpoints.go
@@ -7,7 +7,6 @@ import (
 	"fmt"
 	"net"
 	"os"
-	"path/filepath"
 	"time"
 
 	"github.com/spiffe/spire/pkg/server/cache/entrycache"
@@ -96,8 +95,8 @@ type RateLimitConfig struct {
 
 // New creates new endpoints struct
 func New(ctx context.Context, c Config) (*Endpoints, error) {
-	if err := os.MkdirAll(filepath.Dir(c.LocalAddr.String()), 0750); err != nil {
-		return nil, fmt.Errorf("unable to create socket directory: %w", err)
+	if err := prepareLocalAddr(c.LocalAddr); err != nil {
+		return nil, err
 	}
 
 	if c.AuthPolicyEngine == nil {

diff --git a/pkg/server/endpoints/endpoints_posix.go b/pkg/server/endpoints/endpoints_posix.go
@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"net"
 	"os"
+	"path/filepath"
 
 	"github.com/spiffe/spire/pkg/common/peertracker"
 )
@@ -31,3 +32,11 @@ func (e *Endpoints) restrictLocalAddr() error {
 	// group as the server.
 	return os.Chmod(e.LocalAddr.String(), 0770)
 }
+
+func prepareLocalAddr(localAddr net.Addr) error {
+	if err := os.MkdirAll(filepath.Dir(localAddr.String()), 0750); err != nil {
+		return fmt.Errorf("unable to create socket directory: %w", err)
+	}
+
+	return nil
+}
diff --git a/pkg/server/endpoints/endpoints_windows.go b/pkg/server/endpoints/endpoints_windows.go
@@ -29,3 +29,8 @@ func (e *Endpoints) restrictLocalAddr() error {
 	// Nothing else is needed to be done here.
 	return nil
 }
+
+func prepareLocalAddr(localAddr net.Addr) error {
+	// Nothing to do in this platform
+	return nil
+}