[
https://issues.apache.org/jira/browse/BROOKLYN-46?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14092560#comment-14092560
]
ASF GitHub Bot commented on BROOKLYN-46:
----------------------------------------
Github user sjcorbett commented on a diff in the pull request:
https://github.com/apache/incubator-brooklyn/pull/114#discussion_r16041800
--- Diff: utils/common/src/main/java/brooklyn/util/io/FileUtil.java ---
@@ -0,0 +1,146 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package brooklyn.util.io;
+
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.util.List;
+
+import org.apache.commons.io.FileUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import brooklyn.util.exceptions.Exceptions;
+import brooklyn.util.guava.Maybe;
+import brooklyn.util.os.Os;
+import brooklyn.util.stream.StreamGobbler;
+import brooklyn.util.stream.Streams;
+
+import com.google.common.annotations.Beta;
+import com.google.common.collect.ImmutableList;
+
+public class FileUtil {
+
+ private static final Logger LOG =
LoggerFactory.getLogger(FileUtil.class);
+
+ // When we move to java 7, we can use Files.setPosixFilePermissions
+ public static void setFilePermissionsTo700(File file) throws
IOException {
+ file.createNewFile();
+ file.setExecutable(false, false);
+ file.setReadable(false, false);
+ file.setWritable(false, false);
+ file.setReadable(true, true);
+ file.setWritable(true, true);
+ file.setExecutable(true, true);
--- End diff --
It would be worth checking the return values from these set calls and
logging a warning if any are false.
> Files created by persistence mechanism should not be readable by other users
> ----------------------------------------------------------------------------
>
> Key: BROOKLYN-46
> URL: https://issues.apache.org/jira/browse/BROOKLYN-46
> Project: Brooklyn
> Issue Type: Bug
> Reporter: Sam Corbett
> Assignee: Aled Sage
>
> Originally reported at:
> https://github.com/brooklyncentral/brooklyn/issues/1240
> Files containing persisted state have permissions 644. Files containing
> persisted locations contain private key data. Other users should not be able
> to read this data. We should follow ssh's practice and restrict access to the
> user that owns the private key.
> {code}
> $ su otheruser
> $ ls -l /Users/sam/.brooklyn/brooklyn-persisted-state/data/locations
> total 112
> -rw-r--r-- 1 sam staff 2319 10 Mar 10:38 BhIXCfBt
> -rw-r--r-- 1 sam staff 2317 10 Mar 10:38 FktCwLnX
> ...
> $ cat /Users/sam/.brooklyn/brooklyn-persisted-state/data/locations/BhIXCfBt
> <location>
> <brooklynVersion>0.7.0-SNAPSHOT</brooklynVersion>
> <type>brooklyn.location.basic.SshMachineLocation</type>
> <id>BhIXCfBt</id>
> <displayName>SshMachineLocation:BhIX</displayName>
> <children/>
> <locationConfig>
> <longitude type="double">-77.48750305175781</longitude>
> <port type="int">22</port>
> <latitude type="double">39.043701171875</latitude>
> <user>sam</user>
> <privateKeyData>-----BEGIN RSA PRIVATE KEY-----
> ... :-(
> {code}
--
This message was sent by Atlassian JIRA
(v6.2#6252)
