[
https://issues.apache.org/jira/browse/BROOKLYN-46?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14092561#comment-14092561
]
ASF GitHub Bot commented on BROOKLYN-46:
----------------------------------------
Github user sjcorbett commented on a diff in the pull request:
https://github.com/apache/incubator-brooklyn/pull/114#discussion_r16041801
--- Diff: utils/common/src/main/java/brooklyn/util/io/FileUtil.java ---
@@ -0,0 +1,146 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package brooklyn.util.io;
+
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.util.List;
+
+import org.apache.commons.io.FileUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import brooklyn.util.exceptions.Exceptions;
+import brooklyn.util.guava.Maybe;
+import brooklyn.util.os.Os;
+import brooklyn.util.stream.StreamGobbler;
+import brooklyn.util.stream.Streams;
+
+import com.google.common.annotations.Beta;
+import com.google.common.collect.ImmutableList;
+
+public class FileUtil {
+
+ private static final Logger LOG =
LoggerFactory.getLogger(FileUtil.class);
+
+ // When we move to java 7, we can use Files.setPosixFilePermissions
+ public static void setFilePermissionsTo700(File file) throws
IOException {
+ file.createNewFile();
+ file.setExecutable(false, false);
+ file.setReadable(false, false);
+ file.setWritable(false, false);
+ file.setReadable(true, true);
+ file.setWritable(true, true);
+ file.setExecutable(true, true);
+ }
+
+ // When we move to java 7, we can use Files.setPosixFilePermissions
+ public static void setFilePermissionsTo600(File file) throws
IOException {
+ file.createNewFile();
+ file.setExecutable(false, false);
+ file.setReadable(false, false);
+ file.setWritable(false, false);
+ file.setReadable(true, true);
+ file.setWritable(true, true);
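Review bot: In both setFilePermissionsTo700 and setFilePermissionsTo600 the boolean results of setReadable, setWritable and setExecutable are discarded, so a call that fails leaves the file with its wider permissions and the caller never finds out. Check each result and throw an IOException (or at least warn through LOG) when one returns false. Both methods also start with file.createNewFile(), which creates a missing file with the process default permissions before they are narrowed and is a surprising side effect for a method named as a setter; document it or create the file separately. The visible lines of the 600 variant repeat those of the 700 variant, so a shared private helper would remove the duplication, and neither method has Javadoc describing the resulting mode.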
--- End diff --
As above.
> Files created by persistence mechanism should not be readable by other users
> ----------------------------------------------------------------------------
>
> Key: BROOKLYN-46
> URL: https://issues.apache.org/jira/browse/BROOKLYN-46
> Project: Brooklyn
> Issue Type: Bug
> Reporter: Sam Corbett
> Assignee: Aled Sage
>
> Originally reported at:
> https://github.com/brooklyncentral/brooklyn/issues/1240
> Files containing persisted state have permissions 644. Files containing
> persisted locations contain private key data. Other users should not be able
> to read this data. We should follow ssh's practice and restrict access to the
> user that owns the private key.
> {code}
> $ su otheruser
> $ ls -l /Users/sam/.brooklyn/brooklyn-persisted-state/data/locations
> total 112
> -rw-r--r-- 1 sam staff 2319 10 Mar 10:38 BhIXCfBt
> -rw-r--r-- 1 sam staff 2317 10 Mar 10:38 FktCwLnX
> ...
> $ cat /Users/sam/.brooklyn/brooklyn-persisted-state/data/locations/BhIXCfBt
> <location>
> <brooklynVersion>0.7.0-SNAPSHOT</brooklynVersion>
> <type>brooklyn.location.basic.SshMachineLocation</type>
> <id>BhIXCfBt</id>
> <displayName>SshMachineLocation:BhIX</displayName>
> <children/>
> <locationConfig>
> <longitude type="double">-77.48750305175781</longitude>
> <port type="int">22</port>
> <latitude type="double">39.043701171875</latitude>
> <user>sam</user>
> <privateKeyData>-----BEGIN RSA PRIVATE KEY-----
> ... :-(
> {code}
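As an added example (not code from the pull request or from Brooklyn): with the Java 7 NIO API a file can be created with mode 600 in a single call, so it is never readable by other users, and a persisted-state directory can be checked for files that still are. The class and method names are hypothetical, the sample file names and contents are constructed, and a POSIX file system is assumed.

```java
import java.io.IOException;
import java.nio.file.*;
import java.nio.file.attribute.*;
import java.util.*;

// Added example; class and method names are hypothetical. Assumes a POSIX file system.
public class OwnerOnlyFiles {

    /** Creates the file with mode 600 in one call, then writes the data. */
    static Path writeOwnerOnly(Path path, byte[] data) throws IOException {
        Set<PosixFilePermission> rwOwner = PosixFilePermissions.fromString("rw-------");
        // Permissions are applied at creation; fails if the file already exists
        // instead of reusing one that may have wider permissions.
        Files.createFile(path, PosixFilePermissions.asFileAttribute(rwOwner));
        Files.write(path, data);
        return path;
    }

    /** Returns regular files directly under dir that grant any group/other access. */
    static List<Path> findExposed(Path dir) throws IOException {
        List<Path> exposed = new ArrayList<>();
        try (DirectoryStream<Path> entries = Files.newDirectoryStream(dir)) {
            for (Path p : entries) {
                if (!Files.isRegularFile(p, LinkOption.NOFOLLOW_LINKS)) continue;
                for (PosixFilePermission perm
                        : Files.getPosixFilePermissions(p, LinkOption.NOFOLLOW_LINKS)) {
                    if (!perm.name().startsWith("OWNER_")) { exposed.add(p); break; }
                }
            }
        }
        return exposed;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample data: one file at 644, one created owner-only.
        Path dir = Files.createTempDirectory("persisted-locations");
        Path wide = Files.write(dir.resolve("sample-644"), "constructed".getBytes());
        Files.setPosixFilePermissions(wide, PosixFilePermissions.fromString("rw-r--r--"));
        Path tight = writeOwnerOnly(dir.resolve("sample-600"), "constructed".getBytes());
        System.out.println("created: " + tight + " " + Files.getPosixFilePermissions(tight));
        System.out.println("exposed: " + findExposed(dir));
    }
}
```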