liz/veilid
1
0
Fork 0
Code Pull Requests Packages Releases Activity

permissions

Browse Source
This commit is contained in:
John Smith
2022-05-18 14:09:21 -04:00
parent f4f5808df2
commit 9a54ee052c
7 changed files with 90 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
veilid-core/src/intf/native/block_store.rs
View File

@@ -23,6 +23,9 @@ impl BlockStore {
}
pub async fn init(&self) -> Result<(), String> {
// Ensure permissions are correct
// ensure_file_private_owner(&dbpath)?;
Ok(())
}

6
veilid-core/src/intf/native/protected_store.rs
View File

@@ -48,6 +48,7 @@ impl ProtectedStore {
let c = self.config.get();
let mut inner = self.inner.lock();
if !c.protected_store.always_use_insecure_storage {
// Attempt to open the secure keyring
cfg_if! {
if #[cfg(target_os = "android")] {
inner.keyring_manager = KeyringManager::new_secure(&c.program_name, intf::native::utils::android::get_android_globals()).ok();
@@ -70,6 +71,11 @@ impl ProtectedStore {
format!("_{}", c.namespace)
}
));
// Ensure permissions are correct
ensure_file_private_owner(&insecure_keyring_file)?;
// Open the insecure keyring
inner.keyring_manager = Some(
KeyringManager::new_insecure(&c.program_name, &insecure_keyring_file)
.map_err(map_to_string)

8
veilid-core/src/intf/native/table_store.rs
View File

@@ -99,9 +99,17 @@ impl TableStore {
}
let dbpath = self.get_dbpath(&table_name)?;
// Ensure permissions are correct
ensure_file_private_owner(&dbpath)?;
let cfg = DatabaseConfig::with_columns(column_count);
let db =
Database::open(&dbpath, cfg).map_err(|e| format!("failed to open tabledb: {}", e))?;
// Ensure permissions are correct
ensure_file_private_owner(&dbpath)?;
trace!(
"opened table store '{}' at path '{:?}' with {} columns",
name,

58
veilid-core/src/xx/tools.rs
View File

@@ -1,5 +1,6 @@
use crate::xx::*;
use alloc::string::ToString;
use std::path::Path;
#[macro_export]
macro_rules! assert_err {
@@ -185,3 +186,60 @@ impl<T: PartialEq + Clone> Dedup<T> for Vec<T> {
})
}
}
cfg_if::cfg_if! {
if #[cfg(unix)] {
use std::os::unix::fs::MetadataExt;
use std::os::unix::prelude::PermissionsExt;
use nix::unistd::{chown, Uid, Gid};
pub fn ensure_file_private_owner<P:AsRef<Path>>(path: P) -> Result<(), String>
{
let path = path.as_ref();
if !path.exists() {
return Ok(());
}
let uid = Uid::effective();
let gid = Gid::effective();
let meta = std::fs::metadata(path).map_err(|e| format!("unable to get metadata for path '{:?}': {}",path, e))?;
if meta.mode() != 0o600 {
std::fs::set_permissions(path,std::fs::Permissions::from_mode(0o600)).map_err(|e| format!("unable to set correct permissions on path '{:?}': {}", path, e))?;
}
if meta.uid() != uid.as_raw() || meta.gid() != gid.as_raw() {
chown(path, Some(uid), Some(gid)).map_err(|e| format!("unable to set correct owner on path '{:?}': {}", path, e))?;
}
Ok(())
}
} else if #[cfg(windows)] {
use std::os::windows::fs::MetadataExt;
use windows_permissions::*;
pub fn ensure_file_private_owner<P:AsRef<Path>>(path: P) -> Result<(),String>
{
let path = path.as_ref();
if !path.exists() {
return Ok(());
}
// let uid = Uid::effective();
// let gid = Gid::effective();
let meta = std::fs::metadata(path).map_err(|e| format!("unable to get metadata for path '{:?}': {}",path, e))?;
if meta.mode() != 0o600 {
std::fs::set_permissions(path,std::fs::Permissions::from_mode(0o600)).map_err(|e| format!("unable to set correct permissions on path '{:?}': {}", path, e))?;
}
// if meta.uid() != uid.as_raw() || meta.gid() != gid.as_raw() {
// chown(path, Some(uid), Some(gid)).map_err(|e| format!("unable to set correct owner on path '{:?}': {}", path, e))?;
// }
Ok(())
}
} else {
pub fn ensure_file_private_owner<P:AsRef<Path>>(path: P) -> Result<(),String>
{
Ok(())
}
}
}