permissions
parent
f4f5808df2
commit
9a54ee052c
12
Cargo.lock
generated
12
Cargo.lock
generated
@ -4439,6 +4439,7 @@ dependencies = [
|
|||||||
"maplit",
|
"maplit",
|
||||||
"ndk",
|
"ndk",
|
||||||
"ndk-glue",
|
"ndk-glue",
|
||||||
|
"nix 0.23.1",
|
||||||
"no-std-net",
|
"no-std-net",
|
||||||
"num_cpus",
|
"num_cpus",
|
||||||
"once_cell",
|
"once_cell",
|
||||||
@ -4469,6 +4470,7 @@ dependencies = [
|
|||||||
"webpki-roots 0.22.2",
|
"webpki-roots 0.22.2",
|
||||||
"wee_alloc",
|
"wee_alloc",
|
||||||
"winapi",
|
"winapi",
|
||||||
|
"windows-permissions",
|
||||||
"ws_stream_wasm",
|
"ws_stream_wasm",
|
||||||
"x25519-dalek-ng",
|
"x25519-dalek-ng",
|
||||||
]
|
]
|
||||||
@ -4805,6 +4807,16 @@ version = "0.4.0"
|
|||||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||||
checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
|
checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
|
||||||
|
|
||||||
|
[[package]]
|
||||||
|
name = "windows-permissions"
|
||||||
|
version = "0.2.4"
|
||||||
|
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||||
|
checksum = "9e2ccdc3c6bf4d4a094e031b63fadd08d8e42abd259940eb8aa5fdc09d4bf9be"
|
||||||
|
dependencies = [
|
||||||
|
"bitflags",
|
||||||
|
"winapi",
|
||||||
|
]
|
||||||
|
|
||||||
[[package]]
|
[[package]]
|
||||||
name = "windows-service"
|
name = "windows-service"
|
||||||
version = "0.4.0"
|
version = "0.4.0"
|
||||||
|
@ -73,6 +73,7 @@ socket2 = "^0"
|
|||||||
bugsalot = "^0"
|
bugsalot = "^0"
|
||||||
chrono = "^0"
|
chrono = "^0"
|
||||||
libc = "^0"
|
libc = "^0"
|
||||||
|
nix = "^0"
|
||||||
|
|
||||||
# Dependencies for WASM builds only
|
# Dependencies for WASM builds only
|
||||||
[target.'cfg(target_arch = "wasm32")'.dependencies]
|
[target.'cfg(target_arch = "wasm32")'.dependencies]
|
||||||
@ -129,6 +130,7 @@ rtnetlink = { version = "^0", default-features = false, features = [ "smol_socke
|
|||||||
# Dependencies for Windows
|
# Dependencies for Windows
|
||||||
[target.'cfg(target_os = "windows")'.dependencies]
|
[target.'cfg(target_os = "windows")'.dependencies]
|
||||||
winapi = { version = "^0", features = [ "iptypes", "iphlpapi" ] }
|
winapi = { version = "^0", features = [ "iptypes", "iphlpapi" ] }
|
||||||
|
windows-permissions = "^0"
|
||||||
|
|
||||||
# Dependencies for iOS
|
# Dependencies for iOS
|
||||||
[target.'cfg(target_os = "ios")'.dependencies]
|
[target.'cfg(target_os = "ios")'.dependencies]
|
||||||
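Review bot: `nix = "^0"` and `windows-permissions = "^0"` accept any 0.x release, and under Cargo's semver rules each 0.y step may be a breaking one. Cargo.lock in this commit resolves them to 0.23.1 and 0.2.4, so the manifest can say so: `nix = "0.23"` and `windows-permissions = "0.2"`. These crates back the code that changes the owner and mode of keyring and database files, so a silent jump to an incompatible release on a lockfile refresh is worth ruling out. The neighbouring entries use the same `^0` form, which this change did not introduce.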
|
@ -23,6 +23,9 @@ impl BlockStore {
|
|||||||
}
|
}
|
||||||
|
|
||||||
pub async fn init(&self) -> Result<(), String> {
|
pub async fn init(&self) -> Result<(), String> {
|
||||||
|
// Ensure permissions are correct
|
||||||
|
// ensure_file_private_owner(&dbpath)?;
|
||||||
|
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|
||||||
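Review bot: The line added to `BlockStore::init` is a commented-out call, `// ensure_file_private_owner(&dbpath)?;`, and no `dbpath` is in scope in the visible lines, so the block store gets no permission check even though the comment above it reads "Ensure permissions are correct". Make the gap explicit instead of leaving dead code, for example `// TODO: call ensure_file_private_owner once BlockStore has an on-disk path`. That way the function is not read as already covered.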
|
@ -48,6 +48,7 @@ impl ProtectedStore {
|
|||||||
let c = self.config.get();
|
let c = self.config.get();
|
||||||
let mut inner = self.inner.lock();
|
let mut inner = self.inner.lock();
|
||||||
if !c.protected_store.always_use_insecure_storage {
|
if !c.protected_store.always_use_insecure_storage {
|
||||||
|
// Attempt to open the secure keyring
|
||||||
cfg_if! {
|
cfg_if! {
|
||||||
if #[cfg(target_os = "android")] {
|
if #[cfg(target_os = "android")] {
|
||||||
inner.keyring_manager = KeyringManager::new_secure(&c.program_name, intf::native::utils::android::get_android_globals()).ok();
|
inner.keyring_manager = KeyringManager::new_secure(&c.program_name, intf::native::utils::android::get_android_globals()).ok();
|
||||||
@ -70,6 +71,11 @@ impl ProtectedStore {
|
|||||||
format!("_{}", c.namespace)
|
format!("_{}", c.namespace)
|
||||||
}
|
}
|
||||||
));
|
));
|
||||||
|
|
||||||
|
// Ensure permissions are correct
|
||||||
|
ensure_file_private_owner(&insecure_keyring_file)?;
|
||||||
|
|
||||||
|
// Open the insecure keyring
|
||||||
inner.keyring_manager = Some(
|
inner.keyring_manager = Some(
|
||||||
KeyringManager::new_insecure(&c.program_name, &insecure_keyring_file)
|
KeyringManager::new_insecure(&c.program_name, &insecure_keyring_file)
|
||||||
.map_err(map_to_string)
|
.map_err(map_to_string)
|
||||||
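Review bot: `ensure_file_private_owner(&insecure_keyring_file)?` runs only before `KeyringManager::new_insecure`, and the helper added in this commit returns `Ok(())` when the path does not exist. If `new_insecure` creates the file on first start (presumably it does; not visible here), the file gets whatever mode the process umask allows and is not tightened until the next start. The TableStore change in this same commit repeats the check after `Database::open`; do the same here by calling `ensure_file_private_owner(&insecure_keyring_file)?;` again once `new_insecure` has succeeded. The enclosing function starts and ends outside both hunks.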
|
@ -99,9 +99,17 @@ impl TableStore {
|
|||||||
}
|
}
|
||||||
|
|
||||||
let dbpath = self.get_dbpath(&table_name)?;
|
let dbpath = self.get_dbpath(&table_name)?;
|
||||||
|
|
||||||
|
// Ensure permissions are correct
|
||||||
|
ensure_file_private_owner(&dbpath)?;
|
||||||
|
|
||||||
let cfg = DatabaseConfig::with_columns(column_count);
|
let cfg = DatabaseConfig::with_columns(column_count);
|
||||||
let db =
|
let db =
|
||||||
Database::open(&dbpath, cfg).map_err(|e| format!("failed to open tabledb: {}", e))?;
|
Database::open(&dbpath, cfg).map_err(|e| format!("failed to open tabledb: {}", e))?;
|
||||||
|
|
||||||
|
// Ensure permissions are correct
|
||||||
|
ensure_file_private_owner(&dbpath)?;
|
||||||
|
|
||||||
trace!(
|
trace!(
|
||||||
"opened table store '{}' at path '{:?}' with {} columns",
|
"opened table store '{}' at path '{:?}' with {} columns",
|
||||||
name,
|
name,
|
||||||
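Review bot: Both added `ensure_file_private_owner(&dbpath)?` calls force mode `0o600` on `dbpath` itself, which is only right if that path is a single regular file. If `Database::open` treats it as a directory (not visible in this hunk), `0o600` removes the owner's search bit and the files inside it are never checked. Confirm what `dbpath` refers to; for a directory, use `0o700` on the directory and apply the `0o600` check to the files it contains. The surrounding function continues outside the hunk.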
|
@ -1,5 +1,6 @@
|
|||||||
use crate::xx::*;
|
use crate::xx::*;
|
||||||
use alloc::string::ToString;
|
use alloc::string::ToString;
|
||||||
|
use std::path::Path;
|
||||||
|
|
||||||
#[macro_export]
|
#[macro_export]
|
||||||
macro_rules! assert_err {
|
macro_rules! assert_err {
|
||||||
@ -185,3 +186,60 @@ impl<T: PartialEq + Clone> Dedup<T> for Vec<T> {
|
|||||||
})
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
cfg_if::cfg_if! {
|
||||||
|
if #[cfg(unix)] {
|
||||||
|
use std::os::unix::fs::MetadataExt;
|
||||||
|
use std::os::unix::prelude::PermissionsExt;
|
||||||
|
use nix::unistd::{chown, Uid, Gid};
|
||||||
|
|
||||||
|
pub fn ensure_file_private_owner<P:AsRef<Path>>(path: P) -> Result<(), String>
|
||||||
|
{
|
||||||
|
let path = path.as_ref();
|
||||||
|
if !path.exists() {
|
||||||
|
return Ok(());
|
||||||
|
}
|
||||||
|
|
||||||
|
let uid = Uid::effective();
|
||||||
|
let gid = Gid::effective();
|
||||||
|
let meta = std::fs::metadata(path).map_err(|e| format!("unable to get metadata for path '{:?}': {}",path, e))?;
|
||||||
|
|
||||||
|
if meta.mode() != 0o600 {
|
||||||
|
std::fs::set_permissions(path,std::fs::Permissions::from_mode(0o600)).map_err(|e| format!("unable to set correct permissions on path '{:?}': {}", path, e))?;
|
||||||
|
}
|
||||||
|
if meta.uid() != uid.as_raw() || meta.gid() != gid.as_raw() {
|
||||||
|
chown(path, Some(uid), Some(gid)).map_err(|e| format!("unable to set correct owner on path '{:?}': {}", path, e))?;
|
||||||
|
}
|
||||||
|
Ok(())
|
||||||
|
}
|
||||||
|
} else if #[cfg(windows)] {
|
||||||
|
use std::os::windows::fs::MetadataExt;
|
||||||
|
use windows_permissions::*;
|
||||||
|
|
||||||
|
pub fn ensure_file_private_owner<P:AsRef<Path>>(path: P) -> Result<(),String>
|
||||||
|
{
|
||||||
|
let path = path.as_ref();
|
||||||
|
if !path.exists() {
|
||||||
|
return Ok(());
|
||||||
|
}
|
||||||
|
|
||||||
|
// let uid = Uid::effective();
|
||||||
|
// let gid = Gid::effective();
|
||||||
|
let meta = std::fs::metadata(path).map_err(|e| format!("unable to get metadata for path '{:?}': {}",path, e))?;
|
||||||
|
|
||||||
|
if meta.mode() != 0o600 {
|
||||||
|
std::fs::set_permissions(path,std::fs::Permissions::from_mode(0o600)).map_err(|e| format!("unable to set correct permissions on path '{:?}': {}", path, e))?;
|
||||||
|
}
|
||||||
|
|
||||||
|
// if meta.uid() != uid.as_raw() || meta.gid() != gid.as_raw() {
|
||||||
|
// chown(path, Some(uid), Some(gid)).map_err(|e| format!("unable to set correct owner on path '{:?}': {}", path, e))?;
|
||||||
|
// }
|
||||||
|
Ok(())
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
pub fn ensure_file_private_owner<P:AsRef<Path>>(path: P) -> Result<(),String>
|
||||||
|
{
|
||||||
|
Ok(())
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
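Review bot: In the `#[cfg(windows)]` branch of `ensure_file_private_owner`, `meta.mode()` and `std::fs::Permissions::from_mode` are Unix-only extension methods and `std::os::windows::fs::MetadataExt` has no `mode()`, so as far as I can tell this branch will not compile on Windows. `windows_permissions::*` is also imported there without being used. Until an ACL-based check exists, the branch should say it is unimplemented rather than mirror the Unix code. In the Unix branch `meta.mode()` returns the full `st_mode` including the file-type bits, so `meta.mode() != 0o600` is true for every existing file and the chmod always runs; compare the permission bits only, `if meta.mode() & 0o7777 != 0o600 {`. The helper also silently re-owns a file that belongs to another uid and follows a symlink at the path; since these paths hold keyring and database material, consider reading with `std::fs::symlink_metadata` and returning an error on an unexpected owner or file type, so the condition is surfaced rather than repaired.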
|
@ -27,7 +27,7 @@ pub fn run_daemon(settings: Settings, _matches: ArgMatches) -> Result<(), String
|
|||||||
let mut daemon = daemonize::Daemonize::new();
|
let mut daemon = daemonize::Daemonize::new();
|
||||||
let s = settings.read();
|
let s = settings.read();
|
||||||
if let Some(pid_file) = &s.daemon.pid_file {
|
if let Some(pid_file) = &s.daemon.pid_file {
|
||||||
daemon = daemon.pid_file(pid_file).chown_pid_file(true);
|
daemon = daemon.pid_file(pid_file); //.chown_pid_file(true);
|
||||||
}
|
}
|
||||||
if let Some(chroot) = &s.daemon.chroot {
|
if let Some(chroot) = &s.daemon.chroot {
|
||||||
daemon = daemon.chroot(chroot);
|
daemon = daemon.chroot(chroot);
|
||||||
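Review bot: The new line `daemon = daemon.pid_file(pid_file); //.chown_pid_file(true);` disables the pid-file chown by leaving the old call as a trailing comment, with no reason given. If the daemon is also configured to switch user or group (not visible in this hunk), the pid file now stays owned by the starting user, and the running process may be unable to remove or rewrite it. Either restore the call or drop the dead code and record the reason, e.g. `// pid file is intentionally left owned by the launching user because <reason>`. `run_daemon` continues outside the hunk.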
|