From 407415f6f16c1dc3277af1a948484173a2471117 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Romain=20Tarti=C3=A8re?=
Date: Thu, 31 Aug 2023 13:43:34 -1000
Subject: [PATCH] Fix files ownership and permissions for Dashboards
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Similar to the issue fixed in #3898, OpenSearch-Dashboards package has unexpected files owner and permissions. This ensure the installed files are not owner by the opensearch-dashboards user (preventing the program to overwrite itself with malicious code if the service has some kind of vulnerability), and make sure logs and data cannot be accessed by random users.

Signed-off-by: Romain Tartière
---
 .../opensearch-dashboards/deb/debian/postinst | 12 ++++++++----
 .../deb/debmake_opensearch_dashboards_install.sh | 3 ++-
 .../rpm/opensearch-dashboards.rpm.spec | 11 ++++++-----
 3 files changed, 16 insertions(+), 10 deletions(-)

diff --git a/scripts/pkg/build_templates/opensearch-dashboards/deb/debian/postinst b/scripts/pkg/build_templates/opensearch-dashboards/deb/debian/postinst
index 30d62c95e7..08f0094078 100755
--- a/scripts/pkg/build_templates/opensearch-dashboards/deb/debian/postinst
+++ b/scripts/pkg/build_templates/opensearch-dashboards/deb/debian/postinst
@@ -36,11 +36,15 @@ echo " sudo systemctl enable opensearch-dashboards.service"
 echo "### You can start opensearch-dashboards service by executing"
 echo " sudo systemctl start opensearch-dashboards.service"
 
-# Set owner
-chown -R opensearch-dashboards.opensearch-dashboards ${product_dir}
-chown -R opensearch-dashboards.opensearch-dashboards ${config_dir}
-chown -R opensearch-dashboards.opensearch-dashboards ${log_dir}
+# Set ownership and permissions
+chmod -R u=rwX,g=rX,o= ${config_dir}
+
+chown -R opensearch-dashboards.adm ${log_dir}
+chmod 750 ${log_dir}
+
 chown -R opensearch-dashboards.opensearch-dashboards ${data_dir}
+chmod 750 ${data_dir}
+
 chown -R opensearch-dashboards.opensearch-dashboards ${pid_dir}
 
 exit 0
diff --git a/scripts/pkg/build_templates/opensearch-dashboards/deb/debmake_opensearch_dashboards_install.sh b/scripts/pkg/build_templates/opensearch-dashboards/deb/debmake_opensearch_dashboards_install.sh
index 1c4f593a53..e41763e071 100755
--- a/scripts/pkg/build_templates/opensearch-dashboards/deb/debmake_opensearch_dashboards_install.sh
+++ b/scripts/pkg/build_templates/opensearch-dashboards/deb/debmake_opensearch_dashboards_install.sh
@@ -42,6 +42,7 @@ ln -s ${data_dir} ${buildroot}${product_dir}/data
 ln -s ${log_dir} ${buildroot}${product_dir}/logs
 
 # Change Permissions
-chmod -Rf a+rX,u+w,g-w,o-w ${buildroot}/*
+chmod -Rf g-s ${buildroot}/*
+chmod -Rf u=rwX,g=rX,o=rX ${buildroot}/*
 
 exit 0
diff --git a/scripts/pkg/build_templates/opensearch-dashboards/rpm/opensearch-dashboards.rpm.spec b/scripts/pkg/build_templates/opensearch-dashboards/rpm/opensearch-dashboards.rpm.spec
index 6ff7c32084..df8e1bd064 100644
--- a/scripts/pkg/build_templates/opensearch-dashboards/rpm/opensearch-dashboards.rpm.spec
+++ b/scripts/pkg/build_templates/opensearch-dashboards/rpm/opensearch-dashboards.rpm.spec
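Review bot: The new `chmod -R u=rwX,g=rX,o= ${config_dir}` strips world access, but the hunk also drops the only `chown` of `${config_dir}`, so unless the package payload (not visible here; the postinst body starts above this hunk) already gives that tree the service's group, a root:root config with `o=` is unreadable by the opensearch-dashboards user and the service cannot load it. Add `chown -R root:opensearch-dashboards ${config_dir}` immediately before the chmod so the files stay root-owned (not writable by the service) yet group-readable, which is the model the commit message describes. The `user.group` spelling in `chown -R opensearch-dashboards.adm ${log_dir}` is a deprecated GNU form; use `opensearch-dashboards:adm`. Also, a recursive `chown` of `${log_dir}`/`${data_dir}` run as root during an upgrade of a live service is the well-known hard-link escalation pattern when fs.protected_hardlinks is off; `chown` without `-R` on the directory itself avoids it, and the 750 on the directory already keeps other users out.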
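Review bot: Both new lines, `chmod -Rf g-s ${buildroot}/*` and `chmod -Rf u=rwX,g=rX,o=rX ${buildroot}/*`, keep the `-f` flag, which silently swallows any failure to normalize modes, so a hardening step that did not apply goes unnoticed at build time; drop `-f` (or append `|| exit 1`) so the build fails loudly. The second line also leaves the packaged configuration world-readable (`o=rX`) inside the .deb itself, whereas the RPM counterpart in this same patch tightens `%{buildroot}/etc` with `o=`; adding `chmod -R u=rwX,g=rX,o= ${buildroot}/etc` after it would make the payload consistent instead of relying on postinst to fix it up. This script sets modes but never ownership, so the "files not owned by the service user" property on the deb side depends on a packaging step not shown here; a comment such as `# NOTE: only modes are set here; root ownership relies on the .deb build step` would name that assumption.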
@@ -56,7 +56,8 @@ chmod 0755 %{buildroot}%{product_dir}/bin/*
 ln -s %{data_dir} %{buildroot}%{product_dir}/data
 ln -s %{log_dir} %{buildroot}%{product_dir}/logs
 # Change Permissions
-chmod -Rf a+rX,u+w,g-w,o-w %{buildroot}/*
+chmod -Rf g-s %{buildroot}/*
+chmod -Rf u=rwX,g=rX,o= %{buildroot}/etc
 exit 0
 %pre
@@ -101,7 +102,7 @@ exit 0
 %files
 # Permissions
-%defattr(-, %{name}, %{name})
+%defattr(-, root, root)
 # Root dirs/docs/licenses
 %dir %{product_dir}
@@ -130,9 +131,9 @@ exit 0
 %{product_dir}/node_modules
 %{product_dir}/plugins
 %{product_dir}/src
-%{log_dir}
-%{pid_dir}
-%dir %{data_dir}
+%attr(750, %{name}, %{name}) %{log_dir}
+%attr(750, %{name}, %{name}) %{pid_dir}
+%dir %attr(750, %{name}, %{name}) %{data_dir}
 # Symlinks
 %{product_dir}/data
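Review bot: Replacing `chmod -Rf a+rX,u+w,g-w,o-w %{buildroot}/*` with only `g-s` plus an `o=` pass over `%{buildroot}/etc` means nothing in the RPM build strips group/world write bits from the rest of the tree any more; with `%defattr(-, root, root)` preserving payload modes, any file under the product directory (node_modules, plugins) that arrives group- or world-writable from the build tarball would be shipped root-owned but writable by the service user, which is exactly what the commit aims to prevent. The deb script in this patch keeps a normalizing pass; mirror it with `chmod -Rf u=rwX,g=rX,o=rX %{buildroot}/*` before the `/etc` line. The `-f` also hides failures of these chmods, so consider dropping it. The `%install` section continues above this hunk.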
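Review bot: Switching `%defattr` to `root, root` together with the `o=` applied to `%{buildroot}/etc` in the earlier hunk makes the configuration directory root:root with no world bits, so the opensearch-dashboards service can only read it if some `%attr`/`%config` entry not visible in this patch sets the group to `%{name}`; if none does, the service will fail to read its config. Add explicit entries for the config directory and its files, e.g. `%dir %attr(750, root, %{name})` on the directory and `%attr(640, root, %{name}) %config(noreplace)` on each file, so the intent (root-owned, service-readable, not service-writable) is stated in the file list rather than inherited. A comment beside `%defattr`, such as `# payload is root-owned; runtime dirs get %{name} via explicit %attr below`, would help the next maintainer.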
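Review bot: `%attr(750, %{name}, %{name}) %{log_dir}` and the matching `%{pid_dir}` line lack `%dir`, so rpm applies mode 750 and `%{name}` ownership to the directory and to everything packaged beneath it; if the build root ever contains a file there it would ship executable (750 on a regular file) and owned by the service user, whereas `%dir %attr(750, %{name}, %{name}) %{log_dir}` (and likewise for `%{pid_dir}`) matches the `%{data_dir}` line and expresses the intent. Separately, the deb postinst in this patch gives logs to group `adm` while the RPM uses group `%{name}`, so the two packages now differ in who may read logs; either align them or document it in the spec, e.g. `# logs readable by the service account only (the deb uses group adm)`.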