BryanDavis has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/354839 )

Change subject: tools: have maintain-kubeusers chown $HOME/.kube
......................................................................

tools: have maintain-kubeusers chown $HOME/.kube

Chown the $HOME/.kube directory to the tool account. Also protect the
generated credentials with chattr.

Bug: T165875
Change-Id: I37bc5517ab4bd8b646e0c63d9140c1cc2633e9ea
---
M modules/toollabs/files/maintain-kubeusers
1 file changed, 3 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/39/354839/1

diff --git a/modules/toollabs/files/maintain-kubeusers 
b/modules/toollabs/files/maintain-kubeusers
index a880237..c3d0203 100755
--- a/modules/toollabs/files/maintain-kubeusers
+++ b/modules/toollabs/files/maintain-kubeusers
@@ -254,14 +254,16 @@
     dirpath = os.path.join('/data', 'project', user.name, '.kube')
     path = os.path.join(dirpath, 'config')
     # exist_ok=True is fine here, and not a security issue (Famous last 
words?).
-    # We also keep it owned by root, which is fine.
     os.makedirs(dirpath, mode=0o775, exist_ok=True)
+    os.fchown(f, int(user.id), int(user.id))
     f = os.open(path, os.O_CREAT | os.O_WRONLY | os.O_NOFOLLOW)
     try:
         os.write(f, json.dumps(config, indent=4, 
sort_keys=True).encode('utf-8'))
         # uid == gid
         os.fchown(f, int(user.id), int(user.id))
         os.fchmod(f, 0o400)
+        # Prevent removal or modification of the credentials file by users
+        subprocess.check_output(['/usr/bin/chattr', '+i', file_path])
         logging.info('Write config in %s', path)
     except:
         logging.exception()
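Review bot: the added `os.fchown(f, int(user.id), int(user.id))` line near the top of the hunk runs before `f` is assigned by the `os.open(...)` on the next line, so the first call raises NameError; and even with a valid descriptor it would chown the config file (already done further down), not the `.kube` directory the commit message says should be chowned. Replace it with `os.chown(dirpath, int(user.id), int(user.id))` placed right after `os.makedirs(dirpath, mode=0o775, exist_ok=True)`. The `chattr` call references `file_path`, which is not defined in this function; the variable holding the config path is `path`. Two further points on the `+i` approach: once the immutable flag is set, the next run of this function will fail at `os.open(path, os.O_CREAT | os.O_WRONLY | os.O_NOFOLLOW)` with EPERM, because an immutable file cannot be opened for writing even by root, so the code needs to either clear the flag (`chattr -i`) before rewriting or skip rewriting an existing config; and `subprocess` must be imported at the top of the file, which this hunk does not show. Finally, the pre-existing `logging.exception()` in the `except:` branch is called without the required message argument and will itself raise TypeError, masking the original error; `logging.exception('Failed to write config in %s', path)` would preserve it.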

-- 
To view, visit https://gerrit.wikimedia.org/r/354839
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I37bc5517ab4bd8b646e0c63d9140c1cc2633e9ea
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BryanDavis <bda...@wikimedia.org>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
