mirror of
https://github.com/tailscale/tailscale.git
ipn, paths: unconditionally attempt to set state dir perms, but only if the state dir is ours
We unconditionally set appropriate perms on the statefile dir. We look at the basename of the statefile dir, and if it is "tailscale", then we set perms as appropriate. Fixes #2925 Updates #2856 Signed-off-by: Aaron Klotz <aaron@tailscale.com>
parent
82117f7a63
commit
21e9f98fc1
@ -170,6 +170,11 @@ func (s *FileStore) String() string { return fmt.Sprintf("FileStore(%q)", s.path
|
|||||||
|
|
||||||
// NewFileStore returns a new file store that persists to path.
|
// NewFileStore returns a new file store that persists to path.
|
||||||
func NewFileStore(path string) (*FileStore, error) {
|
func NewFileStore(path string) (*FileStore, error) {
|
||||||
|
// We unconditionally call this to ensure that our perms are correct
|
||||||
|
if err := paths.MkStateDir(filepath.Dir(path)); err != nil {
|
||||||
|
return nil, fmt.Errorf("creating state directory: %w", err)
|
||||||
|
}
|
||||||
|
|
||||||
bs, err := ioutil.ReadFile(path)
|
bs, err := ioutil.ReadFile(path)
|
||||||
|
|
||||||
// Treat an empty file as a missing file.
|
// Treat an empty file as a missing file.
|
||||||
@ -183,9 +188,6 @@ func NewFileStore(path string) (*FileStore, error) {
|
|||||||
if os.IsNotExist(err) {
|
if os.IsNotExist(err) {
|
||||||
// Write out an initial file, to verify that we can write
|
// Write out an initial file, to verify that we can write
|
||||||
// to the path.
|
// to the path.
|
||||||
if err := paths.MkStateDir(filepath.Dir(path)); err != nil {
|
|
||||||
return nil, fmt.Errorf("creating state directory: %w", err)
|
|
||||||
}
|
|
||||||
if err = atomicfile.WriteFile(path, []byte("{}"), 0600); err != nil {
|
if err = atomicfile.WriteFile(path, []byte("{}"), 0600); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
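Review bot: The comment added above the `paths.MkStateDir(filepath.Dir(path))` call in NewFileStore says only that perms are made "correct", but elsewhere in this commit ensureStateDirPerms returns early unless the directory's basename is "tailscale", so a reader of this function would wrongly assume every state dir is locked down. Suggest `// Ensure the state dir exists. Perms are only tightened when the dir's basename is "tailscale"; other locations are left untouched.` Because the call now runs before `ioutil.ReadFile`, a failure to create or re-permission the directory fails NewFileStore even when an existing state file is readable, which deserves a mention in the doc comment. The mode of an already existing state file is not checked in the visible lines (only the initial `{}` write uses 0600), so for directories with another name the file mode is presumably the only protection; an os.Stat check that warns on group/other bits would close that gap. NewFileStore's body continues outside these hunks.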
@ -63,9 +63,9 @@ func xdgDataHome() string {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func ensureStateDirPerms(dirPath string) error {
|
func ensureStateDirPerms(dirPath string) error {
|
||||||
// Unfortunately there are currently numerous tests that set up state files
|
if filepath.Base(dirPath) != "tailscale" {
|
||||||
// right off of /tmp, on which Chmod will of course fail. We should fix our
|
return nil
|
||||||
// test harnesses to not do that, at which point we can return an error.
|
}
|
||||||
os.Chmod(dirPath, 0700)
|
|
||||||
return nil
|
return os.Chmod(dirPath, 0700)
|
||||||
}
|
}
|
||||||
|
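Review bot: The basename test in ensureStateDirPerms stands in for "this directory is ours", but nothing in the function says so, and the comment it replaced was the only explanation of the function's behaviour. Suggest a comment such as `// Only tighten perms on a dir we would have created ourselves (basename "tailscale"); other locations are left as the operator configured them.` A name match is not proof of ownership: a pre-existing or symlinked "tailscale" path is still chmod'ed (os.Chmod follows symlinks) and, now that the error is returned, can make startup fail, so an os.Lstat check that the path is a real directory before `os.Chmod(dirPath, 0700)` would be a cheap guard. Conversely, a state dir with any other name gets no enforcement, and callers cannot tell that from the nil return.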
@ -6,6 +6,8 @@
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
"os"
|
"os"
|
||||||
|
"path/filepath"
|
||||||
|
"strings"
|
||||||
"unsafe"
|
"unsafe"
|
||||||
|
|
||||||
"golang.org/x/sys/windows"
|
"golang.org/x/sys/windows"
|
||||||
@ -86,6 +88,9 @@ func ensureStateDirPerms(dirPath string) error {
|
|||||||
if !fi.IsDir() {
|
if !fi.IsDir() {
|
||||||
return os.ErrInvalid
|
return os.ErrInvalid
|
||||||
}
|
}
|
||||||
|
if strings.ToLower(filepath.Base(dirPath)) != "tailscale" {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
// We need the info for our current user as SIDs
|
// We need the info for our current user as SIDs
|
||||||
sids, err := getCurrentUserSids()
|
sids, err := getCurrentUserSids()
|
||||||
|
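Review bot: The case-insensitive compare `strings.ToLower(filepath.Base(dirPath)) != "tailscale"` is more idiomatically written `if !strings.EqualFold(filepath.Base(dirPath), "tailscale") {`, which avoids the allocation and states the intent directly. The check sits after the `fi.IsDir()` test, so on Windows a non-directory path returns os.ErrInvalid regardless of its name, whereas the Unix variant in this commit returns nil for any non-"tailscale" path without examining it; a one-line comment on the intended order would help keep the two in step. The early `return nil` also skips the SID-based code that follows, so a state dir with a different name gets none of that handling, which is worth stating in the function's doc comment. ensureStateDirPerms starts and ends outside the hunk.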