Fix permissions for resolv.conf and hosts

apostasie · apostasie · commit 750d400537aa · 2024-12-01T23:24:12.000-08:00
WriteFile uses syscall.Open, so permissions are modified by umask, if set. For people using agressive umasks (0077), /etc/resolv.conf will end-up unreadable for non root processes. See #3704 Signed-off-by: apostasie <spam_blackhole@farcloser.world>
diff --git a/pkg/dnsutil/hostsstore/hostsstore.go b/pkg/dnsutil/hostsstore/hostsstore.go
@@ -114,6 +114,10 @@ func (x *hostsStore) Acquire(meta Meta) (err error) {
 		if err = os.WriteFile(loc, []byte{}, 0o644); err != nil {
 			return errors.Join(store.ErrSystemFailure, err)
 		}
+		// See https://www.man7.org/linux/man-pages/man2/open.2.html
+		if err = os.Chmod(loc, 0o644); err != nil {
+			err = errors.Join(store.ErrSystemFailure, err)
+		}
 
 		var content []byte
 		content, err = json.Marshal(meta)
@@ -175,6 +179,10 @@ func (x *hostsStore) AllocHostsFile(id string, content []byte) (location string,
 		if err != nil {
 			err = errors.Join(store.ErrSystemFailure, err)
 		}
+		// See https://www.man7.org/linux/man-pages/man2/open.2.html
+		if err = os.Chmod(loc, 0o644); err != nil {
+			err = errors.Join(store.ErrSystemFailure, err)
+		}
 
 		return err
 	})
@@ -333,6 +341,7 @@ func (x *hostsStore) updateAllHosts() (err error) {
 		if err != nil {
 			log.L.WithError(err).Errorf("failed to write hosts file for %q", entry)
 		}
+		_ = os.Chmod(loc, 0o644)
 	}
 	return nil
 }
diff --git a/pkg/resolvconf/resolvconf.go b/pkg/resolvconf/resolvconf.go
@@ -317,7 +317,13 @@ func Build(path string, dns, dnsSearch, dnsOptions []string) (*File, error) {
 		return nil, err
 	}
 
-	return &File{Content: content.Bytes(), Hash: hash}, os.WriteFile(path, content.Bytes(), 0644)
+	err = os.WriteFile(path, content.Bytes(), 0o644)
+	if err != nil {
+		return nil, err
+	}
+
+	// See https://www.man7.org/linux/man-pages/man2/open.2.html
+	return &File{Content: content.Bytes(), Hash: hash}, os.Chmod(path, 0o644)
 }
 
 func hashData(src io.Reader) (string, error) {

Original file line number	Diff line number	Diff line change
`@@ -114,6 +114,10 @@ func (x *hostsStore) Acquire(meta Meta) (err error) {`
`114`	`114`	`if err = os.WriteFile(loc, []byte{}, 0o644); err != nil {`
`115`	`115`	`return errors.Join(store.ErrSystemFailure, err)`
`116`	`116`	`}`
	`117`	`+ // See https://www.man7.org/linux/man-pages/man2/open.2.html`
	`118`	`+ if err = os.Chmod(loc, 0o644); err != nil {`
	`119`	`+ err = errors.Join(store.ErrSystemFailure, err)`
	`120`	`+ }`
`117`	`121`
`118`	`122`	`var content []byte`
`119`	`123`	`content, err = json.Marshal(meta)`
`@@ -175,6 +179,10 @@ func (x *hostsStore) AllocHostsFile(id string, content []byte) (location string,`
`175`	`179`	`if err != nil {`
`176`	`180`	`err = errors.Join(store.ErrSystemFailure, err)`
`177`	`181`	`}`
	`182`	`+ // See https://www.man7.org/linux/man-pages/man2/open.2.html`
	`183`	`+ if err = os.Chmod(loc, 0o644); err != nil {`
	`184`	`+ err = errors.Join(store.ErrSystemFailure, err)`
	`185`	`+ }`
`178`	`186`
`179`	`187`	`return err`
`180`	`188`	`})`
`@@ -333,6 +341,7 @@ func (x *hostsStore) updateAllHosts() (err error) {`
`333`	`341`	`if err != nil {`
`334`	`342`	`log.L.WithError(err).Errorf("failed to write hosts file for %q", entry)`
`335`	`343`	`}`
	`344`	`+ _ = os.Chmod(loc, 0o644)`
`336`	`345`	`}`
`337`	`346`	`return nil`
`338`	`347`	`}`
Original file line number	Diff line number	Diff line change
`@@ -317,7 +317,13 @@ func Build(path string, dns, dnsSearch, dnsOptions []string) (*File, error) {`
`317`	`317`	`return nil, err`
`318`	`318`	`}`
`319`	`319`
`320`		`- return &File{Content: content.Bytes(), Hash: hash}, os.WriteFile(path, content.Bytes(), 0644)`
	`320`	`+ err = os.WriteFile(path, content.Bytes(), 0o644)`
	`321`	`+ if err != nil {`
	`322`	`+ return nil, err`
	`323`	`+ }`
	`324`	`+`
	`325`	`+ // See https://www.man7.org/linux/man-pages/man2/open.2.html`
	`326`	`+ return &File{Content: content.Bytes(), Hash: hash}, os.Chmod(path, 0o644)`
`321`	`327`	`}`
`322`	`328`
`323`	`329`	`func hashData(src io.Reader) (string, error) {`