Fix permissions for resolv.conf and hosts

apostasie · apostasie · commit f02707c2d893 · 2024-12-01T20:38:12.000-08:00
WriteFile sets permissions before umask is applied. For people using agressive umasks (0077), /etc/resolv.conf will end-up unreadable for non root processes. See #3704 Signed-off-by: apostasie <spam_blackhole@farcloser.world>
diff --git a/pkg/dnsutil/hostsstore/hostsstore.go b/pkg/dnsutil/hostsstore/hostsstore.go
@@ -114,6 +114,9 @@ func (x *hostsStore) Acquire(meta Meta) (err error) {
 		if err = os.WriteFile(loc, []byte{}, 0o644); err != nil {
 			return errors.Join(store.ErrSystemFailure, err)
 		}
+		if err = os.Chmod(loc, 0o644); err != nil {
+			err = errors.Join(store.ErrSystemFailure, err)
+		}
 
 		var content []byte
 		content, err = json.Marshal(meta)
@@ -175,6 +178,9 @@ func (x *hostsStore) AllocHostsFile(id string, content []byte) (location string,
 		if err != nil {
 			err = errors.Join(store.ErrSystemFailure, err)
 		}
+		if err = os.Chmod(loc, 0o644); err != nil {
+			err = errors.Join(store.ErrSystemFailure, err)
+		}
 
 		return err
 	})
@@ -333,6 +339,7 @@ func (x *hostsStore) updateAllHosts() (err error) {
 		if err != nil {
 			log.L.WithError(err).Errorf("failed to write hosts file for %q", entry)
 		}
+		_ = os.Chmod(loc, 0o644)
 	}
 	return nil
 }
diff --git a/pkg/resolvconf/resolvconf.go b/pkg/resolvconf/resolvconf.go
@@ -317,7 +317,12 @@ func Build(path string, dns, dnsSearch, dnsOptions []string) (*File, error) {
 		return nil, err
 	}
 
-	return &File{Content: content.Bytes(), Hash: hash}, os.WriteFile(path, content.Bytes(), 0644)
+	err = os.WriteFile(path, content.Bytes(), 0o644)
+	if err != nil {
+		return nil, err
+	}
+
+	return &File{Content: content.Bytes(), Hash: hash}, os.Chmod(path, 0o644)
 }
 
 func hashData(src io.Reader) (string, error) {

Original file line number	Diff line number	Diff line change
`@@ -114,6 +114,9 @@ func (x *hostsStore) Acquire(meta Meta) (err error) {`
`114`	`114`	`if err = os.WriteFile(loc, []byte{}, 0o644); err != nil {`
`115`	`115`	`return errors.Join(store.ErrSystemFailure, err)`
`116`	`116`	`}`
	`117`	`+ if err = os.Chmod(loc, 0o644); err != nil {`
	`118`	`+ err = errors.Join(store.ErrSystemFailure, err)`
	`119`	`+ }`
`117`	`120`
`118`	`121`	`var content []byte`
`119`	`122`	`content, err = json.Marshal(meta)`
`@@ -175,6 +178,9 @@ func (x *hostsStore) AllocHostsFile(id string, content []byte) (location string,`
`175`	`178`	`if err != nil {`
`176`	`179`	`err = errors.Join(store.ErrSystemFailure, err)`
`177`	`180`	`}`
	`181`	`+ if err = os.Chmod(loc, 0o644); err != nil {`
	`182`	`+ err = errors.Join(store.ErrSystemFailure, err)`
	`183`	`+ }`
`178`	`184`
`179`	`185`	`return err`
`180`	`186`	`})`
`@@ -333,6 +339,7 @@ func (x *hostsStore) updateAllHosts() (err error) {`
`333`	`339`	`if err != nil {`
`334`	`340`	`log.L.WithError(err).Errorf("failed to write hosts file for %q", entry)`
`335`	`341`	`}`
	`342`	`+ _ = os.Chmod(loc, 0o644)`
`336`	`343`	`}`
`337`	`344`	`return nil`
`338`	`345`	`}`
Original file line number	Diff line number	Diff line change
`@@ -317,7 +317,12 @@ func Build(path string, dns, dnsSearch, dnsOptions []string) (*File, error) {`
`317`	`317`	`return nil, err`
`318`	`318`	`}`
`319`	`319`
`320`		`- return &File{Content: content.Bytes(), Hash: hash}, os.WriteFile(path, content.Bytes(), 0644)`
	`320`	`+ err = os.WriteFile(path, content.Bytes(), 0o644)`
	`321`	`+ if err != nil {`
	`322`	`+ return nil, err`
	`323`	`+ }`
	`324`	`+`
	`325`	`+ return &File{Content: content.Bytes(), Hash: hash}, os.Chmod(path, 0o644)`
`321`	`326`	`}`
`322`	`327`
`323`	`328`	`func hashData(src io.Reader) (string, error) {`