check permissions on acme.json during startup

Follow-up from #639. At the moment people that were affected by this security issue would still be vulnerable even after upgrading. This patch makes sure permissions are also checked for already existing files. Signed-off-by: Bilal Amarni <bilal.amarni@gmail.com>
2017-01-12 11:04:11 +01:00 · 2017-01-12 11:04:11 +01:00 · 22b97b7214
commit 22b97b7214
parent db68dd3bc1
2 changed files with 18 additions and 3 deletions
--- a/acme/localStore.go
+++ b/acme/localStore.go
@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
+	"os"
 	"sync"

 	"github.com/containous/traefik/cluster"
@ -38,7 +39,21 @@ func (s *LocalStore) Load() (cluster.Object, error) {
 	s.storageLock.Lock()
 	defer s.storageLock.Unlock()
 	account := &Account{}
-	file, err := ioutil.ReadFile(s.file)
+
+	f, err := os.Open(s.file)
+	if err != nil {
+		return nil, err
+	}
+	defer f.Close()
+	fi, err := f.Stat()
+	if err != nil {
+		return nil, err
+	}
+	if fi.Mode().Perm()&0077 != 0 {
+		return nil, fmt.Errorf("permissions %o for %s are too open, please use 600", fi.Mode().Perm(), s.file)
+	}
+
+	file, err := ioutil.ReadAll(f)
 	if err != nil {
 		return nil, err
 	}
--- a/server.go
+++ b/server.go
@ -499,7 +499,7 @@ func (server *Server) prepareServer(entryPointName string, router *middlewares.H
 	negroni.UseHandler(router)
 	tlsConfig, err := server.createTLSConfig(entryPointName, entryPoint.TLS, router)
 	if err != nil {
-		log.Errorf("Error creating TLS config %s", err)
+		log.Errorf("Error creating TLS config: %s", err)
 		return nil, err
 	}

@ -517,7 +517,7 @@ func (server *Server) prepareServer(entryPointName string, router *middlewares.H
 		TLSConfig: tlsConfig,
 	}, tlsConfig)
 	if err != nil {
-		log.Errorf("Error hijacking server %s", err)
+		log.Errorf("Error hijacking server: %s", err)
 		return nil, err
 	}
 	return gracefulServer, nil