check permissions on acme.json during startup
Follow-up from #639. At the moment, people who were affected by this security issue would still be vulnerable even after upgrading. This patch makes sure permissions are also checked for already existing files. Signed-off-by: Bilal Amarni <bilal.amarni@gmail.com>
This commit is contained in:
parent
db68dd3bc1
commit
22b97b7214
2 changed files with 18 additions and 3 deletions
|
@ -4,6 +4,7 @@ import (
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
"fmt"
|
"fmt"
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
|
"os"
|
||||||
"sync"
|
"sync"
|
||||||
|
|
||||||
"github.com/containous/traefik/cluster"
|
"github.com/containous/traefik/cluster"
|
||||||
|
@ -38,7 +39,21 @@ func (s *LocalStore) Load() (cluster.Object, error) {
|
||||||
s.storageLock.Lock()
|
s.storageLock.Lock()
|
||||||
defer s.storageLock.Unlock()
|
defer s.storageLock.Unlock()
|
||||||
account := &Account{}
|
account := &Account{}
|
||||||
file, err := ioutil.ReadFile(s.file)
|
|
||||||
|
f, err := os.Open(s.file)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
defer f.Close()
|
||||||
|
fi, err := f.Stat()
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
if fi.Mode().Perm()&0077 != 0 {
|
||||||
|
return nil, fmt.Errorf("permissions %o for %s are too open, please use 600", fi.Mode().Perm(), s.file)
|
||||||
|
}
|
||||||
|
|
||||||
|
file, err := ioutil.ReadAll(f)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
|
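Review bot: The mode test at `if fi.Mode().Perm()&0077 != 0 {` only carries meaning on Unix-like systems; on Windows, os.File.Stat reports a synthetic 0666 (or 0444 for read-only files) mode regardless of ACLs, so as far as I can tell Load would reject every existing acme.json there. Gating the check on the platform keeps the hardening where it applies: `if runtime.GOOS != "windows" && fi.Mode().Perm()&0077 != 0 {`, with `"runtime"` added to the import block in the first hunk. Using f.Stat() on the already-opened descriptor rather than a separate os.Stat is the right choice because the file whose permissions are checked is the one that is then read; a short comment such as `// Stat the open descriptor so the checked file is the one we read.` would preserve that intent for the next maintainer. Load's body continues past the end of the hunk.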
@ -499,7 +499,7 @@ func (server *Server) prepareServer(entryPointName string, router *middlewares.H
|
||||||
negroni.UseHandler(router)
|
negroni.UseHandler(router)
|
||||||
tlsConfig, err := server.createTLSConfig(entryPointName, entryPoint.TLS, router)
|
tlsConfig, err := server.createTLSConfig(entryPointName, entryPoint.TLS, router)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Errorf("Error creating TLS config %s", err)
|
log.Errorf("Error creating TLS config: %s", err)
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -517,7 +517,7 @@ func (server *Server) prepareServer(entryPointName string, router *middlewares.H
|
||||||
TLSConfig: tlsConfig,
|
TLSConfig: tlsConfig,
|
||||||
}, tlsConfig)
|
}, tlsConfig)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Errorf("Error hijacking server %s", err)
|
log.Errorf("Error hijacking server: %s", err)
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
return gracefulServer, nil
|
return gracefulServer, nil
|
||||||
|
|
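Review bot: Both hunks in prepareServer log the error with log.Errorf and then return the same error, so the caller will most likely report the identical failure a second time; handling it at exactly one layer (either keep the log and return, or return and let the caller log) would avoid the duplicate. If the log lines stay, `%v` is the conventional verb for an error value, e.g. `log.Errorf("Error creating TLS config: %v", err)` and `log.Errorf("Error hijacking server: %v", err)`. prepareServer starts and ends outside both hunks.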