Fix insecure permissions

Author: cclerget

cmd/internal/cli/singularity.go

@@ -297,9 +297,21 @@ func handleRemoteConf(remoteConfFile string) {
 // handleConfDir tries to create the user's configuration directory and handles
 // messages and/or errors.
 func handleConfDir(confDir string) {
-	if err := fs.Mkdir(confDir, os.ModePerm); err != nil {
+	if err := fs.Mkdir(confDir, 0700); err != nil {
 		if os.IsExist(err) {
 			sylog.Debugf("%s already exists. Not creating.", confDir)
+			fi, err := os.Stat(confDir)
+			if err != nil {
+				sylog.Fatalf("Failed to retrieve information for %s: %s", confDir, err)
+			}
+			if fi.Mode().Perm() != 0700 {
+				sylog.Debugf("Enforce permission 0700 on %s", confDir)
+				// enforce permission on user configuration directory
+				if err := os.Chmod(confDir, 0700); err != nil {
+					// best effort as chmod could fail for various reasons (eg: readonly FS)
+					sylog.Warningf("Couldn't enforce permission 0700 on %s: %s", confDir, err)
+				}
+			}
 		} else {
 			sylog.Debugf("Could not create %s: %s", confDir, err)
 		}

internal/app/singularity/oci_run_linux.go

@@ -25,7 +25,7 @@ func OciRun(ctx context.Context, containerID string, args *OciArgs) error {
 	if err != nil {
 		return err
 	}
-	if err := os.MkdirAll(dir, 0755); err != nil {
+	if err := os.MkdirAll(dir, 0700); err != nil {
 		return err
 	}
 	args.SyncSocketPath = filepath.Join(dir, "run.sock")

internal/app/singularity/registry.go

@@ -122,7 +122,7 @@ func (l *Library) Pull(ctx context.Context, from, to, arch string) error {
 	if dst != to {
 		os.Remove(to)
 		sylog.Debugf("Copying %s to %s", dst, to)
-		if err := fs.CopyFile(dst, to, 0777); err != nil {
+		if err := fs.CopyFile(dst, to, 0755); err != nil {
 			return fmt.Errorf("cannot copy cache element %s to final destination %s: %w", dst, to, err)
 		}
 	}

internal/pkg/client/cache/dir.go

@@ -269,13 +269,19 @@ func updateCacheSubdir(c *Handle, subdir string) (string, error) {
 }
 
 func initCacheDir(dir string) error {
-	if _, err := os.Stat(dir); os.IsNotExist(err) {
+	if fi, err := os.Stat(dir); os.IsNotExist(err) {
 		sylog.Debugf("Creating cache directory: %s", dir)
-		if err := fs.MkdirAll(dir, 0755); err != nil {
+		if err := fs.MkdirAll(dir, 0700); err != nil {
 			return fmt.Errorf("couldn't create cache directory %v: %v", dir, err)
 		}
 	} else if err != nil {
 		return fmt.Errorf("unable to stat %s: %s", dir, err)
+	} else if fi.Mode().Perm() != 0700 {
+		// enforce permission on cache directory to prevent
+		// potential information leak
+		if err := os.Chmod(dir, 0700); err != nil {
+			return fmt.Errorf("couldn't enforce permission 0700 on %s: %s", dir, err)
+		}
 	}
 
 	return nil

internal/pkg/instance/instance_linux.go

@@ -238,7 +238,7 @@ func (i *File) Update() error {
 	oldumask := syscall.Umask(0)
 	defer syscall.Umask(oldumask)
 
-	if err := os.MkdirAll(path, 0755); err != nil {
+	if err := os.MkdirAll(path, 0700); err != nil {
 		return err
 	}
 	file, err := os.OpenFile(i.Path, os.O_CREATE|os.O_TRUNC|os.O_WRONLY|syscall.O_NOFOLLOW, 0644)
@@ -267,10 +267,10 @@ func SetLogFile(name string, uid int, subDir string) (*os.File, *os.File, error)
 	oldumask := syscall.Umask(0)
 	defer syscall.Umask(oldumask)
 
-	if err := os.MkdirAll(filepath.Dir(stderrPath), 0755); err != nil {
+	if err := os.MkdirAll(filepath.Dir(stderrPath), 0700); err != nil {
 		return nil, nil, err
 	}
-	if err := os.MkdirAll(filepath.Dir(stdoutPath), 0755); err != nil {
+	if err := os.MkdirAll(filepath.Dir(stdoutPath), 0700); err != nil {
 		return nil, nil, err
 	}
 

internal/pkg/plugin/meta.go

@@ -112,7 +112,7 @@ func (m *Meta) config() (*os.File, error) {
 // install installs the plugin represented by m into the destination
 // directory. This should normally only be called in InstallFromSIF.
 func (m *Meta) install(dstdir string) error {
-	if err := os.MkdirAll(m.Path, 0777); err != nil {
+	if err := os.MkdirAll(m.Path, 0755); err != nil {
 		return err
 	}