Commit 9a98bd6f authored by Matthias Gerstner's avatar Matthias Gerstner Committed by patelia

state_file_dir: choose safe default mode, make mode configurable

`os.makedirs()` uses default mode 0777 in Python2. Therefore the
protection level of the state_file_dir depends on the inherited umask. A
default mode of 0750 is a good conservative default for this. To allow
admins and system integrators to tune this setting it is configurable
via the new config file setting 'state_file_dir_mode'.

This also requires adjusting test_bootstrap_tls to cover the new config
parent 1e83596b
......@@ -10,6 +10,8 @@
logging_level = INFO
logging_max_bytes = 1048576
logging_file_count = 10
# mode for /var/run/efs in octal
state_file_dir_mode = 750
dns_name_format = {fs_id}.efs.{region}
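Review bot: The sample comment on the new `state_file_dir_mode` line says only that the value is octal; it does not tell an integrator what happens when the value is missing or not valid octal, which the code handles by falling back to its built-in default, nor that the permissions actually applied are still filtered by the mounting process's umask. I would extend it to `# permissions for the state file directory, in octal (no leading 0 needed); an absent or invalid value falls back to 0750, and the umask still applies`. Leaving the value unquoted and without a leading zero is fine since it is parsed with base 8, but that is worth stating so nobody "fixes" it to a decimal 750.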
......@@ -387,12 +387,26 @@ def start_watchdog(init_system):
def create_state_file_dir(config, state_file_dir):
mode = 0o750
mode_str = config.get(CONFIG_SECTION, 'state_file_dir_mode')
mode = int(mode_str, 8)
except ValueError:
logging.warn('Bad state_file_dir_mode "%s" in config file "%s"', mode_str, CONFIG_FILE)
except ConfigParser.NoOptionError:
os.makedirs(state_file_dir, mode)
def bootstrap_tls(config, init_system, dns_name, fs_id, mountpoint, options, state_file_dir=STATE_FILE_DIR):
if not os.path.exists(state_file_dir):
create_state_file_dir(config, state_file_dir)
tls_port = choose_tls_port(config)
options['tlsport'] = tls_port
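Review bot: `mode = int(mode_str, 8)` in create_state_file_dir accepts any base-8 integer, including negative values and bits above 07777, and hands it straight to `os.makedirs`, because the only check is the ValueError raised by int() itself; also, since the assignment happens before any validation could run, a later range check would leave the bad value in `mode`. Parse into a temporary and validate inside the same try so the existing handler logs and keeps the 0o750 default: `parsed = int(mode_str, 8)`, `if not 0 <= parsed <= 0o7777: raise ValueError(mode_str)`, `mode = parsed`. Two related caveats worth a comment next to the makedirs call: the mode is still masked by the process umask (so the configured value is an upper bound, not a guarantee), and because bootstrap_tls only calls create_state_file_dir when the directory does not exist, a pre-existing directory with wider permissions is never tightened or warned about. `logging.warn` is the deprecated alias; `logging.warning` is the documented name. The rendered hunk appears to have dropped the `try:`/`pass` lines of create_state_file_dir, and bootstrap_tls continues past the hunk, so the exact control flow is inferred from the handlers shown.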
......@@ -66,6 +66,14 @@ def test_bootstrap_tls_state_file_nonexistent_dir(mocker, tmpdir):
state_file_dir = str(tmpdir.join(tempfile.mktemp()))
def config_get_side_effect(section, field):
if section == mount_efs.CONFIG_SECTION and field == 'state_file_dir_mode':
return '0755'
raise ValueError('Unexpected arguments')
MOCK_CONFIG.get.side_effect = config_get_side_effect
assert not os.path.exists(state_file_dir)
with mount_efs.bootstrap_tls(MOCK_CONFIG, INIT_SYSTEM, DNS_NAME, FS_ID, MOUNT_POINT, {}, state_file_dir):
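Review bot: The new `config_get_side_effect` only covers the happy path, returning `'0755'` for `state_file_dir_mode`, and nothing in the visible assertions checks that the created directory actually carries that mode; the `ValueError` fallback (a non-octal string) and the `ConfigParser.NoOptionError` fallback to 0750 that the commit message describes are not exercised at all. After the `with` block I would add `assert stat.S_IMODE(os.stat(state_file_dir).st_mode) == 0o755 & ~umask`, computing `umask` once via `os.umask` set-and-restore so the expectation is umask-independent, and add two sibling tests whose side effect returns `'junk'` and raises `ConfigParser.NoOptionError` respectively, each asserting the 0o750 fallback. The `with` statement's body continues past the end of the hunk, so some assertions may exist there that are not shown.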