
Set file permissions when creating files

This isn't a full audit of all places where files are created, but it covers most. Permissions are intentionally not set on the image cache, as those files are not sensitive.
pull/1842/head
Jake Howard 4 years ago
parent
commit
c1dc531317
No known key found for this signature in database GPG Key ID: 57AFB45680EDD477
  1. 37
      src/api/core/ciphers.rs
  2. 3
      src/api/core/sends.rs
  3. 3
      src/config.rs
  4. 4
      src/main.rs
  5. 11
      src/util.rs

37
src/api/core/ciphers.rs

@ -13,6 +13,7 @@ use crate::{
auth::Headers, auth::Headers,
crypto, crypto,
db::{models::*, DbConn, DbPool}, db::{models::*, DbConn, DbPool},
util::set_file_mode,
CONFIG, CONFIG,
}; };
@ -929,22 +930,26 @@ fn save_attachment(
}; };
path = base_path.join(&file_id); path = base_path.join(&file_id);
let size = let size = match field.data.save().memory_threshold(0).size_limit(size_limit).with_path(&path) {
match field.data.save().memory_threshold(0).size_limit(size_limit).with_path(path.clone()) { SaveResult::Full(SavedData::File(_, size)) => size as i32,
SaveResult::Full(SavedData::File(_, size)) => size as i32, SaveResult::Full(other) => {
SaveResult::Full(other) => { error = Some(format!("Attachment is not a file: {:?}", other));
error = Some(format!("Attachment is not a file: {:?}", other)); return;
return; }
} SaveResult::Partial(_, reason) => {
SaveResult::Partial(_, reason) => { error = Some(format!("Attachment size limit exceeded with this file: {:?}", reason));
error = Some(format!("Attachment size limit exceeded with this file: {:?}", reason)); return;
return; }
} SaveResult::Error(e) => {
SaveResult::Error(e) => { error = Some(format!("Error: {:?}", e));
error = Some(format!("Error: {:?}", e)); return;
return; }
} };
};
if let Err(e) = set_file_mode(&path, 0o600) {
error = Some(format!("Error: {:?}", e));
return;
};
if let Some(attachment) = &mut attachment { if let Some(attachment) = &mut attachment {
// v2 API // v2 API
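Review bot: The `set_file_mode(&path, 0o600)` call runs only after `save()` has written the attachment, so between creation and chmod the file has whatever mode the process umask yields and may be readable by other local users. The same write-then-chmod ordering appears in the `sends.rs`, `config.rs` and `main.rs` sections, the last of which covers the RSA private key. Where the code creates the file itself through `write_file`, opening it with `OpenOptions` and `std::os::unix::fs::OpenOptionsExt::mode(0o600)` would close the gap. For the multipart save here the hunk shows no way to pass a mode, so it would need a restrictive umask at startup or a data directory that other users cannot traverse. `save_attachment` starts and ends outside the hunk.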

3
src/api/core/sends.rs

@ -10,6 +10,7 @@ use crate::{
api::{ApiResult, EmptyResult, JsonResult, JsonUpcase, Notify, UpdateType}, api::{ApiResult, EmptyResult, JsonResult, JsonUpcase, Notify, UpdateType},
auth::{Headers, Host}, auth::{Headers, Host},
db::{models::*, DbConn, DbPool}, db::{models::*, DbConn, DbPool},
util::set_file_mode,
CONFIG, CONFIG,
}; };
@ -213,6 +214,8 @@ fn post_send_file(data: Data, content_type: &ContentType, headers: Headers, conn
} }
}; };
set_file_mode(&file_path, 0o600)?;
// Set ID and sizes // Set ID and sizes
let mut data_value: Value = serde_json::from_str(&send.data)?; let mut data_value: Value = serde_json::from_str(&send.data)?;
if let Some(o) = data_value.as_object_mut() { if let Some(o) = data_value.as_object_mut() {

3
src/config.rs

@ -8,7 +8,7 @@ use reqwest::Url;
use crate::{ use crate::{
db::DbConnType, db::DbConnType,
error::Error, error::Error,
util::{get_env, get_env_bool, write_file}, util::{get_env, get_env_bool, set_file_mode, write_file},
}; };
static CONFIG_FILE: Lazy<String> = Lazy::new(|| { static CONFIG_FILE: Lazy<String> = Lazy::new(|| {
@ -692,6 +692,7 @@ impl Config {
//Save to file //Save to file
write_file(&CONFIG_FILE, config_str.as_bytes())?; write_file(&CONFIG_FILE, config_str.as_bytes())?;
set_file_mode(&*CONFIG_FILE, 0o600)?;
Ok(()) Ok(())
} }

4
src/main.rs

@ -32,7 +32,7 @@ mod util;
pub use config::CONFIG; pub use config::CONFIG;
pub use error::{Error, MapResult}; pub use error::{Error, MapResult};
pub use util::is_running_in_docker; pub use util::{is_running_in_docker, set_file_mode};
fn main() { fn main() {
parse_args(); parse_args();
@ -254,6 +254,7 @@ fn check_rsa_keys() -> Result<(), crate::error::Error> {
let priv_key = rsa_key.private_key_to_pem()?; let priv_key = rsa_key.private_key_to_pem()?;
crate::util::write_file(&priv_path, &priv_key)?; crate::util::write_file(&priv_path, &priv_key)?;
set_file_mode(&priv_path, 0o600)?;
info!("Private key created correctly."); info!("Private key created correctly.");
} }
@ -262,6 +263,7 @@ fn check_rsa_keys() -> Result<(), crate::error::Error> {
let pub_key = rsa_key.public_key_to_pem()?; let pub_key = rsa_key.public_key_to_pem()?;
crate::util::write_file(&pub_path, &pub_key)?; crate::util::write_file(&pub_path, &pub_key)?;
set_file_mode(&pub_path, 0o600)?;
info!("Public key created correctly."); info!("Public key created correctly.");
} }

11
src/util.rs

@ -248,6 +248,17 @@ pub fn delete_file(path: &str) -> IOResult<()> {
res res
} }
pub fn set_file_mode<P: AsRef<Path>>(path: P, mode: u32) -> IOResult<()> {
if !cfg!(unix) {
// noop on non-unix
return Ok(());
}
use std::fs::{set_permissions, Permissions};
use std::os::unix::fs::PermissionsExt;
set_permissions(&path, Permissions::from_mode(mode))
}
const UNITS: [&str; 6] = ["bytes", "KB", "MB", "GB", "TB", "PB"]; const UNITS: [&str; 6] = ["bytes", "KB", "MB", "GB", "TB", "PB"];
pub fn get_display_size(size: i32) -> String { pub fn get_display_size(size: i32) -> String {
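Review bot: `cfg!(unix)` in `set_file_mode` is an ordinary boolean expression, so the `use std::os::unix::fs::PermissionsExt;` line after the early return is still compiled on every target and will not resolve where `std::os::unix` is absent. If non-unix builds are supported, gate the definition with `#[cfg(unix)]` and add a `#[cfg(not(unix))]` twin with the same signature whose body is just `Ok(())`. A short doc comment would also help callers, for example `/// Sets POSIX permission bits on path; does nothing on non-unix targets.`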
