__file: make file uploading and attribute changes more atomic

Fixes ungleich-public/cdist#331

Signed-off-by: Steven Armstrong <steven@armstrong.cc>
This commit is contained in:
Steven Armstrong 2022-04-10 23:52:53 +02:00
parent bd44c023d3
commit 22039284f5
2 changed files with 33 additions and 9 deletions

View file

@ -1,7 +1,7 @@
#!/bin/sh -e
#
# 2011-2012 Nico Schottelius (nico-cdist at schottelius.org)
# 2013 Steven Armstrong (steven-cdist armstrong.cc)
# 2013-2022 Steven Armstrong (steven-cdist armstrong.cc)
#
# This file is part of cdist.
#
@ -89,10 +89,26 @@ if [ "$state_should" = "present" ] || [ "$state_should" = "exists" ]; then
touch "$__object/files/set-attributes"
# upload file to temp location
tempfile_template="${destination}.cdist.XXXXXXXXXX"
upload_destination="$(mktemp -u "${destination}.cdist.XXXXXXXXXX")"
# Yes, we are aware that this is a race condition.
# However:
# a) cdist usually writes to directories that are not user writable
# (probably > 99.9%)
# b) if they are user owned, the user / attacker always wins
# (probably < 0.1%)
# c) the only case which we could improve are tmp directories and we
# don't think managing tmp directories with cdist is a typical case
# ("the rest %)"
cat << DONE
destination_upload="\$($__remote_exec $__target_host "mktemp $tempfile_template")"
$__remote_exec $__target_host test -e $upload_destination && {
echo "Refusing to upload file to existing destination: $upload_destination" >&2
exit 1
}
DONE
# Tell gencode-remote to where we uploaded the file so it can move
# it to its final destination.
echo "$upload_destination" > "$__object/files/upload-destination"
if [ "$upload_file" ]; then
echo upload >> "$__messages_out"
# IPv6 fix
@ -103,12 +119,8 @@ DONE
my_target_host="${__target_host}"
fi
cat << DONE
$__remote_copy "$source" "${my_target_host}:\$destination_upload"
DONE
fi
# move uploaded file into place
cat << DONE
$__remote_exec $__target_host "rm -rf \"$destination\"; mv \"\$destination_upload\" \"$destination\""
$__remote_copy "$source" "${my_target_host}:${upload_destination}"
DONE
fi
fi
fi

View file

@ -1,7 +1,7 @@
#!/bin/sh -e
#
# 2011-2013 Nico Schottelius (nico-cdist at schottelius.org)
# 2013 Steven Armstrong (steven-cdist armstrong.cc)
# 2013-2022 Steven Armstrong (steven-cdist armstrong.cc)
#
# This file is part of cdist.
#
@ -62,6 +62,13 @@ set_mode() {
case "$state_should" in
present|exists)
if [ -f "$__object/files/upload-destination" ]; then
final_destination="$destination"
# We change the 'global' $destination variable here so we can
# change attributes of the new/uploaded file before moving it
# to it's final destination.
destination="$(cat "$__object/files/upload-destination")"
fi
# Note: Mode - needs to happen last as a chown/chgrp can alter mode by
# clearing S_ISUID and S_ISGID bits (see chown(2))
for attribute in group owner mode; do
@ -81,6 +88,11 @@ case "$state_should" in
fi
fi
done
if [ -f "$__object/files/upload-destination" ]; then
# move uploaded file into place
printf 'rm -rf "%s"\n' "$final_destination"
printf 'mv -T "%s" "%s"\n' "$destination" "$final_destination"
fi
if [ -f "$__object/files/set-attributes" ]; then
# set-attributes is created if file is created or uploaded in gencode-local
fire_onchange=1