[Fix]: Restrict password file permissions to 600
pam-ipmi is already updated restrict file permission of /etc/key_file
& /etc/ipmi_pass to 600 during creation. But this won't affect when firmware
is updated with nv section preserved or without user credentials getting
changed. This commit will check the file permission on every boot and update
both the files to 600.
Tested:
1. Verified that RMCP+ connection still works after this change
2. Manually set file permission to 777 and restrating ipmid or BMC
will fix the same.
Change-Id: Icfe8af5af918792412fb42e8114fcf859848e1a8
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
diff --git a/user_channel/passwd_mgr.cpp b/user_channel/passwd_mgr.cpp
index 5e0b30d..b2d32e8 100644
--- a/user_channel/passwd_mgr.cpp
+++ b/user_channel/passwd_mgr.cpp
@@ -39,6 +39,9 @@
static const char* encryptKeyFileName = "/etc/key_file";
static const size_t maxKeySize = 8;
+constexpr mode_t modeMask =
+ (S_ISUID | S_ISGID | S_ISVTX | S_IRWXU | S_IRWXG | S_IRWXO);
+
#define META_PASSWD_SIG "=OPENBMC="
/*
@@ -59,9 +62,31 @@
PasswdMgr::PasswdMgr()
{
+ restrictFilesPermission();
initPasswordMap();
}
+void PasswdMgr::restrictFilesPermission(void)
+{
+ struct stat st = {};
+ // Restrict file permission to owner read & write
+ if (stat(passwdFileName, &st) == 0)
+ {
+ if ((st.st_mode & modeMask) != (S_IRUSR | S_IWUSR))
+ {
+ chmod(passwdFileName, S_IRUSR | S_IWUSR);
+ }
+ }
+
+ if (stat(encryptKeyFileName, &st) == 0)
+ {
+ if ((st.st_mode & modeMask) != (S_IRUSR | S_IWUSR))
+ {
+ chmod(encryptKeyFileName, S_IRUSR | S_IWUSR);
+ }
+ }
+}
+
std::string PasswdMgr::getPasswdByUserName(const std::string& userName)
{
checkAndReload();