AdGuardHome/internal/permcheck/security_unix.go

//go:build unix

package permcheck

import (
	"context"
	"fmt"
	"io/fs"
	"log/slog"
	"os"
	"path/filepath"

	"github.com/AdguardTeam/golibs/container"
	"github.com/AdguardTeam/golibs/errors"
	"github.com/AdguardTeam/golibs/logutil/slogutil"
)

// entity is a filesystem entity with a path and a flag indicating whether it is
// a directory.
type entity = container.KeyValue[string, bool]

// entities returns a list of filesystem entities that need to be ranged over.
//
// TODO(a.garipov): Put all paths in one place and remove this duplication.
func entities(workDir, dataDir, statsDir, querylogDir, confFilePath string) (ents []entity) {
	ents = []entity{{
		Key:   workDir,
		Value: true,
	}, {
		Key:   confFilePath,
		Value: false,
	}, {
		Key:   dataDir,
		Value: true,
	}, {
		Key:   filepath.Join(dataDir, "filters"),
		Value: true,
	}, {
		Key:   filepath.Join(dataDir, "sessions.db"),
		Value: false,
	}, {
		Key:   filepath.Join(dataDir, "leases.json"),
		Value: false,
	}}

	if dataDir != querylogDir {
		ents = append(ents, entity{
			Key:   querylogDir,
			Value: true,
		})
	}
	ents = append(ents, entity{
		Key:   filepath.Join(querylogDir, "querylog.json"),
		Value: false,
	}, entity{
		Key:   filepath.Join(querylogDir, "querylog.json.1"),
		Value: false,
	})

	if dataDir != statsDir {
		ents = append(ents, entity{
			Key:   statsDir,
			Value: true,
		})
	}
	ents = append(ents, entity{
		Key: filepath.Join(statsDir, "stats.db"),
	})

	return ents
}

// checkPath checks the permissions of a single filesystem entity.  The results
// are logged at the appropriate level.
func checkPath(ctx context.Context, l *slog.Logger, entPath string, want fs.FileMode) {
	l = l.With("path", entPath)

	s, err := os.Stat(entPath)
	if err != nil {
		lvl := slog.LevelError
		if errors.Is(err, os.ErrNotExist) {
			lvl = slog.LevelDebug
		}

		l.Log(ctx, lvl, "checking permissions", slogutil.KeyError, err)

		return
	}

	// TODO(a.garipov): Add a more fine-grained check and result reporting.
	perm := s.Mode().Perm()
	if perm == want {
		return
	}

	permOct, wantOct := fmt.Sprintf("%#o", perm), fmt.Sprintf("%#o", want)
	l.WarnContext(ctx, "found unexpected permissions", "perm", permOct, "want", wantOct)
}

// chmodPath changes the permissions of a single filesystem entity.  The results
// are logged at the appropriate level.
func chmodPath(ctx context.Context, l *slog.Logger, entPath string, fm fs.FileMode) {
	var lvl slog.Level
	var msg string
	args := []any{"path", entPath}

	switch err := os.Chmod(entPath, fm); {
	case err == nil:
		lvl = slog.LevelInfo
		msg = "changed permissions"
	case errors.Is(err, os.ErrNotExist):
		lvl = slog.LevelDebug
		msg = "checking permissions"
		args = append(args, slogutil.KeyError, err)
	default:
		lvl = slog.LevelError
		msg = "cannot change permissions; this can leave your system vulnerable, see " +
			"https://adguard-dns.io/kb/adguard-home/running-securely/#os-service-concerns"
		args = append(args, "target_perm", fmt.Sprintf("%#o", fm), slogutil.KeyError, err)
	}

	l.Log(ctx, lvl, msg, args...)
}
Pull request 2312: 7400 Windows permcheck Updates #7400. Squashed commit of the following: commit f50d7c200de545dc6c8ef70b39208f522033fb90 Merge: 47040a14c 37b16bcf7 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Tue Dec 3 18:09:23 2024 +0300 Merge branch 'master' into 7400-chown-permcheck commit 47040a14cd50bf50429f44eba0acdcf736412b61 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Tue Dec 3 14:26:43 2024 +0300 permcheck: fix nil entries commit e1d21c576d75a903b88db3b7beb82348cdcf60c9 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Mon Dec 2 15:37:58 2024 +0300 permcheck: fix nil owner commit b1fc67c4d189293d0aee90c1905f7f387840643b Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Fri Nov 29 18:07:15 2024 +0300 permcheck: imp doc commit 0b6a71326e249f0923e389aa1f6f164b02802a24 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Fri Nov 29 17:16:24 2024 +0300 permcheck: imp code commit 7dfbeda179d0ddb81db54fa4e0dcff189b400215 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Fri Nov 29 14:28:17 2024 +0300 permcheck: imp code commit 3a5b6aced948a2d09fdae823fc986266c9984b3d Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Thu Nov 28 19:21:03 2024 +0300 all: imp code, docs commit c076c9366934303fa8c5909bd13770e367dca72e Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Thu Nov 28 15:14:06 2024 +0300 permcheck: imp code, docs commit 09e4ae1ba12e195454f1db11fa2f5c9e8e170f06 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Wed Nov 27 19:19:11 2024 +0300 all: implement windows permcheck commit b75ed7d4d30e289b8a99e68e6a5e94ab74cf49cb Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Mon Nov 25 18:01:47 2024 +0300 all: revert permissions 2024-12-03 18:26:00 +03:00			`//go:build unix`

			`package permcheck`

			`import (`
			`"context"`
			`"fmt"`
			`"io/fs"`
			`"log/slog"`
			`"os"`
			`"path/filepath"`

			`"github.com/AdguardTeam/golibs/container"`
			`"github.com/AdguardTeam/golibs/errors"`
			`"github.com/AdguardTeam/golibs/logutil/slogutil"`
			`)`

			`// entity is a filesystem entity with a path and a flag indicating whether it is`
			`// a directory.`
			`type entity = container.KeyValue[string, bool]`

			`// entities returns a list of filesystem entities that need to be ranged over.`
			`//`
			`// TODO(a.garipov): Put all paths in one place and remove this duplication.`
			`func entities(workDir, dataDir, statsDir, querylogDir, confFilePath string) (ents []entity) {`
			`ents = []entity{{`
			`Key: workDir,`
			`Value: true,`
			`}, {`
			`Key: confFilePath,`
			`Value: false,`
			`}, {`
			`Key: dataDir,`
			`Value: true,`
			`}, {`
			`Key: filepath.Join(dataDir, "filters"),`
			`Value: true,`
			`}, {`
			`Key: filepath.Join(dataDir, "sessions.db"),`
			`Value: false,`
			`}, {`
			`Key: filepath.Join(dataDir, "leases.json"),`
			`Value: false,`
			`}}`

			`if dataDir != querylogDir {`
			`ents = append(ents, entity{`
			`Key: querylogDir,`
			`Value: true,`
			`})`
			`}`
			`ents = append(ents, entity{`
			`Key: filepath.Join(querylogDir, "querylog.json"),`
			`Value: false,`
			`}, entity{`
			`Key: filepath.Join(querylogDir, "querylog.json.1"),`
			`Value: false,`
			`})`

			`if dataDir != statsDir {`
			`ents = append(ents, entity{`
			`Key: statsDir,`
			`Value: true,`
			`})`
			`}`
			`ents = append(ents, entity{`
			`Key: filepath.Join(statsDir, "stats.db"),`
			`})`

			`return ents`
			`}`

			`// checkPath checks the permissions of a single filesystem entity. The results`
			`// are logged at the appropriate level.`
			`func checkPath(ctx context.Context, l *slog.Logger, entPath string, want fs.FileMode) {`
			`l = l.With("path", entPath)`

			`s, err := os.Stat(entPath)`
			`if err != nil {`
			`lvl := slog.LevelError`
			`if errors.Is(err, os.ErrNotExist) {`
			`lvl = slog.LevelDebug`
			`}`

			`l.Log(ctx, lvl, "checking permissions", slogutil.KeyError, err)`

			`return`
			`}`

			`// TODO(a.garipov): Add a more fine-grained check and result reporting.`
			`perm := s.Mode().Perm()`
			`if perm == want {`
			`return`
			`}`

			`permOct, wantOct := fmt.Sprintf("%#o", perm), fmt.Sprintf("%#o", want)`
			`l.WarnContext(ctx, "found unexpected permissions", "perm", permOct, "want", wantOct)`
			`}`

			`// chmodPath changes the permissions of a single filesystem entity. The results`
			`// are logged at the appropriate level.`
			`func chmodPath(ctx context.Context, l *slog.Logger, entPath string, fm fs.FileMode) {`
			`var lvl slog.Level`
			`var msg string`
			`args := []any{"path", entPath}`

			`switch err := os.Chmod(entPath, fm); {`
			`case err == nil:`
			`lvl = slog.LevelInfo`
			`msg = "changed permissions"`
			`case errors.Is(err, os.ErrNotExist):`
			`lvl = slog.LevelDebug`
			`msg = "checking permissions"`
			`args = append(args, slogutil.KeyError, err)`
			`default:`
			`lvl = slog.LevelError`
			`msg = "cannot change permissions; this can leave your system vulnerable, see " +`
			`"https://adguard-dns.io/kb/adguard-home/running-securely/#os-service-concerns"`
			`args = append(args, "target_perm", fmt.Sprintf("%#o", fm), slogutil.KeyError, err)`
			`}`

			`l.Log(ctx, lvl, msg, args...)`
			`}`