authorEric Biggers <ebiggers@google.com>2022-02-23 12:35:04 -0800
committerEric Biggers <ebiggers@google.com>2022-02-23 12:35:04 -0800
commitd4ce0b892cbe68db9f90f4015342e6a9069b079c (patch)
tree9934a74b71590b5e4bcd0067391ffe3ec602a77a /filesystem
parent85a747493ff368a72f511619ecd391016ecb933c (diff)
Make all new metadata files owned by user when needed
Since commit 4c7c6631cc5a ("Set owner of login protectors to correct user"), login protectors are made owned by the user when root creates one on a user's behalf. That's good, but the same isn't true of other files that get created at the same time: - The policy protecting the directory - The protector link file, if the policy is on a different filesystem - The recovery protector, if the policy is on a different filesystem - The recovery instructions file In preparation for setting all metadata files to mode 0600, start making all these files owned by the user in this scenario as well.
Diffstat (limited to 'filesystem')
-rw-r--r--filesystem/filesystem.go21
-rw-r--r--filesystem/filesystem_test.go34
2 files changed, 25 insertions, 30 deletions
diff --git a/filesystem/filesystem.go b/filesystem/filesystem.go
index 6e4f2c6..1877b1b 100644
--- a/filesystem/filesystem.go
+++ b/filesystem/filesystem.go
@@ -649,6 +649,8 @@ func (m *Mount) writeData(path string, data []byte, owner *user.User) error {
tempFile.Close()
return err
}
+ // Override the file owner if one was specified. This happens when root
+ // needs to create files owned by a particular user.
if owner != nil {
if err = util.Chown(tempFile, owner); err != nil {
log.Printf("could not set owner of %q to %v: %v",
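Review bot: The new comment explains when the owner override happens but not what a failed override means, and the lines right after it only show a log.Printf for the util.Chown error, with the rest of that branch outside the hunk. If a chown failure is logged but not returned, writeData reports success while the file keeps the creating process's ownership, which becomes a real access problem once these files move to mode 0600 as the description plans. If the failure is in fact returned, extend the comment to say so, e.g. `// A failed chown is an error: the file must not be left owned by root.`; if it is deliberately tolerated, state why in the same comment so callers know they cannot rely on the owner.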
@@ -786,7 +788,7 @@ func (m *Mount) removeMetadata(path string) error {
// will overwrite the value of an existing protector with this descriptor. This
// will fail with ErrLinkedProtector if a linked protector with this descriptor
// already exists on the filesystem.
-func (m *Mount) AddProtector(data *metadata.ProtectorData) error {
+func (m *Mount) AddProtector(data *metadata.ProtectorData, owner *user.User) error {
var err error
if err = m.CheckSetup(nil); err != nil {
return err
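Review bot: The doc comment of AddProtector, which begins above this hunk, is not updated for the new `owner` parameter, so a caller cannot tell whether nil is permitted or what a non-nil value does. Suggest appending `// If owner is non-nil, the created protector file is made owned by that user; this is used when root creates a protector on a user's behalf.` The same gap applies to `ownerIfCreating` on AddLinkedProtector in the next hunk and to `owner` on AddPolicy in the last hunk of this file. The body of AddProtector continues in the next hunk.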
@@ -796,21 +798,14 @@ func (m *Mount) AddProtector(data *metadata.ProtectorData) error {
data.ProtectorDescriptor, m.Path)
}
path := m.protectorPath(data.ProtectorDescriptor)
-
- var owner *user.User
- if data.Source == metadata.SourceType_pam_passphrase && util.IsUserRoot() {
- owner, err = util.UserFromUID(data.Uid)
- if err != nil {
- return err
- }
- }
return m.addMetadata(path, data, owner)
}
// AddLinkedProtector adds a link in this filesystem to the protector metadata
// in the dest filesystem, if one doesn't already exist. On success, the return
// value is a nil error and a bool that is true iff the link is newly created.
-func (m *Mount) AddLinkedProtector(descriptor string, dest *Mount, trustedUser *user.User) (bool, error) {
+func (m *Mount) AddLinkedProtector(descriptor string, dest *Mount, trustedUser *user.User,
+ ownerIfCreating *user.User) (bool, error) {
if err := m.CheckSetup(trustedUser); err != nil {
return false, err
}
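Review bot: Deleting the owner derivation removes the only place that tied the file owner to data.Uid for a pam_passphrase protector; AddProtector now writes whatever owner the caller passes, and the callers are outside this diff (the diffstat is limited to 'filesystem'). If a caller passes nil, root-created login protectors silently go back to being root-owned, and if a caller passes a different user, the file owner no longer matches the UID recorded in the protector, which the spoofed-login-protector handling exercised in the tests appears to depend on. A small guard in AddProtector keeps that invariant without reinstating the derivation; the error construction below should follow whatever the file already uses. Separately, the doc comment of AddLinkedProtector is not updated for `ownerIfCreating`. AddProtector's body continues in the next hunk.
```go
func (m *Mount) AddProtector(data *metadata.ProtectorData, owner *user.User) error {
	// … unchanged: CheckSetup and descriptor validation …
	path := m.protectorPath(data.ProtectorDescriptor)
	// A login protector must be owned by the user it claims to belong to;
	// refuse a mismatching owner rather than write a file that the later
	// ownership check would reject (or, under root, wrongly accept).
	if owner != nil && data.Source == metadata.SourceType_pam_passphrase {
		want, err := util.UserFromUID(data.Uid)
		if err != nil {
			return err
		}
		if want.Uid != owner.Uid {
			return fmt.Errorf("protector %s belongs to uid %v, not to user %q",
				data.ProtectorDescriptor, data.Uid, owner.Username)
		}
	}
	return m.addMetadata(path, data, owner)
}
```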
@@ -843,7 +838,7 @@ func (m *Mount) AddLinkedProtector(descriptor string, dest *Mount, trustedUser *
if err != nil {
return false, err
}
- return true, m.writeData(linkPath, []byte(newLink), nil)
+ return true, m.writeData(linkPath, []byte(newLink), ownerIfCreating)
}
// GetRegularProtector looks up the protector metadata by descriptor. This will
@@ -931,12 +926,12 @@ func (m *Mount) ListProtectors(trustedUser *user.User) ([]string, error) {
}
// AddPolicy adds the policy metadata to the filesystem storage.
-func (m *Mount) AddPolicy(data *metadata.PolicyData) error {
+func (m *Mount) AddPolicy(data *metadata.PolicyData, owner *user.User) error {
if err := m.CheckSetup(nil); err != nil {
return err
}
- return m.addMetadata(m.PolicyPath(data.KeyDescriptor), data, nil)
+ return m.addMetadata(m.PolicyPath(data.KeyDescriptor), data, owner)
}
// GetPolicy looks up the policy metadata by descriptor.
diff --git a/filesystem/filesystem_test.go b/filesystem/filesystem_test.go
index 92e113b..f74078d 100644
--- a/filesystem/filesystem_test.go
+++ b/filesystem/filesystem_test.go
@@ -253,31 +253,31 @@ func TestAddProtector(t *testing.T) {
defer mnt.RemoveAllMetadata()
protector := getFakeProtector()
- if err = mnt.AddProtector(protector); err != nil {
+ if err = mnt.AddProtector(protector, nil); err != nil {
t.Error(err)
}
// Change the source to bad one, or one that requires hashing costs
protector.Source = metadata.SourceType_default
- if mnt.AddProtector(protector) == nil {
+ if mnt.AddProtector(protector, nil) == nil {
t.Error("bad source for a descriptor should make metadata invalid")
}
protector.Source = metadata.SourceType_custom_passphrase
- if mnt.AddProtector(protector) == nil {
+ if mnt.AddProtector(protector, nil) == nil {
t.Error("protectors using passphrases should require hashing costs")
}
protector.Source = metadata.SourceType_raw_key
// Use a bad wrapped key
protector.WrappedKey = wrappedPolicyKey
- if mnt.AddProtector(protector) == nil {
+ if mnt.AddProtector(protector, nil) == nil {
t.Error("bad length for protector keys should make metadata invalid")
}
protector.WrappedKey = wrappedProtectorKey
// Change the descriptor (to a bad length)
protector.ProtectorDescriptor = "abcde"
- if mnt.AddProtector(protector) == nil {
+ if mnt.AddProtector(protector, nil) == nil {
t.Error("bad descriptor length should make metadata invalid")
}
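Review bot: Every updated call in this hunk passes nil for the new owner argument, so after this change no test in the file exercises the non-nil path that replaces the derivation removed from AddProtector; the AddPolicy and AddLinkedProtector hunks below have the same gap. A non-nil owner only has an effect when the process is root (writeData chowns the temp file), so a full check would need the root-conditional pattern TestSpoofedLoginProtector already uses. At minimum a case that passes the current user, e.g. `u, _ := user.Current()` followed by `mnt.AddProtector(protector, u)`, would confirm the argument is accepted and plumbed through (importing os/user if the test file does not already).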
@@ -292,32 +292,32 @@ func TestAddPolicy(t *testing.T) {
defer mnt.RemoveAllMetadata()
policy := getFakePolicy()
- if err = mnt.AddPolicy(policy); err != nil {
+ if err = mnt.AddPolicy(policy, nil); err != nil {
t.Error(err)
}
// Bad encryption options should make policy invalid
policy.Options.Padding = 7
- if mnt.AddPolicy(policy) == nil {
+ if mnt.AddPolicy(policy, nil) == nil {
t.Error("padding not a power of 2 should make metadata invalid")
}
policy.Options.Padding = 16
policy.Options.Filenames = metadata.EncryptionOptions_default
- if mnt.AddPolicy(policy) == nil {
+ if mnt.AddPolicy(policy, nil) == nil {
t.Error("encryption mode not set should make metadata invalid")
}
policy.Options.Filenames = metadata.EncryptionOptions_AES_256_CTS
// Use a bad wrapped key
policy.WrappedPolicyKeys[0].WrappedKey = wrappedProtectorKey
- if mnt.AddPolicy(policy) == nil {
+ if mnt.AddPolicy(policy, nil) == nil {
t.Error("bad length for policy keys should make metadata invalid")
}
policy.WrappedPolicyKeys[0].WrappedKey = wrappedPolicyKey
// Change the descriptor (to a bad length)
policy.KeyDescriptor = "abcde"
- if mnt.AddPolicy(policy) == nil {
+ if mnt.AddPolicy(policy, nil) == nil {
t.Error("bad descriptor length should make metadata invalid")
}
}
@@ -331,7 +331,7 @@ func TestSetPolicy(t *testing.T) {
defer mnt.RemoveAllMetadata()
policy := getFakePolicy()
- if err = mnt.AddPolicy(policy); err != nil {
+ if err = mnt.AddPolicy(policy, nil); err != nil {
t.Fatal(err)
}
@@ -355,7 +355,7 @@ func TestSetProtector(t *testing.T) {
defer mnt.RemoveAllMetadata()
protector := getFakeProtector()
- if err = mnt.AddProtector(protector); err != nil {
+ if err = mnt.AddProtector(protector, nil); err != nil {
t.Fatal(err)
}
@@ -383,7 +383,7 @@ func TestSpoofedLoginProtector(t *testing.T) {
// Control case: protector with matching UID should be accepted.
protector := getFakeLoginProtector(myUID)
- if err = mnt.AddProtector(protector); err != nil {
+ if err = mnt.AddProtector(protector, nil); err != nil {
t.Fatal(err)
}
_, err = mnt.GetRegularProtector(protector.ProtectorDescriptor, nil)
@@ -398,7 +398,7 @@ func TestSpoofedLoginProtector(t *testing.T) {
// *unless* the process running the tests (and hence the file owner) is
// root in which case it should be accepted.
protector = getFakeLoginProtector(badUID)
- if err = mnt.AddProtector(protector); err != nil {
+ if err = mnt.AddProtector(protector, nil); err != nil {
t.Fatal(err)
}
_, err = mnt.GetRegularProtector(protector.ProtectorDescriptor, nil)
@@ -445,19 +445,19 @@ func TestLinkedProtector(t *testing.T) {
// Add the protector to the first filesystem
protector := getFakeProtector()
- if err = realMnt.AddProtector(protector); err != nil {
+ if err = realMnt.AddProtector(protector, nil); err != nil {
t.Fatal(err)
}
// Add the link to the second filesystem
var isNewLink bool
- if isNewLink, err = fakeMnt.AddLinkedProtector(protector.ProtectorDescriptor, realMnt, nil); err != nil {
+ if isNewLink, err = fakeMnt.AddLinkedProtector(protector.ProtectorDescriptor, realMnt, nil, nil); err != nil {
t.Fatal(err)
}
if !isNewLink {
t.Fatal("Link was not new")
}
- if isNewLink, err = fakeMnt.AddLinkedProtector(protector.ProtectorDescriptor, realMnt, nil); err != nil {
+ if isNewLink, err = fakeMnt.AddLinkedProtector(protector.ProtectorDescriptor, realMnt, nil, nil); err != nil {
t.Fatal(err)
}
if isNewLink {