System key: Set permissions to owner read/write only

When generating the sysemkey, the permissions are set to owner read/write only in order to protect the system key. This only works, if the underlying filesystem supports posix permissions. Closes elastic/elasticsearch#516 Original commit: elastic/x-pack-elasticsearch@32d6e1d745
2015-01-02 09:35:32 +01:00 · 2015-01-02 09:35:32 +01:00 · c2493f98d7
parent b4b3101b63
commit c2493f98d7
2 changed files with 41 additions and 2 deletions
--- a/src/main/java/org/elasticsearch/shield/signature/tool/SystemKeyTool.java
+++ b/src/main/java/org/elasticsearch/shield/signature/tool/SystemKeyTool.java
@ -9,6 +9,7 @@ import org.elasticsearch.common.cli.CliTool;
 import org.elasticsearch.common.cli.CliToolConfig;
 import org.elasticsearch.common.cli.Terminal;
 import org.elasticsearch.common.cli.commons.CommandLine;
+import org.elasticsearch.common.collect.Sets;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.env.Environment;
 import org.elasticsearch.shield.signature.InternalSignatureService;
@ -17,6 +18,9 @@ import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.nio.file.StandardOpenOption;
+import java.nio.file.attribute.PosixFileAttributeView;
+import java.nio.file.attribute.PosixFilePermission;
+import java.util.Set;

 import static org.elasticsearch.common.cli.CliToolConfig.Builder.cmd;
 import static org.elasticsearch.common.cli.CliToolConfig.config;
@ -26,6 +30,10 @@ import static org.elasticsearch.common.cli.CliToolConfig.config;
 */
 public class SystemKeyTool extends CliTool {

+    public static final Set<PosixFilePermission> PERMISSION_OWNER_READ_WRITE = Sets.newHashSet(PosixFilePermission.OWNER_READ,
+        PosixFilePermission.OWNER_WRITE);
+
+
    public static void main(String[] args) throws Exception {
        int status = new SystemKeyTool().execute(args);
        System.exit(status);
@ -74,8 +82,15 @@ public class SystemKeyTool extends CliTool {
            byte[] key = InternalSignatureService.generateKey();
            terminal.println("Storing generated key in [%s]", path.toAbsolutePath());
            Files.write(path, key, StandardOpenOption.CREATE, StandardOpenOption.TRUNCATE_EXISTING);
+
+            boolean supportsPosixPermissions = Files.getFileStore(path).supportsFileAttributeView(PosixFileAttributeView.class);
+            if (supportsPosixPermissions) {
+                Files.setPosixFilePermissions(path, PERMISSION_OWNER_READ_WRITE);
+                terminal.println("Ensure the generated key can be read by the user that Elasticsearch runs as, permissions are set to owner read/write only");
+            }
+
            return ExitStatus.OK;
        }
    }

-}
+}
--- a/src/test/java/org/elasticsearch/shield/signature/tool/SystemKeyToolTests.java
+++ b/src/test/java/org/elasticsearch/shield/signature/tool/SystemKeyToolTests.java
@ -12,14 +12,17 @@ import org.elasticsearch.common.io.Streams;
 import org.elasticsearch.common.settings.ImmutableSettings;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.env.Environment;
-import org.elasticsearch.shield.signature.InternalSignatureService;
 import org.elasticsearch.shield.ShieldPlugin;
+import org.elasticsearch.shield.signature.InternalSignatureService;
 import org.junit.Before;
 import org.junit.Test;

 import java.io.File;
 import java.nio.file.Files;
 import java.nio.file.Path;
+import java.nio.file.attribute.PosixFileAttributeView;
+import java.nio.file.attribute.PosixFilePermission;
+import java.util.Set;

 import static org.elasticsearch.shield.signature.tool.SystemKeyTool.Generate;
 import static org.hamcrest.Matchers.*;
@ -93,4 +96,25 @@ public class SystemKeyToolTests extends CliToolTestCase {
        byte[] bytes = Streams.copyToByteArray(path.toFile());
        assertThat(bytes.length, is(InternalSignatureService.KEY_SIZE / 8));
    }
+
+    @Test
+    public void testThatSystemKeyMayOnlyBeReadByOwner() throws Exception {
+        File config = newTempDir();
+        File shieldConfig = new File(config, ShieldPlugin.NAME);
+        shieldConfig.mkdirs();
+        Path path = new File(shieldConfig, "system_key").toPath();
+
+        // no posix file permissions, nothing to test, done here
+        boolean supportsPosixPermissions = Files.getFileStore(shieldConfig.toPath()).supportsFileAttributeView(PosixFileAttributeView.class);
+        assumeTrue("Ignoring because posix file attributes are not supported", supportsPosixPermissions);
+
+        when(env.configFile()).thenReturn(config);
+        Generate generate = new Generate(terminal, null);
+        CliTool.ExitStatus status = generate.execute(ImmutableSettings.EMPTY, env);
+        assertThat(status, is(CliTool.ExitStatus.OK));
+
+        Set<PosixFilePermission> posixFilePermissions = Files.getPosixFilePermissions(path);
+        assertThat(posixFilePermissions, hasSize(2));
+        assertThat(posixFilePermissions, containsInAnyOrder(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE));
+    }
 }