Harden SQLite permissions (#12096)

2024-10-21 01:34:01 +00:00 · 2022-05-02 16:12:45 +02:00 · 2022-05-02 16:12:45 +02:00 · e9fb1e84e2
parent 73239fba42
commit e9fb1e84e2
1 changed files with 23 additions and 2 deletions
--- a/lib/backend/lite/lite.go
+++ b/lib/backend/lite/lite.go
@ -21,6 +21,7 @@ import (
 	"context"
 	"database/sql"
 	"database/sql/driver"
+	"errors"
 	"net/url"
 	"os"
 	"path/filepath"
@ -56,7 +57,10 @@ const (
 const (
 	// defaultDirMode is the mode of the newly created directories that are part
 	// of the Path
-	defaultDirMode os.FileMode = 0770
+	defaultDirMode os.FileMode = 0700
+
+	// dbMode is the mode set on sqlite database files
+	dbMode os.FileMode = 0600

 	// defaultDBFile is the file name of the sqlite db in the directory
 	// specified by Path
@ -197,15 +201,32 @@ func NewWithConfig(ctx context.Context, cfg Config) (*Backend, error) {
 		return nil, trace.Wrap(err)
 	}
 	connectionURI := cfg.ConnectionURI()
+	path := filepath.Join(cfg.Path, defaultDBFile)
 	// Ensure that the path to the root directory exists.
-	err := os.MkdirAll(cfg.Path, defaultDirMode)
+	err := os.MkdirAll(cfg.Path, os.ModeDir|defaultDirMode)
 	if err != nil {
 		return nil, trace.ConvertSystemError(err)
 	}
+
+	setPermissions := false
+	if _, err := os.Stat(path); errors.Is(err, os.ErrNotExist) {
+		setPermissions = true
+	}
+
 	db, err := sql.Open("sqlite3", cfg.ConnectionURI())
 	if err != nil {
 		return nil, trace.Wrap(err, "error opening URI: %v", connectionURI)
 	}
+
+	if setPermissions {
+		// Ensure the database has restrictive access permissions.
+		db.PingContext(ctx)
+		err = os.Chmod(path, dbMode)
+		if err != nil {
+			return nil, trace.ConvertSystemError(err)
+		}
+	}
+
 	// serialize access to sqlite, as we're using immediate transactions anyway,
 	// and in-memory go locks are faster than sqlite locks
 	db.SetMaxOpenConns(1)