Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
ovs-pki: Fix file permissions on Windows.
There is no chmod or 'mkdir -m' support on Windows, so setting file
permissions for keys and certificates doesn't actually work.
Implementing them using icacls utility instead.
ovs-pki script currently only uses 0700 and 0750 modes, so only those
(and 0600) are implemented. NTFS ACLs on Windows are fairly different
and more complex in comparison with Unix file permissions, so it's hard
to implement these functions in a generic way. The script will fail if
it will encounter an unknown mode.
0700 is implemented as a F (full access) for 'Creator Owner' with no
other permissions. 0750 has an additional RX (read+execute) for the
'Creator Group'. 0600 is implemented the same as 0700, since it
doesn't matter for this use case to have or not to have an executable
or traversal permissions managed separately from everything else and
it would be a little overly verbose to give all the permissions except
for X.
Inheritance rules are set to (OI)(CI), so the folder itself, subfolders
and files in a folder inherit those ACEs.
'umask' also doesn't work on Windows. Instead, moving the private key
output files to a temporary folder that has restricted access already
configured. The file will inherit these restricted ACEs.
It should not be necessary to set explicit permissions for these
files since moving them within the same volume should preserve ACEs.
However, it might be safer to chmod them directly as well, just in
case. Windows administrators will still have to be careful with
private keys, because file copies do not preserve permissions and
moves to different volumes do not preserve them as well. 'robocopy'
with flags to copy security should be used in these cases. We may
want to re-implement 'mv' with 'robocopy' if that becomes a problem
in the future.
There is one more place where umask is used in the script for
creation of a self-signed certificate, but it is not actually needed
there since the resulted certificate doen't need to be private, so
not changing this part for now.
Tested with running an empty 'make check' in AppVeyor and examining
permissions for files in tests/pki:
Files | Linux | Windows
---------------------+------------+--------------------------------------
controllerca | drwxr-xr-x | NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
switchca | | BUILTIN\Administrators:(I)(OI)(CI)(F)
*ca\certs | | BUILTIN\Users:(I)(OI)(CI)(RX)
*ca\crl | | BUILTIN\Users:(I)(CI)(AD)
*ca\newcerts | | BUILTIN\Users:(I)(CI)(WD)
| | APPVEYOR-VM\appveyor:(I)(F)
| | CREATOR OWNER:(I)(OI)(CI)(IO)(F)
---------------------+------------+--------------------------------------
stamp | -rw-r--r-- | NT AUTHORITY\SYSTEM:(I)(F)
test-cert.pem | | BUILTIN\Administrators:(I)(F)
test-req.pem | | BUILTIN\Users:(I)(RX)
test2-cert.pem | | APPVEYOR-VM\appveyor:(I)(F)
test2-req.pem | |
*ca\ca.cnf | |
*ca\cacert.pem | |
*ca\careq.pem | |
*ca\crlnumber | |
*ca\index.txt* | |
*ca\serial* | |
*ca\newcerts\*.pem | |
---------------------+------------+--------------------------------------
controllerca\private | drwx------ | APPVEYOR-VM\appveyor:(F)
switchca\private | | CREATOR OWNER:(OI)(CI)(IO)(F)
---------------------+------------+--------------------------------------
test-privkey.pem | -rw------- | APPVEYOR-VM\appveyor:(F)
test2-privkey.pem | |
*ca\private\cakey.pem| |
We can see that private folders and keys have only a full access from
their owners. Other files and folders have some extra inherited ACEs
from a containing folder.
Acked-by: Simon Horman <[email protected]>
Acked-by: Alin-Gabriel Serdean <[email protected]>
Signed-off-by: Ilya Maximets <[email protected]>- Loading branch information
