
Commit f039dcf

zhangzujianchangluyi
authored andcommitted
cni-server: set cni config file permission to 600 (#5906)
* cni-server: set cni config file permission to 600 Signed-off-by: zhangzujian <[email protected]> * fix Signed-off-by: zhangzujian <[email protected]> --------- Signed-off-by: zhangzujian <[email protected]>
1 parent 2818ee8 commit f039dcf


1 file changed

+9
-4
lines changed


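--- a/cmd/daemon/cniserver.go
+++ b/cmd/daemon/cniserver.go
@@ -194,9 +194,14 @@ func main() {
 
 func mvCNIConf(configDir, configFile, confName string) error {
 cniConfPath := filepath.Join(configDir, confName)
-if _, err := os.Stat(cniConfPath); err == nil {
-klog.Infof("CNI config file %q already exists, skipping copying CNI config file", cniConfPath)
-return nil
+if info, err := os.Stat(cniConfPath); err == nil {
+// File exists, check permissions.
+if info.Mode().Perm() == 0o600 {
+klog.Infof("CNI config file %q already exists with correct permissions, skipping.", cniConfPath)
+return nil
+}
+klog.Infof("Fixing permission of existing CNI config file %q to 600", cniConfPath)
+return os.Chmod(cniConfPath, 0o600)
 }
 
 data, err := os.ReadFile(configFile) // #nosec G304
@@ -206,7 +211,7 @@ func mvCNIConf(configDir, configFile, confName string) error {
 }
 
 klog.Infof("Installing cni config file %q to %q", configFile, cniConfPath)
-return os.WriteFile(cniConfPath, data, 0o644) // #nosec G306
+return os.WriteFile(cniConfPath, data, 0o600) // #nosec G306
 }
 
 func Retry(attempts, sleep int, f func(configuration *daemon.Configuration) error, ctrl *daemon.Configuration) (err error) {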
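Review bot: The `// #nosec G306` suppression on the `os.WriteFile` call in the second hunk is stale now that the mode is `0o600`, which gosec's G306 rule accepts by default; leaving it in place means a later change that loosens the mode again would not be flagged, so the line can become `return os.WriteFile(cniConfPath, data, 0o600)`. In the first hunk the early-return test is `info.Mode().Perm() == 0o600`, so a file that is already stricter (for example 0o400) is rewritten to 0o600; if the goal is only to deny group and other access, `info.Mode().Perm()&0o077 == 0` states that directly. The mode given to `os.WriteFile` is applied only when the file is created, and any `os.Stat` error other than not-exist also falls through to the write path, so checking `os.IsNotExist(err)` or following the write with `os.Chmod(cniConfPath, 0o600)` would make the 0600 result hold in that case as well. The lines of `mvCNIConf` between the two hunks are not shown, so the `ReadFile` error handling is assumed unchanged.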
