Merge pull request #566 from nomis/umask

Add "objectstore.umask" configuration option for file/directory creation
opendnssec · Jan 19, 2021 · 8f5e4e4 · 8f5e4e4
2 parents 378b5b8 + de5bb8a
commit 8f5e4e4
Show file tree

Hide file tree

Showing 40 changed files with 396 additions and 219 deletions.
diff --git a/configure.ac b/configure.ac
@@ -167,6 +167,11 @@ AC_DEFINE_UNQUOTED(
  ["$softhsmtokendir"],
  [The default location of the token directory]
 )
+AC_DEFINE_UNQUOTED(
+ [DEFAULT_UMASK],
+ [0077],
+ [The default file mode creation mask]
+)
 AC_DEFINE_UNQUOTED(
  [DEFAULT_OBJECTSTORE_BACKEND],
  ["file"],

diff --git a/src/bin/util/softhsm2-util.cpp b/src/bin/util/softhsm2-util.cpp
@@ -548,8 +548,9 @@ bool deleteToken(char* serial, char* token)
  bool rv = true;
  std::string basedir = Configuration::i()->getString("directories.tokendir", DEFAULT_TOKENDIR);
  std::string tokendir;
+ int umask = Configuration::i()->getInt("objectstore.umask", DEFAULT_UMASK);
 
- rv = findTokenDirectory(basedir, tokendir, serial, token);
+ rv = findTokenDirectory(basedir, tokendir, umask, serial, token);
 
  if (rv)
  {
@@ -634,7 +635,7 @@ void finalizeSoftHSM()
 }
 
 // Find the token directory
-bool findTokenDirectory(std::string basedir, std::string& tokendir, char* serial, char* label)
+bool findTokenDirectory(std::string basedir, std::string& tokendir, int umask, char* serial, char* label)
 {
  if (serial == NULL && label == NULL)
  {
@@ -693,7 +694,7 @@ bool findTokenDirectory(std::string basedir, std::string& tokendir, char* serial
  memset(paddedTokenLabel, ' ', sizeof(paddedTokenLabel));
 
  // Create a token instance
- ObjectStoreToken* token = ObjectStoreToken::accessToken(basedir, *i);
+ ObjectStoreToken* token = ObjectStoreToken::accessToken(basedir, *i, umask);
 
  if (!token->isValid())
  {

diff --git a/src/bin/util/softhsm2-util.h b/src/bin/util/softhsm2-util.h
@@ -43,7 +43,7 @@ void usage();
 bool checkSetup();
 int initToken(CK_SLOT_ID slotID, char* label, char* soPIN, char* userPIN);
 bool deleteToken(char* serial, char* token);
-bool findTokenDirectory(std::string basedir, std::string& tokendir, char* serial, char* label);
+bool findTokenDirectory(std::string basedir, std::string& tokendir, int umask, char* serial, char* label);
 bool rmdir(std::string path);
 bool rm(std::string path);
 int showSlots();

diff --git a/src/lib/SoftHSM.cpp b/src/lib/SoftHSM.cpp
@@ -545,7 +545,8 @@ CK_RV SoftHSM::C_Initialize(CK_VOID_PTR pInitArgs)
  sessionObjectStore = new SessionObjectStore();
 
  // Load the object store
- objectStore = new ObjectStore(Configuration::i()->getString("directories.tokendir", DEFAULT_TOKENDIR));
+ objectStore = new ObjectStore(Configuration::i()->getString("directories.tokendir", DEFAULT_TOKENDIR),
+ Configuration::i()->getInt("objectstore.umask", DEFAULT_UMASK));
  if (!objectStore->isValid())
  {
  WARNING_MSG("Could not load the object store");

diff --git a/src/lib/common/Configuration.cpp b/src/lib/common/Configuration.cpp
@@ -46,6 +46,7 @@ std::auto_ptr<Configuration> Configuration::instance(NULL);
 const struct config Configuration::valid_config[] = {
  { "directories.tokendir", CONFIG_TYPE_STRING },
  { "objectstore.backend", CONFIG_TYPE_STRING },
+ { "objectstore.umask", CONFIG_TYPE_INT_OCTAL },
  { "log.level", CONFIG_TYPE_STRING },
  { "slots.removable", CONFIG_TYPE_BOOL },
  { "slots.mechanisms", CONFIG_TYPE_STRING },
@@ -107,7 +108,14 @@ int Configuration::getInt(std::string key, int ifEmpty /* = 0 */)
  }
  else
  {
- WARNING_MSG("Missing %s in configuration. Using default value: %i", key.c_str(), ifEmpty);
+ if (getType(key) == CONFIG_TYPE_INT_OCTAL)
+ {
+ WARNING_MSG("Missing %s in configuration. Using default value: 0%o", key.c_str(), ifEmpty);
+ }
+ else
+ {
+ WARNING_MSG("Missing %s in configuration. Using default value: %i", key.c_str(), ifEmpty);
+ }
  return ifEmpty;
  }
 }

diff --git a/src/lib/common/Configuration.h b/src/lib/common/Configuration.h
@@ -43,6 +43,7 @@ enum
  CONFIG_TYPE_UNSUPPORTED,
  CONFIG_TYPE_STRING,
  CONFIG_TYPE_INT,
+ CONFIG_TYPE_INT_OCTAL,
  CONFIG_TYPE_BOOL
 };
 

diff --git a/src/lib/common/SimpleConfigLoader.cpp b/src/lib/common/SimpleConfigLoader.cpp
@@ -155,6 +155,9 @@ bool SimpleConfigLoader::loadConfiguration()
  case CONFIG_TYPE_INT:
  Configuration::i()->setInt(stringName, atoi(stringValue.c_str()));
  break;
+ case CONFIG_TYPE_INT_OCTAL:
+ Configuration::i()->setInt(stringName, strtol(stringValue.c_str(), NULL, 8));
+ break;
  case CONFIG_TYPE_BOOL:
  bool boolValue;
  if (string2bool(stringValue, &boolValue))

diff --git a/src/lib/common/softhsm2.conf.5.in b/src/lib/common/softhsm2.conf.5.in
@@ -46,6 +46,16 @@ objectstore.backend = file
 .fi
 .RE
 .LP
+.SH OBJECTSTORE.UMASK
+The file mode creation mask used by SoftHSM when creating files or directories. This value is in octal.
+This is applied in addition to the process umask and cannot override it.
+.LP
+.RS
+.nf
+objectstore.umask = 0077
+.fi
+.RE
+.LP
 .SH LOG.LEVEL
 The log level which can be set to ERROR, WARNING, INFO or DEBUG.
 .LP

diff --git a/src/lib/common/softhsm2.conf.in b/src/lib/common/softhsm2.conf.in
@@ -2,6 +2,7 @@
 
 directories.tokendir = @softhsmtokendir@
 objectstore.backend = file
+objectstore.umask = 0077
 
 # ERROR, WARNING, INFO, DEBUG
 log.level = ERROR

diff --git a/src/lib/object_store/DB.cpp b/src/lib/object_store/DB.cpp
@@ -704,7 +704,7 @@ bool DB::Result::nextRow()
  * Connection
  **************************/
 
-DB::Connection *DB::Connection::Create(const std::string &dbdir, const std::string &dbname)
+DB::Connection *DB::Connection::Create(const std::string &dbdir, const std::string &dbname, int umask)
 {
  if (dbdir.length() == 0) {
  DB::logError("Connection::Create: database directory parameter dbdir is empty");
@@ -716,13 +716,14 @@ DB::Connection *DB::Connection::Create(const std::string &dbdir, const std::stri
  return NULL;
  }
 
- return new Connection(dbdir,dbname);
+ return new Connection(dbdir, dbname, umask);
 }
 
-DB::Connection::Connection(const std::string &dbdir, const std::string &dbname)
+DB::Connection::Connection(const std::string &dbdir, const std::string &dbname, int umask)
  : _dbdir(dbdir)
  , _dbpath(dbdir + OS_PATHSEP + dbname)
  , _db(NULL)
+ , _umask(umask)
 {
 }
 
@@ -815,7 +816,7 @@ bool DB::Connection::connect(const char *
  )
 {
  // Create and set file permissions if the DB does not exist.
- int fd = open(_dbpath.c_str(), O_CREAT, S_IRUSR | S_IWUSR);
+ int fd = open(_dbpath.c_str(), O_CREAT, (S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH) & ~_umask);
  if (fd == -1)
  {
  DB::logError("Could not open database: %s (errno %i)",

diff --git a/src/lib/object_store/DB.h b/src/lib/object_store/DB.h
@@ -144,7 +144,7 @@ class Result : public Statement {
 // Responsible for connection to the database and for managing prepared statements.
 class Connection {
 public:
- static Connection *Create(const std::string &dbdir, const std::string &dbname);
+ static Connection *Create(const std::string &dbdir, const std::string &dbname, int umask);
  virtual ~Connection();
 
  // value that was passed into dbdir when this connection was created.
@@ -176,8 +176,9 @@ class Connection {
  std::string _dbdir;
  std::string _dbpath;
  sqlite3 *_db;
+ int _umask;
 
- Connection(const std::string &dbdir, const std::string &dbname);
+ Connection(const std::string &dbdir, const std::string &dbname, int umask);
 
  // disable evil constructors
  Connection(const Connection &);

diff --git a/src/lib/object_store/DBToken.cpp b/src/lib/object_store/DBToken.cpp
@@ -59,7 +59,7 @@ const char * const DBTOKEN_FILE = "sqlite3.db";
 const long long DBTOKEN_OBJECT_TOKENINFO = 1;
 
 // Constructor for creating a new token.
-DBToken::DBToken(const std::string &baseDir, const std::string &tokenName, const ByteString &label, const ByteString &serial)
+DBToken::DBToken(const std::string &baseDir, const std::string &tokenName, int umask, const ByteString &label, const ByteString &serial)
  : _connection(NULL), _tokenMutex(NULL)
 {
  std::string tokenDir = baseDir + OS_PATHSEP + tokenName;
@@ -75,7 +75,11 @@ DBToken::DBToken(const std::string &baseDir, const std::string &tokenName, const
  }
 
  // First create the directory for the token, we expect basePath to already exist
- if (mkdir(tokenDir.c_str(), S_IFDIR | S_IRWXU))
+#ifndef _WIN32
+ if (::mkdir(tokenDir.c_str(), S_IFDIR | ((S_IRWXU | S_IRWXG | S_IRWXO) & ~umask)))
+#else
+ if (_mkdir(tokenDir.c_str()))
+#endif
  {
  // Allow the directory to exists already.
  if (errno != EEXIST)
@@ -86,7 +90,7 @@ DBToken::DBToken(const std::string &baseDir, const std::string &tokenName, const
  }
 
  // Create
- _connection = DB::Connection::Create(tokenDir, DBTOKEN_FILE);
+ _connection = DB::Connection::Create(tokenDir, DBTOKEN_FILE, umask);
  if (_connection == NULL)
  {
  ERROR_MSG("Failed to create a database connection for \"%s\"", tokenPath.c_str());
@@ -166,7 +170,7 @@ DBToken::DBToken(const std::string &baseDir, const std::string &tokenName, const
 }
 
 // Constructor for accessing an existing token.
-DBToken::DBToken(const std::string &baseDir, const std::string &tokenName)
+DBToken::DBToken(const std::string &baseDir, const std::string &tokenName, int umask)
  : _connection(NULL), _tokenMutex(NULL)
 {
  std::string tokenDir = baseDir + OS_PATHSEP + tokenName;
@@ -182,7 +186,7 @@ DBToken::DBToken(const std::string &baseDir, const std::string &tokenName)
  fclose(f);
 
  // Create a database connection.
- _connection = DB::Connection::Create(tokenDir, DBTOKEN_FILE);
+ _connection = DB::Connection::Create(tokenDir, DBTOKEN_FILE, umask);
  if (_connection == NULL)
  {
  ERROR_MSG("Failed to create a database connection for \"%s\"", tokenPath.c_str());
@@ -220,7 +224,7 @@ DBToken::DBToken(const std::string &baseDir, const std::string &tokenName)
  // Success!
 }
 
-DBToken *DBToken::createToken(const std::string basePath, const std::string tokenDir, const ByteString &label, const ByteString &serial)
+DBToken *DBToken::createToken(const std::string basePath, const std::string tokenDir, int umask, const ByteString &label, const ByteString &serial)
 {
  Directory baseDir(basePath);
 
@@ -230,12 +234,12 @@ DBToken *DBToken::createToken(const std::string basePath, const std::string toke
  }
 
  // Create the token directory
- if (!baseDir.mkdir(tokenDir))
+ if (!baseDir.mkdir(tokenDir, umask))
  {
  return NULL;
  }
 
- DBToken *token = new DBToken(basePath, tokenDir, label, serial);
+ DBToken *token = new DBToken(basePath, tokenDir, umask, label, serial);
  if (!token->isValid())
  {
  baseDir.rmdir(tokenDir);
@@ -249,9 +253,9 @@ DBToken *DBToken::createToken(const std::string basePath, const std::string toke
  return token;
 }
 
-DBToken *DBToken::accessToken(const std::string &basePath, const std::string &tokenDir)
+DBToken *DBToken::accessToken(const std::string &basePath, const std::string &tokenDir, int umask)
 {
- return new DBToken(basePath, tokenDir);
+ return new DBToken(basePath, tokenDir, umask);
 }
 
 // Destructor

diff --git a/src/lib/object_store/DBToken.h b/src/lib/object_store/DBToken.h
@@ -53,16 +53,16 @@ class DBToken : public ObjectStoreToken
 {
 public:
  // Constructor to create a new token
- DBToken(const std::string &baseDir, const std::string &tokenName, const ByteString& label, const ByteString& serial);
+ DBToken(const std::string &baseDir, const std::string &tokenName, int umask, const ByteString& label, const ByteString& serial);
 
  // Constructor to access an existing token
- DBToken(const std::string &baseDir, const std::string &tokenName);
+ DBToken(const std::string &baseDir, const std::string &tokenName, int umask);
 
  // Create a new token
- static DBToken* createToken(const std::string basePath, const std::string tokenDir, const ByteString& label, const ByteString& serial);
+ static DBToken* createToken(const std::string basePath, const std::string tokenDir, int umask, const ByteString& label, const ByteString& serial);
 
  // Access an existing token
- static DBToken* accessToken(const std::string &basePath, const std::string &tokenDir);
+ static DBToken* accessToken(const std::string &basePath, const std::string &tokenDir, int umask);
 
  // Destructor
  virtual ~DBToken();

diff --git a/src/lib/object_store/Directory.cpp b/src/lib/object_store/Directory.cpp
@@ -222,12 +222,12 @@ bool Directory::refresh()
 }
 
 // Create a new subdirectory
-bool Directory::mkdir(std::string name)
+bool Directory::mkdir(std::string name, int umask)
 {
  std::string fullPath = path + OS_PATHSEP + name;
 
 #ifndef _WIN32
- int rv = ::mkdir(fullPath.c_str(), S_IFDIR | S_IRWXU);
+ int rv = ::mkdir(fullPath.c_str(), S_IFDIR | ((S_IRWXU | S_IRWXG | S_IRWXO) & ~umask));
 #else
  int rv = _mkdir(fullPath.c_str());
 #endif

diff --git a/src/lib/object_store/Directory.h b/src/lib/object_store/Directory.h
@@ -60,7 +60,7 @@ class Directory
  bool refresh();
 
  // Create a new subdirectory
- bool mkdir(std::string name);
+ bool mkdir(std::string name, int umask);
 
  // Delete a subdirectory in the directory
  bool rmdir(std::string name, bool doRefresh = false);

diff --git a/src/lib/object_store/File.cpp b/src/lib/object_store/File.cpp
@@ -64,7 +64,7 @@ enum AttributeKind {
 //
 // N.B.: the create flag only has a function when a file is opened read/write
 // N.B.: the truncate flag only has a function when the create one is true
-File::File(std::string inPath, bool forRead /* = true */, bool forWrite /* = false */, bool create /* = false */, bool truncate /* = true */)
+File::File(std::string inPath, int umask, bool forRead /* = true */, bool forWrite /* = false */, bool create /* = false */, bool truncate /* = true */)
 {
  stream = NULL;
 
@@ -88,7 +88,7 @@ File::File(std::string inPath, bool forRead /* = true */, bool forWrite /* = fal
  if (forRead && forWrite && create) flags |= O_CREAT;
  if (forRead && forWrite && create && truncate) flags |= O_TRUNC;
  // Open the file
- fd = open(path.c_str(), flags, 0600);
+ fd = open(path.c_str(), flags, (S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH) & ~umask);
  if (fd == -1)
  {
  ERROR_MSG("Could not open the file (%s): %s", strerror(errno), path.c_str());

diff --git a/src/lib/object_store/File.h b/src/lib/object_store/File.h
@@ -42,7 +42,7 @@ class File
 {
 public:
  // Constructor
- File(std::string inPath, bool forRead = true, bool forWrite = false, bool create = false, bool truncate = true);
+ File(std::string inPath, int umask, bool forRead = true, bool forWrite = false, bool create = false, bool truncate = true);
 
  // Destructor
  virtual ~File();

diff --git a/src/lib/object_store/Generation.cpp b/src/lib/object_store/Generation.cpp
@@ -35,9 +35,9 @@
 #include "Generation.h"
 
 // Factory
-Generation* Generation::create(const std::string path, bool isToken /* = false */)
+Generation* Generation::create(const std::string path, int umask, bool isToken /* = false */)
 {
- Generation* gen = new Generation(path, isToken);
+ Generation* gen = new Generation(path, umask, isToken);
  if ((gen != NULL) && isToken && (gen->genMutex == NULL))
  {
  delete gen;
@@ -92,7 +92,7 @@ bool Generation::wasUpdated()
  {
  MutexLocker lock(genMutex);
 
- File genFile(path);
+ File genFile(path, umask);
 
  if (!genFile.isValid())
  {
@@ -118,7 +118,7 @@ bool Generation::wasUpdated()
  }
  else
  {
- File objectFile(path);
+ File objectFile(path, umask);
 
  if (!objectFile.isValid())
  {
@@ -151,7 +151,7 @@ void Generation::commit()
  {
  MutexLocker lock(genMutex);
 
- File genFile(path, true, true, true, false);
+ File genFile(path, umask, true, true, true, false);
 
  if (!genFile.isValid())
  {
@@ -241,9 +241,10 @@ void Generation::rollback()
 }
 
 // Constructor
-Generation::Generation(const std::string inPath, bool inIsToken)
+Generation::Generation(const std::string inPath, int inUmask, bool inIsToken)
 {
  path = inPath;
+ umask = inUmask;
  isToken = inIsToken;
  pendingUpdate = false;
  currentValue = 0;