diff --git a/orbit/changes/11218-nudge-config-permissinos b/orbit/changes/11218-nudge-config-permissinos new file mode 100644 index 0000000000..f22364b548 --- /dev/null +++ b/orbit/changes/11218-nudge-config-permissinos @@ -0,0 +1 @@ +* Fixed an issue preventing Nudge to read the configuration file delivered by Fleet on some installations. This only affects you if Nudge was enabled and configured on a host using Orbit v1.8.0 diff --git a/orbit/pkg/update/nudge.go b/orbit/pkg/update/nudge.go index 32f82e95ac..a45e1fe255 100644 --- a/orbit/pkg/update/nudge.go +++ b/orbit/pkg/update/nudge.go @@ -17,6 +17,7 @@ import ( ) const nudgeConfigFile = "nudge-config.json" +const nudgeConfigFileMode = os.FileMode(constant.DefaultWorldReadableFileMode) // NudgeConfigFetcher is a kind of middleware that wraps an OrbitConfigFetcher and a Runner. // It checks the config supplied by the wrapped OrbitConfigFetcher to detects whether the Fleet @@ -135,6 +136,17 @@ func (n *NudgeConfigFetcher) configure(nudgeCfg fleet.NudgeConfig) error { return err } + // ensure the config file has the right permissions, a call to + // WriteFile preserves existing permissions if the file already exists, + // and previous versions of orbit set the permissions of this file to + // constant.DefaultFileMode. + if fileInfo.Mode() != nudgeConfigFileMode { + log.Info().Msgf("%s config file had wrong permissions (%v) setting permissions to %v", cfgFile, fileInfo.Mode(), nudgeConfigFileMode) + if err := os.Chmod(cfgFile, nudgeConfigFileMode); err != nil { + return fmt.Errorf("ensuring permissions of config file, chmod %q: %w", cfgFile, err) + } + } + // this not only an optimization, but mostly a safeguard: if the file // has been tampered and contains very large contents, we don't // want to load them into memory. diff --git a/orbit/pkg/update/nudge_test.go b/orbit/pkg/update/nudge_test.go index 0a6e09e24b..16ac27d684 100644 --- a/orbit/pkg/update/nudge_test.go +++ b/orbit/pkg/update/nudge_test.go @@ -7,6 +7,7 @@ import ( "testing" "time" + "github.com/fleetdm/fleet/v4/orbit/pkg/constant" "github.com/fleetdm/fleet/v4/server/fleet" "github.com/stretchr/testify/require" "github.com/stretchr/testify/suite" @@ -45,6 +46,7 @@ func (s *nudgeTestSuite) TestNudgeConfigFetcherAddNudge() { Interval: interval, runNudgeFn: runNudgeFn, }) + configPath := filepath.Join(tmpDir, nudgeConfigFile) // nudge is not added to targets if nudge config is not present cfg.NudgeConfig = nil @@ -105,7 +107,7 @@ func (s *nudgeTestSuite) TestNudgeConfigFetcherAddNudge() { gotCfg, err = f.GetConfig() require.NoError(t, err) require.Equal(t, cfg, gotCfg) - configBytes, err := os.ReadFile(filepath.Join(tmpDir, nudgeConfigFile)) + configBytes, err := os.ReadFile(configPath) require.NoError(t, err) var savedConfig fleet.NudgeConfig err = json.Unmarshal(configBytes, &savedConfig) @@ -117,7 +119,24 @@ func (s *nudgeTestSuite) TestNudgeConfigFetcherAddNudge() { gotCfg, err = f.GetConfig() require.NoError(t, err) require.Equal(t, cfg, gotCfg) - configBytes, err = os.ReadFile(filepath.Join(tmpDir, nudgeConfigFile)) + configBytes, err = os.ReadFile(configPath) + require.NoError(t, err) + savedConfig = fleet.NudgeConfig{} + err = json.Unmarshal(configBytes, &savedConfig) + require.NoError(t, err) + require.Equal(t, cfg.NudgeConfig, &savedConfig) + + // config permissions are always validated and set to the right value + err = os.Chmod(configPath, constant.DefaultFileMode) + require.NoError(t, err) + gotCfg, err = f.GetConfig() + require.NoError(t, err) + require.Equal(t, cfg, gotCfg) + fileInfo, err := os.Stat(configPath) + require.NoError(t, err) + require.Equal(t, fileInfo.Mode(), nudgeConfigFileMode) + + configBytes, err = os.ReadFile(configPath) require.NoError(t, err) savedConfig = fleet.NudgeConfig{} err = json.Unmarshal(configBytes, &savedConfig)