From d97c4972f3edea74075fdab081384982f1162ef4 Mon Sep 17 00:00:00 2001 From: Zach Wasserman Date: Wed, 17 Feb 2021 16:22:27 -0800 Subject: [PATCH] Allow enroll secret to read from file This is needed to be able to secure the enroll secret while maintaining standard file permissions for the macOS launchd plist. Also moves the default directory from /var/lib/fleet/orbit to /var/lib/orbit. --- cmd/orbit/orbit.go | 28 ++++++++++++++++++++++++++-- go.mod | 1 - pkg/packaging/deb.go | 8 ++++---- pkg/packaging/macos.go | 25 +++++++++++++++++++------ pkg/packaging/macos_templates.go | 6 +++--- pkg/update/update.go | 2 +- 6 files changed, 53 insertions(+), 17 deletions(-) diff --git a/cmd/orbit/orbit.go b/cmd/orbit/orbit.go index eb31e759ba..d9f39eb693 100644 --- a/cmd/orbit/orbit.go +++ b/cmd/orbit/orbit.go @@ -6,6 +6,7 @@ import ( "io/ioutil" "os" "path/filepath" + "strings" "time" "github.com/fleetdm/orbit/pkg/constant" @@ -24,7 +25,7 @@ import ( const ( tufURL = "https://tuf.fleetctl.com" certPath = "/tmp/fleet.pem" - defaultRootDir = "/var/lib/fleet/orbit" + defaultRootDir = "/var/lib/orbit" ) func main() { @@ -67,6 +68,11 @@ func main() { Usage: "Enroll secret for authenticating to Fleet server", EnvVars: []string{"ORBIT_ENROLL_SECRET"}, }, + &cli.StringFlag{ + Name: "enroll-secret-path", + Usage: "Path to file containing enroll secret", + EnvVars: []string{"ORBIT_ENROLL_SECRET_PATH"}, + }, &cli.StringFlag{ Name: "osquery-version", Usage: "Version of osquery to use", 
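Review bot: The new `enroll-secret-path` flag's Usage string does not mention that it is mutually exclusive with `enroll-secret`, although the commit rejects the combination at startup, so an operator only learns of the conflict from a runtime error. Consider `Usage: "Path to file containing enroll secret (mutually exclusive with --enroll-secret)"`, and the same note on the `ORBIT_ENROLL_SECRET_PATH` environment form if the README documents the env vars. The flag definitions sit inside `main`, whose body continues outside this hunk.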
@@ -84,6 +90,19 @@ func main() { zerolog.SetGlobalLevel(zerolog.DebugLevel) } + if c.String("enroll-secret-path") != "" { + if c.String("enroll-secret") != "" { + return errors.New("enroll-secret and enroll-secret-path may not be specified together") + } + + b, err := ioutil.ReadFile(c.String("enroll-secret-path")) + if err != nil { + return errors.Wrap(err, "read enroll secret file") + } + + c.Set("enroll-secret", strings.TrimSpace(string(b))) + } + if err := os.MkdirAll(c.String("root-dir"), constant.DefaultDirMode); err != nil { return errors.Wrap(err, "initialize root dir") } @@ -164,7 +183,8 @@ func main() { ) } - if enrollSecret := c.String("enroll-secret"); enrollSecret != "" { + enrollSecret := c.String("enroll-secret") + if enrollSecret != "" { options = append(options, osquery.WithEnv([]string{"ENROLL_SECRET=" + enrollSecret}), osquery.WithFlags([]string{"--enroll_secret_env", "ENROLL_SECRET"}), @@ -172,6 +192,10 @@ func main() { } if fleetURL != "" { + if enrollSecret == "" { + return errors.New("enroll secret must be specified to connect to Fleet server") + } + options = append(options, osquery.WithFlags(osquery.FleetFlags(fleetURL)), ) diff --git a/go.mod b/go.mod index 18e032ced4..27bad1d963 100644 --- a/go.mod +++ b/go.mod @@ -13,7 +13,6 @@ require ( github.com/rs/zerolog v1.20.0 github.com/stretchr/testify v1.6.1 github.com/theupdateframework/go-tuf v0.0.0-20201230183259-aee6270feb55 - github.com/urfave/cli v1.22.5 github.com/urfave/cli/v2 v2.3.0 golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad // indirect ) diff --git a/pkg/packaging/deb.go b/pkg/packaging/deb.go index 13b09bc0c5..d2b600cf6e 100644 --- a/pkg/packaging/deb.go +++ b/pkg/packaging/deb.go 
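Review bot: The error returned by `c.Set("enroll-secret", ...)` is discarded, so if the flag set refuses the value the secret silently stays empty and only surfaces later as the generic "enroll secret must be specified" error, or not at all when no fleet-url is given. Check it: `if err := c.Set("enroll-secret", strings.TrimSpace(string(b))); err != nil { return errors.Wrap(err, "set enroll secret") }`. Since the whole point of the file is to keep the secret out of world-readable configuration, it would also be worth an `os.Stat` on the path and a warning (or refusal) when `info.Mode().Perm()&0077 != 0`, because the file is currently read regardless of its mode. This code lives in `main`, which starts and ends outside the hunk.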
@@ -31,7 +31,7 @@ func BuildDeb(opt Options) error {
 	if err := os.MkdirAll(filesystemRoot, constant.DefaultDirMode); err != nil {
 		return errors.Wrap(err, "create root dir")
 	}
-	orbitRoot := filepath.Join(filesystemRoot, "var", "lib", "fleet", "orbit")
+	orbitRoot := filepath.Join(filesystemRoot, "var", "lib", "orbit")
 	if err := os.MkdirAll(orbitRoot, constant.DefaultDirMode); err != nil {
 		return errors.Wrap(err, "create orbit dir")
 	}
@@ -85,13 +85,13 @@ func BuildDeb(opt Options) error {
 		},
 		&files.Content{
 			Source: "orbit",
-			Destination: "/var/lib/fleet/orbit/orbit",
+			Destination: "/var/lib/orbit/orbit",
 			FileInfo: &files.ContentFileInfo{
 				Mode: constant.DefaultExecutableMode,
 			},
 		},
 		&files.Content{
-			Source: "/var/lib/fleet/orbit/orbit",
+			Source: "/var/lib/orbit/orbit",
 			Destination: "/usr/local/bin/orbit",
 			Type: "symlink",
 			FileInfo: &files.ContentFileInfo{
@@ -122,7 +122,7 @@ func BuildDeb(opt Options) error {
 		Contents: contents,
 		EmptyFolders: []string{
 			"/var/log/osquery",
-			"/var/log/fleet/orbit",
+			"/var/log/orbit",
 		},
 		Scripts: nfpm.Scripts{
 			PostInstall: postInstallPath,
diff --git a/pkg/packaging/macos.go b/pkg/packaging/macos.go
index 59dcebb532..2481d55a0b 100644
--- a/pkg/packaging/macos.go
+++ b/pkg/packaging/macos.go
@@ -34,7 +34,7 @@ func BuildPkg(opt Options) error {
 	if err := os.MkdirAll(filesystemRoot, constant.DefaultDirMode); err != nil {
 		return errors.Wrap(err, "create root dir")
 	}
-	orbitRoot := filepath.Join(filesystemRoot, "var", "lib", "fleet", "orbit")
+	orbitRoot := filepath.Join(filesystemRoot, "var", "lib", "orbit")
 	if err := os.MkdirAll(orbitRoot, constant.DefaultDirMode); err != nil {
 		return errors.Wrap(err, "create orbit dir")
 	}
@@ -75,16 +75,15 @@ func BuildPkg(opt Options) error { if err := writeScripts(opt, tmpDir); err != nil { return errors.Wrap(err, "write postinstall") } + if err := writeSecret(opt, orbitRoot); err != nil { + return errors.Wrap(err, "write enroll secret") + } if opt.StartService { if err := writeLaunchd(opt, filesystemRoot); err != nil { return errors.Wrap(err, "write launchd") } } - if err := copyFile( - "./orbit", - filepath.Join(filesystemRoot, "var", "lib", "fleet", "orbit", "orbit"), - 0755, - ); err != nil { + if err := copyFile("./orbit", filepath.Join(orbitRoot, "orbit"), 0755); err != nil { return errors.Wrap(err, "write orbit") } @@ -155,6 +154,20 @@ func writeScripts(opt Options, rootPath string) error { return nil } +func writeSecret(opt Options, orbitRoot string) error { + // Enroll secret + path := filepath.Join(orbitRoot, "secret") + if err := os.MkdirAll(filepath.Dir(path), constant.DefaultDirMode); err != nil { + return errors.Wrap(err, "mkdir") + } + + if err := ioutil.WriteFile(path, []byte(opt.EnrollSecret), 0600); err != nil { + return errors.Wrap(err, "write file") + } + + return nil +} + func writeLaunchd(opt Options, rootPath string) error { // launchd is the service mechanism on macOS path := filepath.Join(rootPath, "Library", "LaunchDaemons", "com.fleetdm.orbit.plist") diff --git a/pkg/packaging/macos_templates.go b/pkg/packaging/macos_templates.go index c70b7fe8f3..8f656b4959 100644 --- a/pkg/packaging/macos_templates.go +++ b/pkg/packaging/macos_templates.go @@ -33,7 +33,7 @@ var macosDistributionTemplate = template.Must(template.New("").Option("missingke var macosPostinstallTemplate = template.Must(template.New("").Option("missingkey=error").Parse( `#!/bin/bash -ln -sf /var/lib/fleet/orbit/orbit /usr/local/bin/orbit +ln -sf /var/lib/orbit/orbit /usr/local/bin/orbit {{ if .StartService -}} launchctl stop com.fleetdm.orbit 
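Review bot: `writeSecret` is called unconditionally, so a package built without an enroll secret still ships an empty `/var/lib/orbit/secret`, while the launchd template only points `ORBIT_ENROLL_SECRET_PATH` at that file when `.EnrollSecret` is set. Guard the call the same way the template does: `if opt.EnrollSecret != "" { if err := writeSecret(opt, orbitRoot); err != nil { return errors.Wrap(err, "write enroll secret") } }`. `BuildPkg` starts and ends outside this hunk.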
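Review bot: `writeSecret` sets 0600 on the staged file, but that is the mode in the build tree; whether the installed `/var/lib/orbit/secret` keeps 0600 and root ownership depends on how the pkg is assembled (the pkgbuild invocation and its ownership options are not in this diff), so it is worth verifying on an installed host or pinning it in the postinstall script with `chmod 600 /var/lib/orbit/secret` and `chown root:wheel /var/lib/orbit/secret`. The secret is also now in the package payload in the clear, so the built .pkg has to be handled as a credential — not a regression, since it previously sat in the plist, but a header comment should say so. The `os.MkdirAll(filepath.Dir(path), ...)` is redundant because the caller already created `orbitRoot` at the top of `BuildPkg`. A doc comment such as `// writeSecret stages the enroll secret at <orbitRoot>/secret with mode 0600; the launchd plist points ORBIT_ENROLL_SECRET_PATH at the installed copy.` would document the contract between this function and the template.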
@@ -55,7 +55,7 @@ var macosLaunchdTemplate = template.Must(template.New("").Option("missingkey=err com.fleetdm.orbit ProgramArguments - /var/lib/fleet/orbit/orbit + /var/lib/orbit/orbit StandardOutPath /var/log/orbit/orbit.stdout.log @@ -65,7 +65,7 @@ var macosLaunchdTemplate = template.Must(template.New("").Option("missingkey=err {{ if .Insecure }}ORBIT_INSECUREtrue{{ end }} {{ if .FleetURL }}ORBIT_FLEET_URL{{.FleetURL}}{{ end }} - {{ if .EnrollSecret }}ORBIT_ENROLL_SECRET{{.EnrollSecret}}{{ end }} + {{ if .EnrollSecret }}ORBIT_ENROLL_SECRET_PATH/var/lib/orbit/secret{{ end }} KeepAlive RunAtLoad diff --git a/pkg/update/update.go b/pkg/update/update.go index f27c008464..c8e5ad216b 100644 --- a/pkg/update/update.go +++ b/pkg/update/update.go @@ -52,7 +52,7 @@ var ( // DefaultOptions are the default options to use when creating an update // client. DefaultOptions = Options{ - RootDirectory: "/var/fleet", + RootDirectory: "/var/lib/orbit", ServerURL: "https://tuf.fleetctl.com", LocalStore: client.MemoryLocalStore(), InsecureTransport: false,
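Review bot: The secret location is now spelled twice, as the literal `/var/lib/orbit/secret` in the launchd template and as `filepath.Join(orbitRoot, "secret")` in `writeSecret`, so the two can drift silently; a single package-level constant (e.g. `secretPath = "/var/lib/orbit/secret"`) passed into the template data would keep them in step. The plist now carries only the path rather than the value, which is the point of the change, but it hardcodes the default root dir, so an orbit launched with a non-default `--root-dir` is not reflected here. The rendering of this hunk has lost the plist's XML tags, so the exact lines could not be checked.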