Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
f10cb295
Commit
f10cb295
authored
Jun 05, 2024
by
Harrison Affel
Committed by
Brad Davidson
Jun 07, 2024
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
fix typo, use rancher/permissions
Signed-off-by:
Harrison Affel
<
harrisonaffel@gmail.com
>
parent
c0450a2c
Show whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
9 additions
and
172 deletions
+9
-172
go.mod
go.mod
+1
-0
go.sum
go.sum
+2
-2
config.go
pkg/agent/config/config.go
+1
-1
config_windows.go
pkg/agent/config/config_windows.go
+5
-3
acl_windows.go
pkg/agent/util/acl/acl_windows.go
+0
-166
No files found.
go.mod
View file @
f10cb295
...
...
@@ -123,6 +123,7 @@ require (
github.com/prometheus/common v0.49.0
github.com/rancher/dynamiclistener v0.6.0-rc1
github.com/rancher/lasso v0.0.0-20240430201833-6f3def65ffc5
github.com/rancher/permissions v0.0.0-20240523180510-4001d3d637f7
github.com/rancher/remotedialer v0.3.0
github.com/rancher/wharfie v0.6.4
github.com/rancher/wrangler/v3 v3.0.0-rc2
...
...
go.sum
View file @
f10cb295
...
...
@@ -252,8 +252,6 @@ github.com/Microsoft/go-winio v0.6.0/go.mod h1:cTAf44im0RAYeL23bpB+fzCyDH2MJiz2B
github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
github.com/Microsoft/hcsshim v0.11.0 h1:7EFNIY4igHEXUdj1zXgAyU3fLc7QfOKHbkldRVTBdiM=
github.com/Microsoft/hcsshim v0.11.0/go.mod h1:OEthFdQv/AD2RAdzR6Mm1N1KPCztGKDurW1Z8b8VGMM=
github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
...
...
@@ -1405,6 +1403,8 @@ github.com/rancher/dynamiclistener v0.6.0-rc1 h1:Emwf9o7PMLdQNv4lvFx7xJKxDuDa4Y6
github.com/rancher/dynamiclistener v0.6.0-rc1/go.mod h1:BIPgJ8xFSUyuTyGvRMVt++S1qjD3+7Ptvq1TXl6hcTM=
github.com/rancher/lasso v0.0.0-20240430201833-6f3def65ffc5 h1:6K4RhfmCy7uxaw9OzCljNLfFcgD/q7SeF+/2gCQ3Tvw=
github.com/rancher/lasso v0.0.0-20240430201833-6f3def65ffc5/go.mod h1:7WkdfPEvWAdnHVioMUkhpZkshJzjDY62ocHVhcbw89M=
github.com/rancher/permissions v0.0.0-20240523180510-4001d3d637f7 h1:0Kg2SGoMeU1ll4xPi4DE0+qNHLFO/U5MwtK0WrIdK+o=
github.com/rancher/permissions v0.0.0-20240523180510-4001d3d637f7/go.mod h1:fsbs0YOsGn1ofPD5p+BuI4qDhbMbSJtTegKt6Ucna+c=
github.com/rancher/remotedialer v0.3.0 h1:y1EO8JCsgZo0RcqTUp6U8FXcBAv27R+TLnWRcpvX1sM=
github.com/rancher/remotedialer v0.3.0/go.mod h1:BwwztuvViX2JrLLUwDlsYt5DiyUwHLlzynRwkZLAY0Q=
github.com/rancher/wharfie v0.6.4 h1:JwYB+q661n8ut/ysgsjKe0P0z6bHCCFoC+29995ME90=
...
...
pkg/agent/config/config.go
View file @
f10cb295
...
...
@@ -205,7 +205,7 @@ func ensureNodePassword(nodePasswordFile string) (string, error) {
return
nodePassword
,
err
}
if
err
=
configureACL
(
nodePassword
);
err
!=
nil
{
if
err
=
configureACL
(
nodePassword
File
);
err
!=
nil
{
return
nodePassword
,
err
}
...
...
pkg/agent/config/config_windows.go
View file @
f10cb295
...
...
@@ -6,10 +6,12 @@ package config
import
(
"path/filepath"
"github.com/k3s-io/k3s/pkg/agent/util/acl"
"github.com/k3s-io/k3s/pkg/cli/cmds"
"github.com/k3s-io/k3s/pkg/daemons/config"
"github.com/pkg/errors"
"github.com/rancher/permissions/pkg/access"
"github.com/rancher/permissions/pkg/acl"
"github.com/rancher/permissions/pkg/sid"
"golang.org/x/sys/windows"
)
...
...
@@ -33,8 +35,8 @@ func configureACL(file string) error {
// as the owner and current user group as the allowed group
// additionally, we define a DACL to permit access to the file to the local system and all administrators
if
err
:=
acl
.
Apply
(
file
,
nil
,
nil
,
[]
windows
.
EXPLICIT_ACCESS
{
ac
l
.
GrantSid
(
windows
.
GENERIC_ALL
,
acl
.
LocalSystemSID
()),
ac
l
.
GrantSid
(
windows
.
GENERIC_ALL
,
acl
.
BuiltinAdministratorsSID
()),
ac
cess
.
GrantSid
(
windows
.
GENERIC_ALL
,
sid
.
LocalSystem
()),
ac
cess
.
GrantSid
(
windows
.
GENERIC_ALL
,
sid
.
BuiltinAdministrators
()),
}
...
);
err
!=
nil
{
return
errors
.
Wrapf
(
err
,
"failed to configure Access Control List For %s"
,
file
)
}
...
...
pkg/agent/util/acl/acl_windows.go
deleted
100644 → 0
View file @
c0450a2c
//go:build windows
// +build windows
package
acl
import
(
"fmt"
"golang.org/x/sys/windows"
"unsafe"
)
// TODO: Remove in favor of the rancher/permissions repository once that is setup
func
BuiltinAdministratorsSID
()
*
windows
.
SID
{
return
mustGetSid
(
windows
.
WinBuiltinAdministratorsSid
)
}
func
LocalSystemSID
()
*
windows
.
SID
{
return
mustGetSid
(
windows
.
WinLocalSystemSid
)
}
func
mustGetSid
(
sidType
windows
.
WELL_KNOWN_SID_TYPE
)
*
windows
.
SID
{
sid
,
err
:=
windows
.
CreateWellKnownSid
(
sidType
)
if
err
!=
nil
{
panic
(
err
)
}
return
sid
}
// GrantSid creates an EXPLICIT_ACCESS instance granting permissions to the provided SID.
func
GrantSid
(
accessPermissions
windows
.
ACCESS_MASK
,
sid
*
windows
.
SID
)
windows
.
EXPLICIT_ACCESS
{
return
windows
.
EXPLICIT_ACCESS
{
AccessPermissions
:
accessPermissions
,
AccessMode
:
windows
.
GRANT_ACCESS
,
Inheritance
:
windows
.
SUB_CONTAINERS_AND_OBJECTS_INHERIT
,
Trustee
:
windows
.
TRUSTEE
{
TrusteeForm
:
windows
.
TRUSTEE_IS_SID
,
TrusteeValue
:
windows
.
TrusteeValueFromSID
(
sid
),
},
}
}
// Apply performs both Chmod and Chown at the same time, where the filemode's owner and group will correspond to
// the provided owner and group (or the current owner and group, if they are set to nil)
func
Apply
(
path
string
,
owner
*
windows
.
SID
,
group
*
windows
.
SID
,
access
...
windows
.
EXPLICIT_ACCESS
)
error
{
if
path
==
""
{
return
fmt
.
Errorf
(
"path cannot be empty"
)
}
return
apply
(
path
,
owner
,
group
,
access
...
)
}
// apply performs a Chmod (if owner and group are provided) and sets a custom ACL based on the provided EXPLICIT_ACCESS rules
// To create EXPLICIT_ACCESS rules, see the helper functions in pkg/access
func
apply
(
path
string
,
owner
*
windows
.
SID
,
group
*
windows
.
SID
,
access
...
windows
.
EXPLICIT_ACCESS
)
error
{
// assemble arguments
args
:=
securityArgs
{
path
:
path
,
owner
:
owner
,
group
:
group
,
access
:
access
,
}
securityInfo
:=
args
.
ToSecurityInfo
()
if
securityInfo
==
0
{
// nothing to change
return
nil
}
dacl
,
err
:=
args
.
ToDACL
()
if
err
!=
nil
{
return
err
}
return
windows
.
SetNamedSecurityInfo
(
path
,
windows
.
SE_FILE_OBJECT
,
securityInfo
,
owner
,
group
,
dacl
,
nil
,
)
}
type
securityArgs
struct
{
path
string
owner
*
windows
.
SID
group
*
windows
.
SID
access
[]
windows
.
EXPLICIT_ACCESS
}
func
(
a
*
securityArgs
)
ToSecurityInfo
()
windows
.
SECURITY_INFORMATION
{
var
securityInfo
windows
.
SECURITY_INFORMATION
if
a
.
owner
!=
nil
{
// override owner
securityInfo
|=
windows
.
OWNER_SECURITY_INFORMATION
}
if
a
.
group
!=
nil
{
// override group
securityInfo
|=
windows
.
GROUP_SECURITY_INFORMATION
}
if
len
(
a
.
access
)
!=
0
{
// override DACL
securityInfo
|=
windows
.
DACL_SECURITY_INFORMATION
securityInfo
|=
windows
.
PROTECTED_DACL_SECURITY_INFORMATION
}
return
securityInfo
}
func
(
a
*
securityArgs
)
ToSecurityAttributes
()
(
*
windows
.
SecurityAttributes
,
error
)
{
// define empty security descriptor
sd
,
err
:=
windows
.
NewSecurityDescriptor
()
if
err
!=
nil
{
return
nil
,
err
}
err
=
sd
.
SetOwner
(
a
.
owner
,
false
)
if
err
!=
nil
{
return
nil
,
err
}
err
=
sd
.
SetGroup
(
a
.
group
,
false
)
if
err
!=
nil
{
return
nil
,
err
}
// define security attributes using descriptor
var
sa
windows
.
SecurityAttributes
sa
.
Length
=
uint32
(
unsafe
.
Sizeof
(
sa
))
sa
.
SecurityDescriptor
=
sd
if
len
(
a
.
access
)
==
0
{
// security attribute should simply inherit parent rules
sa
.
InheritHandle
=
1
return
&
sa
,
nil
}
// apply provided access rules to the DACL
dacl
,
err
:=
a
.
ToDACL
()
if
err
!=
nil
{
return
nil
,
err
}
err
=
sd
.
SetDACL
(
dacl
,
true
,
false
)
if
err
!=
nil
{
return
nil
,
err
}
// set the protected DACL flag to prevent the DACL of the security descriptor from being modified by inheritable ACEs
// (i.e. prevent parent folders from modifying this ACL)
err
=
sd
.
SetControl
(
windows
.
SE_DACL_PROTECTED
,
windows
.
SE_DACL_PROTECTED
)
if
err
!=
nil
{
return
nil
,
err
}
return
&
sa
,
nil
}
func
(
a
*
securityArgs
)
ToDACL
()
(
*
windows
.
ACL
,
error
)
{
if
len
(
a
.
access
)
==
0
{
// No rules were specified
return
nil
,
nil
}
return
windows
.
ACLFromEntries
(
a
.
access
,
nil
)
}
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment