fix: [sc-118372] /var/lib/embedded-cluster is not exec by other non-root user (#1729)

* apply chmod after mkdir for directories in --data-dir

* address code reviews

* add more dir

* update os.MkdirAll in all places

* potentially fix airgap upgrade job

* attempt setting umask 0077 in CI

* use bash to run umask

* remove e2e test in favor of future dryrun test

* set restrictive umask before running a dryrun test

* f

* test that this does not pass without new code

* properly set umask

* return to using new code

* octal prints, no new code

* reenable new code

* check all folders even after failure

* update test to match behavior

* set umask in root command

* return to os.MkdirAll

* printf debugging

* test without setting umask to 077 first

* check if the setting actually stuck

* call umask in each prerun function

* remove debug logs

* check that the kubectl-preflight binary has appropriate permissions

* set umask in main function, improve comments

---------

Co-authored-by: Andrew Lavery <[email protected]>

Author: nvanthao

cmd/installer/cli/install.go

@@ -10,6 +10,7 @@ import (
 	"runtime"
 	"sort"
 	"strings"
+	"syscall"
 	"time"
 
 	"github.com/gosimple/slug"
@@ -171,6 +172,10 @@ func preRunInstall(cmd *cobra.Command, flags *InstallCmdFlags) error {
 		return fmt.Errorf("install command must be run as root")
 	}
 
+	// set the umask to 022 so that we can create files/directories with 755 permissions
+	// this does not return an error - it returns the previous umask
+	_ = syscall.Umask(0o022)
+
 	p, err := parseProxyFlags(cmd)
 	if err != nil {
 		return err

cmd/installer/cli/join.go

@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"os"
 	"strings"
+	"syscall"
 
 	ecv1beta1 "github.com/replicatedhq/embedded-cluster/kinds/apis/v1beta1"
 	"github.com/replicatedhq/embedded-cluster/pkg/addons"
@@ -96,6 +97,10 @@ func preRunJoin(flags *JoinCmdFlags) error {
 
 	flags.isAirgap = flags.airgapBundle != ""
 
+	// set the umask to 022 so that we can create files/directories with 755 permissions
+	// this does not return an error - it returns the previous umask
+	_ = syscall.Umask(0o022)
+
 	return nil
 }
 

cmd/installer/cli/root.go

@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"os"
+	"syscall"
 
 	"github.com/replicatedhq/embedded-cluster/pkg/dryrun"
 	"github.com/replicatedhq/embedded-cluster/pkg/metrics"
@@ -68,6 +69,10 @@ func RootCmd(ctx context.Context, name string) *cobra.Command {
 				metrics.DisableMetrics()
 			}
 
+			// set the umask to 022 so that we can create files/directories with 755 permissions
+			// this does not return an error - it returns the previous umask
+			_ = syscall.Umask(0o022)
+
 			return nil
 		},
 		PersistentPostRunE: func(cmd *cobra.Command, args []string) error {

cmd/installer/main.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"os"
 	"path"
+	"syscall"
 
 	"github.com/mattn/go-isatty"
 	"github.com/replicatedhq/embedded-cluster/cmd/installer/cli"
@@ -19,5 +20,10 @@ func main() {
 
 	name := path.Base(os.Args[0])
 
+	// set the umask to 022 so that we can create files/directories with 755 permissions
+	// this does not return an error - it returns the previous umask
+	// we do this before calling cli.InitAndExecute so that it is set before the process forks
+	_ = syscall.Umask(0o022)
+
 	cli.InitAndExecute(ctx, name)
 }

cmd/local-artifact-mirror/main.go

@@ -19,6 +19,11 @@ func main() {
 
 	name := path.Base(os.Args[0])
 
+	// set the umask to 022 so that we can create files/directories with 755 permissions
+	// this does not return an error - it returns the previous umask
+	// we do this before calling cli.InitAndExecute so that it is set before the process forks
+	_ = syscall.Umask(0o022)
+
 	InitAndExecute(ctx, name)
 }
 

go.mod

@@ -1,6 +1,6 @@
 module github.com/replicatedhq/embedded-cluster
 
-go 1.23.2
+go 1.23.4
 
 require (
 	github.com/AlecAivazis/survey/v2 v2.3.7

operator/pkg/cli/upgrade_job.go

@@ -63,7 +63,7 @@ func UpgradeJobCmd() *cobra.Command {
 
 			airgapChartsPath := ""
 			if in.Spec.AirGap {
-				airgapChartsPath = runtimeconfig.EmbeddedClusterChartsSubDir()
+				airgapChartsPath = runtimeconfig.EmbeddedClusterChartsSubDirNoCreate()
 			}
 
 			hcli, err := helm.NewClient(helm.HelmOptions{

tests/dryrun/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.23-alpine AS build
+FROM golang:1.23.4-alpine AS build
 
 RUN apk add --no-cache ca-certificates curl git make bash
 

tests/dryrun/install_test.go

@@ -7,19 +7,26 @@ import (
 	"os"
 	"path/filepath"
 	"regexp"
+	"syscall"
 	"testing"
 	"time"
 
 	"github.com/replicatedhq/embedded-cluster/pkg/dryrun"
 	"github.com/replicatedhq/embedded-cluster/pkg/helm"
 	"github.com/replicatedhq/embedded-cluster/pkg/kubeutils"
+	"github.com/replicatedhq/embedded-cluster/pkg/runtimeconfig"
 	troubleshootv1beta2 "github.com/replicatedhq/troubleshoot/pkg/apis/troubleshoot/v1beta2"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
 	"github.com/stretchr/testify/require"
 )
 
 func TestDefaultInstallation(t *testing.T) {
+	testDefaultInstallationImpl(t)
+	t.Logf("%s: test complete", time.Now().Format(time.RFC3339))
+}
+
+func testDefaultInstallationImpl(t *testing.T) {
 	hcli := &helm.MockClient{}
 
 	mock.InOrder(
@@ -152,8 +159,6 @@ func TestDefaultInstallation(t *testing.T) {
 	assert.Equal(t, "10.244.0.0/17", k0sConfig.Spec.Network.PodCIDR)
 	assert.Equal(t, "10.244.128.0/17", k0sConfig.Spec.Network.ServiceCIDR)
 	assert.Contains(t, k0sConfig.Spec.API.SANs, "kubernetes.default.svc.cluster.local")
-
-	t.Logf("%s: test complete", time.Now().Format(time.RFC3339))
 }
 
 func TestCustomDataDir(t *testing.T) {
@@ -391,3 +396,36 @@ func TestConfigValuesInstallation(t *testing.T) {
 
 	t.Logf("%s: test complete", time.Now().Format(time.RFC3339))
 }
+
+func TestRestrictiveUmask(t *testing.T) {
+	oldUmask := syscall.Umask(0o077)
+	defer syscall.Umask(oldUmask)
+
+	testDefaultInstallationImpl(t)
+
+	// check that folders created in this test have the right permissions
+	folderList := []string{
+		runtimeconfig.EmbeddedClusterHomeDirectory(),
+		runtimeconfig.EmbeddedClusterBinsSubDir(),
+		runtimeconfig.EmbeddedClusterChartsSubDir(),
+		runtimeconfig.PathToEmbeddedClusterBinary("kubectl-preflight"),
+	}
+	gotFailure := false
+	for _, folder := range folderList {
+		stat, err := os.Stat(folder)
+		if err != nil {
+			t.Logf("failed to stat %s: %v", folder, err)
+			gotFailure = true
+			continue
+		}
+		if stat.Mode().Perm() != 0755 {
+			t.Logf("expected folder %s to have mode 0755, got %O", folder, stat.Mode().Perm())
+			gotFailure = true
+		}
+	}
+	if gotFailure {
+		t.Fatalf("at least one folder had incorrect permissions")
+	}
+
+	t.Logf("%s: test complete", time.Now().Format(time.RFC3339))
+}