Commit a89f62e2 authored by Apollon Oikonomopoulos's avatar Apollon Oikonomopoulos Committed by Helga Velroyen
Browse files

Create the config backup archive in a safe way

Since the config backup archive contains sensitive information and is
written in world-readable locations (/var/lib by default), it should be
created in a safe way and with strict permissions.

This commit uses a temporary file to tackle two issues: the relaxed
permissions of the archive which respected the umask of the user running
`gnt-cluster upgrade' and a (possible) collision attack using a
pre-created file with the predictable backup filename.
Signed-off-by: default avatarApollon Oikonomopoulos <>
Reviewed-by: default avatarHelga Velroyen <>
parent 54383918
......@@ -30,6 +30,7 @@ from cStringIO import StringIO
import os
import time
import OpenSSL
import tempfile
import itertools
from ganeti.cli import *
......@@ -1859,11 +1860,16 @@ def _UpgradeBeforeConfigurationChange(versionstring):
ToStdout("Backing up configuration as %s" % backuptar)
if not _RunCommandAndReport(["mkdir", "-p", pathutils.BACKUP_DIR]):
return (False, rollback)
if not _RunCommandAndReport(["tar", "-cf", backuptar,
# Create the archive in a safe manner, as it contains sensitive
# information.
(fd, tmp_name) = tempfile.mkstemp(prefix=backuptar, dir=pathutils.BACKUP_DIR)
if not _RunCommandAndReport(["tar", "-cf", tmp_name,
return (False, rollback)
os.rename(tmp_name, backuptar)
return (True, rollback)
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment