Updated config file permissions (#303)

HarshGandhi-AWS · web-flow · commit bdd08607652b · 2022-07-26T09:58:14.000-07:00
diff --git a/docs/PERMISSIONS.md b/docs/PERMISSIONS.md
@@ -21,11 +21,11 @@ Root Certificate Authority | 644               | **Yes**
 CSR File  | 600               | **Yes**
 Log File  | 600               | **Yes**
 Job Handler | 700               | **Yes**
-Config File | 640               | **Yes**
+Config File | 640               | **Recommended**
+HTTP Proxy Config File | 600           | **Recommended**
 Pub/Sub Files | 600               | **Yes**
 Sensor Pubilsh Pathname Socket | 660               | **Yes**
 PKCS11 Library File | 640               | **Yes**
-HTTP Proxy Config File | 600           | **Yes**
 
 #### Recommended and Required permissions on directories storing respective files
 Directory     | Chmod Permissions | Required |
diff --git a/source/config/Config.cpp b/source/config/Config.cpp
@@ -2556,22 +2556,22 @@ bool Config::ParseConfigFile(const string &file, ConfigFileType configFileType)
     }
 
     string configFileParentDir = FileUtils::ExtractParentDirectory(expandedPath.c_str());
-    FileUtils::ValidateFilePermissions(configFileParentDir, Permissions::CONFIG_DIR, true);
+    FileUtils::ValidateFilePermissions(configFileParentDir, Permissions::CONFIG_DIR, false);
     switch (configFileType)
     {
         case DEVICE_CLIENT_ESSENTIAL_CONFIG:
         {
-            FileUtils::ValidateFilePermissions(expandedPath.c_str(), Permissions::CONFIG_FILE, true);
+            FileUtils::ValidateFilePermissions(expandedPath.c_str(), Permissions::CONFIG_FILE, false);
             break;
         }
         case FLEET_PROVISIONING_RUNTIME_CONFIG:
         {
-            FileUtils::ValidateFilePermissions(expandedPath.c_str(), Permissions::RUNTIME_CONFIG_FILE, true);
+            FileUtils::ValidateFilePermissions(expandedPath.c_str(), Permissions::RUNTIME_CONFIG_FILE, false);
             break;
         }
         case HTTP_PROXY_CONFIG:
         {
-            FileUtils::ValidateFilePermissions(expandedPath.c_str(), Permissions::HTTP_PROXY_CONFIG_FILE, true);
+            FileUtils::ValidateFilePermissions(expandedPath.c_str(), Permissions::HTTP_PROXY_CONFIG_FILE, false);
             break;
         }
         default:
@@ -2608,6 +2608,7 @@ bool Config::ParseConfigFile(const string &file, ConfigFileType configFileType)
         }
         case FLEET_PROVISIONING_RUNTIME_CONFIG:
         {
+            config.LoadFromJson(jsonView);
             break;
         }
         case HTTP_PROXY_CONFIG:
diff --git a/source/config/Config.h b/source/config/Config.h
@@ -45,20 +45,20 @@ namespace Aws
                 static constexpr int LOG_DIR = 745;
                 static constexpr int PUBSUB_DIR = 745;
                 static constexpr int PKCS11_LIB_DIR = 700;
+                static constexpr int SENSOR_PUBLISH_ADDR_DIR = 700;
 
                 /** Files **/
                 static constexpr int PRIVATE_KEY = 600;
                 static constexpr int PUBLIC_CERT = 644;
                 static constexpr int ROOT_CA = 644;
                 static constexpr int CSR_FILE = 600;
                 static constexpr int LOG_FILE = 600;
-                static constexpr int CONFIG_FILE = 644;
-                static constexpr int RUNTIME_CONFIG_FILE = 644;
+                static constexpr int CONFIG_FILE = 640;
+                static constexpr int RUNTIME_CONFIG_FILE = 640;
                 static constexpr int JOB_HANDLER = 700;
                 static constexpr int PUB_SUB_FILES = 600;
                 static constexpr int SAMPLE_SHADOW_FILES = 600;
                 static constexpr int SENSOR_PUBLISH_ADDR_FILE = 660;
-                static constexpr int SENSOR_PUBLISH_ADDR_DIR = 700;
                 static constexpr int PKCS11_LIB_FILE = 640;
                 static constexpr int HTTP_PROXY_CONFIG_FILE = 600;
             };
diff --git a/source/fleetprovisioning/FleetProvisioning.cpp b/source/fleetprovisioning/FleetProvisioning.cpp
@@ -713,8 +713,8 @@ bool FleetProvisioning::ExportRuntimeConfig(
         runtimeDeviceConfig.c_str());
     LOGM_INFO(TAG, "Exported runtime configurations to: %s", file.c_str());
 
-    chmod(file.c_str(), S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
-    FileUtils::ValidateFilePermissions(file.c_str(), Permissions::RUNTIME_CONFIG_FILE, false);
+    chmod(expandedPath.c_str(), S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+    FileUtils::ValidateFilePermissions(expandedPath.c_str(), Permissions::RUNTIME_CONFIG_FILE, false);
     return true;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -2556,22 +2556,22 @@ bool Config::ParseConfigFile(const string &file, ConfigFileType configFileType)`
`2556`	`2556`	`}`
`2557`	`2557`
`2558`	`2558`	`string configFileParentDir = FileUtils::ExtractParentDirectory(expandedPath.c_str());`
`2559`		`- FileUtils::ValidateFilePermissions(configFileParentDir, Permissions::CONFIG_DIR, true);`
	`2559`	`+ FileUtils::ValidateFilePermissions(configFileParentDir, Permissions::CONFIG_DIR, false);`
`2560`	`2560`	`switch (configFileType)`
`2561`	`2561`	`{`
`2562`	`2562`	`case DEVICE_CLIENT_ESSENTIAL_CONFIG:`
`2563`	`2563`	`{`
`2564`		`- FileUtils::ValidateFilePermissions(expandedPath.c_str(), Permissions::CONFIG_FILE, true);`
	`2564`	`+ FileUtils::ValidateFilePermissions(expandedPath.c_str(), Permissions::CONFIG_FILE, false);`
`2565`	`2565`	`break;`
`2566`	`2566`	`}`
`2567`	`2567`	`case FLEET_PROVISIONING_RUNTIME_CONFIG:`
`2568`	`2568`	`{`
`2569`		`- FileUtils::ValidateFilePermissions(expandedPath.c_str(), Permissions::RUNTIME_CONFIG_FILE, true);`
	`2569`	`+ FileUtils::ValidateFilePermissions(expandedPath.c_str(), Permissions::RUNTIME_CONFIG_FILE, false);`
`2570`	`2570`	`break;`
`2571`	`2571`	`}`
`2572`	`2572`	`case HTTP_PROXY_CONFIG:`
`2573`	`2573`	`{`
`2574`		`- FileUtils::ValidateFilePermissions(expandedPath.c_str(), Permissions::HTTP_PROXY_CONFIG_FILE, true);`
	`2574`	`+ FileUtils::ValidateFilePermissions(expandedPath.c_str(), Permissions::HTTP_PROXY_CONFIG_FILE, false);`
`2575`	`2575`	`break;`
`2576`	`2576`	`}`
`2577`	`2577`	`default:`
`@@ -2608,6 +2608,7 @@ bool Config::ParseConfigFile(const string &file, ConfigFileType configFileType)`
`2608`	`2608`	`}`
`2609`	`2609`	`case FLEET_PROVISIONING_RUNTIME_CONFIG:`
`2610`	`2610`	`{`
	`2611`	`+ config.LoadFromJson(jsonView);`
`2611`	`2612`	`break;`
`2612`	`2613`	`}`
`2613`	`2614`	`case HTTP_PROXY_CONFIG:`
Original file line number	Diff line number	Diff line change
`@@ -713,8 +713,8 @@ bool FleetProvisioning::ExportRuntimeConfig(`
`713`	`713`	`runtimeDeviceConfig.c_str());`
`714`	`714`	`LOGM_INFO(TAG, "Exported runtime configurations to: %s", file.c_str());`
`715`	`715`
`716`		`- chmod(file.c_str(), S_IRUSR \| S_IWUSR \| S_IRGRP \| S_IROTH);`
`717`		`- FileUtils::ValidateFilePermissions(file.c_str(), Permissions::RUNTIME_CONFIG_FILE, false);`
	`716`	`+ chmod(expandedPath.c_str(), S_IRUSR \| S_IWUSR \| S_IRGRP \| S_IROTH);`
	`717`	`+ FileUtils::ValidateFilePermissions(expandedPath.c_str(), Permissions::RUNTIME_CONFIG_FILE, false);`
`718`	`718`	`return true;`
`719`	`719`	`}`
`720`	`720`