From 03d54864137a00562b37d71dc70ab382993bc3bf Mon Sep 17 00:00:00 2001
From: Thomas Roehl
Date: Sat, 21 Dec 2024 03:45:53 +0100
Subject: [PATCH] Add check for configuration files to be owned by user and have perm 0600. Fixes #33
---
 cc-metric-collector.go | 50 +++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 49 insertions(+), 1 deletion(-)
diff --git a/cc-metric-collector.go b/cc-metric-collector.go
index 823cb5e..19a3c01 100644
--- a/cc-metric-collector.go
+++ b/cc-metric-collector.go
@@ -3,6 +3,7 @@ package main
 import (
 "encoding/json"
 "flag"
+ "fmt"
 "os"
 "os/signal"
 "syscall"
@@ -15,9 +16,9 @@ import (
 "sync"
 "time"
+ lp "github.com/ClusterCockpit/cc-energy-manager/pkg/cc-message"
 mr "github.com/ClusterCockpit/cc-metric-collector/internal/metricRouter"
 cclog "github.com/ClusterCockpit/cc-metric-collector/pkg/ccLogger"
- lp "github.com/ClusterCockpit/cc-energy-manager/pkg/cc-message"
 mct "github.com/ClusterCockpit/cc-metric-collector/pkg/multiChanTicker"
 )
@@ -42,6 +43,27 @@ func LoadCentralConfiguration(file string, config *CentralConfigFile) error {
 return err
 }
+func ConfigFileCheck(file string) error {
+
+ info, err := os.Stat(file)
+ if err != nil {
+ cclog.Error("Cannot access file", file)
+ return err
+ }
+ uid := info.Sys().(*syscall.Stat_t).Uid
+ perm := info.Mode().Perm()
+ if uid != uint32(os.Getuid()) {
+ err = fmt.Errorf("file %s has a different owner", file)
+ return err
+ }
+ if perm != 0600 {
+ err = fmt.Errorf("file %s has a invalid permissions", file)
+ return err
+ }
+
+ return nil
+}
+
 type RuntimeConfig struct {
 Interval time.Duration
 Duration time.Duration
@@ -167,6 +189,12 @@ func mainFunc() int {
 CliArgs: ReadCli(),
 }
+ err = ConfigFileCheck(rcfg.CliArgs["configfile"])
+ if err != nil {
+ cclog.Error(err.Error())
+ return 1
+ }
+
 // Load and check configuration
 err = LoadCentralConfiguration(rcfg.CliArgs["configfile"], &rcfg.ConfigFile)
 if err != nil {
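Review bot: In the new ConfigFileCheck, the assertion `info.Sys().(*syscall.Stat_t)` is unchecked, so it panics wherever Sys() returns a different type; the comma-ok form with an error return avoids that. The test `perm != 0600` also rejects stricter owner-only modes such as 0400, and nothing confirms the path is a regular file, since os.Stat follows symlinks. If the intent is "no access for group or other", masking those bits says so directly, though that also admits modes like 0700, so keep the exact comparison if 0600 is meant literally. The stat failure is logged here and again by every caller, and the message "has a invalid permissions" has a typo and gives the operator neither the mode found nor the one required. A possible rewrite follows.

```go
func ConfigFileCheck(file string) error {
	info, err := os.Stat(file)
	if err != nil {
		// Returned only; callers already log the error they receive.
		return fmt.Errorf("cannot access file %s: %w", file, err)
	}
	if !info.Mode().IsRegular() {
		return fmt.Errorf("file %s is not a regular file", file)
	}
	st, ok := info.Sys().(*syscall.Stat_t)
	if !ok {
		return fmt.Errorf("cannot determine owner of file %s", file)
	}
	if st.Uid != uint32(os.Getuid()) {
		return fmt.Errorf("file %s has a different owner", file)
	}
	// Any group/other bit fails; owner-only modes such as 0400 pass.
	if perm := info.Mode().Perm(); perm&0077 != 0 {
		return fmt.Errorf("file %s has invalid permissions %04o, expected 0600", file, perm)
	}
	return nil
}
```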
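Review bot: The check added in mainFunc before `LoadCentralConfiguration` validates a path, and the loader then presumably opens that same path on its own, so the file that passed the check is not guaranteed to be the file that gets parsed. Whether it can be replaced in between depends on the ownership and mode of the containing directory, which ConfigFileCheck never inspects. Consider opening the file once, calling `Stat()` on the open `*os.File`, and decoding from that handle. The same applies to the router, sink, collector and receiver checks in the later hunks, where the loaders also take a path and lie outside this patch. mainFunc's body continues outside the hunk.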
@@ -208,16 +236,31 @@ func mainFunc() int {
 cclog.Error("Metric router configuration file must be set")
 return 1
 }
+ err = ConfigFileCheck(rcfg.ConfigFile.RouterConfigFile)
+ if err != nil {
+ cclog.Error(err.Error())
+ return 1
+ }
 if len(rcfg.ConfigFile.SinkConfigFile) == 0 {
 cclog.Error("Sink configuration file must be set")
 return 1
 }
+ err = ConfigFileCheck(rcfg.ConfigFile.SinkConfigFile)
+ if err != nil {
+ cclog.Error(err.Error())
+ return 1
+ }
 if len(rcfg.ConfigFile.CollectorConfigFile) == 0 {
 cclog.Error("Metric collector configuration file must be set")
 return 1
 }
+ err = ConfigFileCheck(rcfg.ConfigFile.CollectorConfigFile)
+ if err != nil {
+ cclog.Error(err.Error())
+ return 1
+ }
 // Set log file
 if logfile := rcfg.CliArgs["logfile"]; logfile != "stderr" {
@@ -260,6 +303,11 @@ func mainFunc() int {
 // Create new receive manager
 if len(rcfg.ConfigFile.ReceiverConfigFile) > 0 {
+ err = ConfigFileCheck(rcfg.ConfigFile.ReceiverConfigFile)
+ if err != nil {
+ cclog.Error(err.Error())
+ return 1
+ }
 rcfg.ReceiveManager, err = receivers.New(&rcfg.Sync, rcfg.ConfigFile.ReceiverConfigFile)
 if err != nil {
 cclog.Error(err.Error())