Check .seed file owner is root on load

elastic · May 3, 2022 · 5922e7b · 5922e7b
1 parent e94ccc7
commit 5922e7b
Showing 1 changed file with 36 additions and 0 deletions.
diff --git a/internal/pkg/agent/vault/seed.go b/internal/pkg/agent/vault/seed.go
@@ -12,12 +12,48 @@ import (
 	"io/ioutil"
 	"os"
 	"path/filepath"
+
+	"github.com/elastic/elastic-agent-libs/file"
 )
 
 const seedFile = ".seed"
 
+var ErrNonRootFileOwner = errors.New("non-root file owner")
+
+func isFileOwnerRoot(path string) (isOwnerRoot bool, err error) {
+	info, err := os.Stat(path)
+	if err != nil {
+		return false, err
+	}
+
+	stat, err := file.Wrap(info)
+	if err != nil {
+		return false, err
+	}
+
+	uid, _ := stat.UID()
+	gid, _ := stat.GID()
+	if uid == 0 && gid == 0 {
+		return true, nil
+	}
+
+	return false, nil
+}
+
 func getSeed(path string) ([]byte, error) {
 	fp := filepath.Join(path, seedFile)
+
+	isOwnerRoot, err := isFileOwnerRoot(fp)
+	if err != nil {
+		if !errors.Is(err, os.ErrNotExist) {
+			return nil, err
+		}
+	}
+
+	if !isOwnerRoot {
+		return nil, ErrNonRootFileOwner
+	}
+
 	b, err := ioutil.ReadFile(fp)
 
 	if err != nil {