Detect and fix improper file ownership on launch (#722)

This commit: - detects a subset of what osquery will consider improper file perms/ownership on the extension binary - tries to fix those errors
kolide · Mar 17, 2021 · e1a9027 · e1a9027
1 parent e70215d
commit e1a9027
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 0 deletions.
diff --git a/pkg/osquery/runtime/runtime.go b/pkg/osquery/runtime/runtime.go
@@ -524,6 +524,15 @@ func (r *Runner) launchOsqueryInstance() error {
 		return errors.Wrap(err, "could not calculate osquery file paths")
 	}
 
+	// The extensions file should be owned by the process's UID or by root.
+	// Osquery will refuse to load the extension otherwise.
+	if err := ensureProperPermissions(o, paths.extensionPath); err != nil {
+		level.Info(o.logger).Log(
+			"msg", "unable to ensure proper permissions on extension path",
+			"err", err,
+		)
+	}
+
 	// Populate augeas lenses, if requested
 	if o.opts.augeasLensFunc != nil {
 		if err := os.MkdirAll(paths.augeasPath, 0755); err != nil {

diff --git a/pkg/osquery/runtime/runtime_helpers.go b/pkg/osquery/runtime/runtime_helpers.go
@@ -3,10 +3,12 @@
 package runtime
 
 import (
+	"os"
 	"os/exec"
 	"path/filepath"
 	"syscall"
 
+	"github.com/go-kit/kit/log/level"
 	"github.com/pkg/errors"
 )
 
@@ -33,3 +35,31 @@ func platformArgs() []string {
 func isExitOk(err error) bool {
 	return false
 }
+
+func ensureProperPermissions(o *OsqueryInstance, path string) error {
+	fd, err := os.Stat(path)
+	if err != nil {
+		return errors.Wrap(err, "stat-ing path")
+	}
+	sys := fd.Sys().(*syscall.Stat_t)
+	isRootOwned := (sys.Uid == 0)
+	isProcOwned := (sys.Uid == uint32(os.Geteuid()))
+
+	if isRootOwned || isProcOwned {
+		return nil
+	}
+
+	level.Info(o.logger).Log(
+		"msg", "unsafe permissions detected on path",
+		"path", path,
+	)
+
+	// chown the path. This could potentially be insecure, since
+	// we're basically chown-ing whatever is there to root, but a certain
+	// level of privilege is needed to place something in the launcher root
+	// directory.
+	if err = os.Chown(path, os.Getuid(), os.Getgid()); err != nil {
+		return errors.Wrap(err, "attempting to chown path")
+	}
+	return nil
+}
diff --git a/pkg/osquery/runtime/runtime_helpers_windows.go b/pkg/osquery/runtime/runtime_helpers_windows.go
@@ -60,3 +60,7 @@ func isExitOk(err error) bool {
 	}
 	return false
 }
+
+func ensureProperPermissions(o *OsqueryInstance, path string) error {
+	return nil
+}