Create the config backup archive in a safe way

Since the config backup archive contains sensitive information and is
written in world-readable locations (/var/lib by default), it should be
created in a safe way and with strict permissions.

This commit uses a temporary file to tackle two issues: the relaxed
permissions of the archive which respected the umask of the user running
`gnt-cluster upgrade' and a (possible) collision attack using a
pre-created file with the predictable backup filename.

Signed-off-by: Apollon Oikonomopoulos <apoikos@gmail.com>
Reviewed-by: Helga Velroyen <helgav@google.com>

diff --git a/lib/client/gnt_cluster.py b/lib/client/gnt_cluster.py
index 8bb064f..95a7ab7 100644 (file)
--- a/lib/client/gnt_cluster.py
+++ b/lib/client/gnt_cluster.py
@@ -30,6 +30,7 @@ from cStringIO import StringIO
 import os
 import time
 import OpenSSL
+import tempfile
 import itertools
 
 from ganeti.cli import *
@@ -1859,11 +1860,16 @@ def _UpgradeBeforeConfigurationChange(versionstring):
   ToStdout("Backing up configuration as %s" % backuptar)
   if not _RunCommandAndReport(["mkdir", "-p", pathutils.BACKUP_DIR]):
     return (False, rollback)
-  if not _RunCommandAndReport(["tar", "-cf", backuptar,
+
+  # Create the archive in a safe manner, as it contains sensitive
+  # information.
+  (fd, tmp_name) = tempfile.mkstemp(prefix=backuptar, dir=pathutils.BACKUP_DIR)
+  if not _RunCommandAndReport(["tar", "-cf", tmp_name,
                                "--exclude=queue/archive",
                                pathutils.DATA_DIR]):
     return (False, rollback)
 
+  os.rename(tmp_name, backuptar)
   return (True, rollback)