Skip to content

Set Linux file‑mode for more restrictive permissions #346

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ZhidongPeng merged 4 commits into from
May 21, 2026
Merged

Set Linux file‑mode for more restrictive permissions #346

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
d99f7db
Set Linux file‑mode for more restrictive permissions
May 13, 2026
30d9580
Merge branch 'dev' into file
ZhidongPeng May 19, 2026
652d446
set file permissions when write status file success intead
May 21, 2026
2e9d112
Merge branch 'dev' into file
ZhidongPeng May 21, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 15 additions & 1 deletion proxy_agent/src/key_keeper.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -935,7 +935,21 @@ impl KeyKeeper {
key_file.display(),
e
)))
})
})?;

#[cfg(not(windows))]
{
// set the file permissions to 600 for non-windows platform
proxy_agent_shared::linux::set_file_permissions(&key_file, 0o600).map_err(|e| {
Error::Key(KeyErrorType::StoreLocalKey(format!(
"set_file_permissions '{}' failed {}",
key_file.display(),
e
)))
})?;
}

Ok(())
}
}

Expand Down
25 changes: 24 additions & 1 deletion proxy_agent/src/provision.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -435,11 +435,21 @@ async fn write_provision_state(
}

if let Err(e) = std::fs::write(
provisioned_file,
&provisioned_file,
misc_helpers::get_date_time_string_with_milliseconds(),
) {
logger::write_error(format!("Failed to write provisioned file with error: {e}"));
}
#[cfg(not(windows))]
{
proxy_agent_shared::linux::set_file_permissions(&provisioned_file, 0o600).unwrap_or_else(
|e| {
logger::write_error(format!(
"Failed to set provisioned file permission to 600 with error: {e}"
));
},
);
}

let mut failed_state_message =
get_provision_failed_state_message(provision_shared_state, agent_status_shared_state).await;
Expand Down Expand Up @@ -484,6 +494,19 @@ async fn write_provision_state(
logger::write_error(format!("Failed to write temp status file with error: {e}"));
}
}

#[cfg(not(windows))]
{
proxy_agent_shared::linux::set_file_permissions(
&provision_dir.join(STATUS_TAG_FILE_NAME),
0o600,
)
.unwrap_or_else(|e| {
logger::write_error(format!(
"Failed to set status file permission to 600 with error: {e}"
));
});
}
}

/// Get provision failed state message
Expand Down
10 changes: 10 additions & 0 deletions proxy_agent/src/proxy_agent_status.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -297,6 +297,16 @@ impl ProxyAgentStatusTask {
))
.await;
} else {
#[cfg(not(windows))]
{
proxy_agent_shared::linux::set_file_permissions(&full_file_path, 0o640)
Comment thread
ZhidongPeng marked this conversation as resolved.
.unwrap_or_else(|e| {
logger::write_error(format!(
"Failed to set status.json file permission to 640 with error: {e}"
));
});
}

// need overwrite the status message to indicate the status file is written successfully
self.update_agent_status_message(format!(
"Aggregate status written to status file: {}",
Expand Down
36 changes: 33 additions & 3 deletions proxy_agent_setup/src/linux.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,16 +12,31 @@ const EBPF_FILE: &str = "ebpf_cgroup.o";
const CONFIG_PATH: &str = "/etc/azure/proxy-agent.json";
const EBPF_PATH: &str = "/usr/lib/azure-proxy-agent/ebpf_cgroup.o";

pub fn setup_service(service_name: &str, service_file_dir: PathBuf) -> Result<u64> {
pub fn setup_service(service_name: &str, service_file_dir: PathBuf) -> Result<()> {
copy_service_config_file(service_name, service_file_dir)
}

fn copy_service_config_file(service_name: &str, service_file_dir: PathBuf) -> Result<u64> {
fn copy_service_config_file(service_name: &str, service_file_dir: PathBuf) -> Result<()> {
let service_config_name = format!("{service_name}.service");
let src_config_file_path = service_file_dir.join(&service_config_name);
let dst_config_file_path = PathBuf::from(proxy_agent_shared::linux::SERVICE_CONFIG_FOLDER_PATH)
.join(&service_config_name);
fs::copy(src_config_file_path, dst_config_file_path).map_err(Into::into)
fs::copy(src_config_file_path, &dst_config_file_path).map_err(|e| {
std::io::Error::other(format!(
"Failed to copy service config file to {dst_config_file_path:?} with error: {e}"
))
})?;
// set the file permissions to 644 for the service config unit file
proxy_agent_shared::linux::set_file_permissions(&dst_config_file_path, 0o644).map_err(|e| {
std::io::Error::other(format!(
"Failed to set file permissions for {dst_config_file_path:?} with error: {e}"
))
})?;

logger::write(format!(
"Copied service config file to {dst_config_file_path:?}"
));
Ok(())
}

fn backup_service_config_file(backup_folder: PathBuf) {
Expand Down Expand Up @@ -94,7 +109,22 @@ pub fn copy_files(src_folder: PathBuf) {
src_folder.join("azure-proxy-agent"),
dst_folder.join("azure-proxy-agent"),
);
// set the file permissions to 755 for the azure-proxy-agent binary
proxy_agent_shared::linux::set_file_permissions(&dst_folder.join("azure-proxy-agent"), 0o755)
.unwrap_or_else(|e| {
logger::write_error(format!(
"Failed to set azure-proxy-agent file permission to 755 with error: {e}"
));
});

copy_file(src_folder.join(CONFIG_FILE), PathBuf::from(CONFIG_PATH));
proxy_agent_shared::linux::set_file_permissions(&PathBuf::from(CONFIG_PATH), 0o644)
.unwrap_or_else(|e| {
logger::write_error(format!(
"Failed to set config file permission to 644 with error: {e}"
));
});

copy_file(src_folder.join(EBPF_FILE), PathBuf::from(EBPF_PATH));
}

Expand Down
20 changes: 20 additions & 0 deletions proxy_agent_shared/src/linux.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -174,9 +174,18 @@ pub fn read_proc_memory_status(pid: u32) -> Result<MemStatus> {
Ok(MemStatus { vmrss_kb, vmhwm_kb })
}

/// Set the file permissions for a file or directory.
pub fn set_file_permissions(path: &PathBuf, mode: u32) -> Result<()> {
use std::os::unix::fs::PermissionsExt;
let permissions = fs::Permissions::from_mode(mode);
fs::set_permissions(path, permissions)?;
Ok(())
}

#[cfg(test)]
mod tests {
use crate::misc_helpers;
use std::os::unix::fs::PermissionsExt as _;

#[test]
fn get_os_version_tests() {
Expand Down Expand Up @@ -228,4 +237,15 @@ mod tests {
}
};
}

#[test]
fn set_file_permissions_test() {
let test_file_path = "/tmp/test_file_permissions.txt";
std::fs::write(test_file_path, "test").unwrap();
let path = std::path::PathBuf::from(test_file_path);
super::set_file_permissions(&path, 0o644).unwrap();
let metadata = std::fs::metadata(test_file_path).unwrap();
assert_eq!(metadata.permissions().mode() & 0o777, 0o644);
std::fs::remove_file(test_file_path).unwrap();
}
}
Loading