From 332add01ef0025568f7b692a98e02938069bc24e Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles
Date: Thu, 8 Oct 2020 09:38:57 +0300
Subject: [PATCH] Ensure audit log permissions are restricted

While the apiserver audit options merely use the lumberjack logger in order to write the appropriate log files, this library has very loose permissions by default for these files [1]. However, this library will respect the permissions that the file has, if it exists already. This is also the most tested scenario in the library [2]. So, let's follow the pattern marked in the library's tests and pre-create the audit log file with an appropriate mode.

[1] https://github.com/natefinch/lumberjack/blob/v2.0/lumberjack.go#L280
[2] https://github.com/natefinch/lumberjack/blob/v2.0/linux_test.go

Signed-off-by: Juan Antonio Osorio Robles

Kubernetes-commit: 42df7bc5b3aa26bf545b6392b557833c7162c472
---
 pkg/server/options/audit.go | 25 +++++++++++++++++++++----
 1 file changed, 21 insertions(+), 4 deletions(-)

diff --git a/pkg/server/options/audit.go b/pkg/server/options/audit.go
index e88e8ca78..81fa7bae8 100644
--- a/pkg/server/options/audit.go
+++ b/pkg/server/options/audit.go
@@ -297,7 +297,11 @@ func (o *AuditOptions) ApplyTo(
 
 	// 2. Build log backend
 	var logBackend audit.Backend
-	if w := o.LogOptions.getWriter(); w != nil {
+	w, err := o.LogOptions.getWriter()
+	if err != nil {
+		return err
+	}
+	if w != nil {
 		if checker == nil {
 			klog.V(2).Info("No audit policy file provided, no events will be recorded for log backend")
 		} else {
@@ -502,9 +506,13 @@ func (o *AuditLogOptions) enabled() bool {
 	return o != nil && o.Path != ""
 }
 
-func (o *AuditLogOptions) getWriter() io.Writer {
+func (o *AuditLogOptions) getWriter() (io.Writer, error) {
 	if !o.enabled() {
-		return nil
+		return nil, nil
+	}
+
+	if err := o.ensureLogFile(); err != nil {
+		return nil, err
 	}
 
 	var w io.Writer = os.Stdout
@@ -517,7 +525,16 @@ func (o *AuditLogOptions) getWriter() io.Writer {
 			Compress: o.Compress,
 		}
 	}
-	return w
+	return w, nil
+}
+
+func (o *AuditLogOptions) ensureLogFile() error {
+	mode := os.FileMode(0600)
+	f, err := os.OpenFile(o.Path, os.O_CREATE|os.O_APPEND|os.O_RDWR, mode)
+	if err != nil {
+		return err
+	}
+	return f.Close()
 }
 
 func (o *AuditLogOptions) newBackend(w io.Writer) audit.Backend {
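Review bot: The new `return err` in ApplyTo hands the caller the bare error from getWriter, so an operator sees only the underlying os.PathError with nothing saying that the audit log backend is what failed to come up; wrap it at this layer, `return fmt.Errorf("audit log backend: %w", err)` (assuming fmt is already imported, or whichever wrapping style the rest of ApplyTo uses). The `w, err :=` declaration can also shadow an `err` declared earlier in ApplyTo; the function begins before this hunk, so that is worth confirming with a shadow linter. ApplyTo's body continues outside the hunk.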
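Review bot: ensureLogFile now runs before the stdout case is decided: getWriter defaults `w` to os.Stdout, and if the elided lines below only build the lumberjack logger when `o.Path != "-"` (they fall outside this hunk, so this is inferred from the default), then a path of `-` will now create and open a regular file literally named `-` in the working directory before falling back to stdout. Handle the sentinel first, `if o.Path == "-" { return os.Stdout, nil }`, placed ahead of the `ensureLogFile` call. The rest of getWriter's body continues past the end of the hunk.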
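Review bot: ensureLogFile has no doc comment and its contract is narrower than the patch title suggests: the 0600 mode is only applied when `os.OpenFile` actually creates the file, so an audit log that already exists with a permissive mode keeps it (the description itself notes that lumberjack preserves an existing file's permissions). Either tighten it explicitly after the open, `if err := f.Chmod(mode); err != nil { f.Close(); return err }`, or state the limitation in a comment such as `// ensureLogFile creates the audit log with mode 0600 if it does not yet exist, so lumberjack inherits restrictive permissions instead of its permissive default; a pre-existing file keeps its current mode.` The open also fails outright when the parent directory is missing, so if lumberjack previously created missing directories itself (inferred, not visible here) this changes startup behaviour and an `os.MkdirAll(filepath.Dir(o.Path), 0700)` before the OpenFile would be needed. O_RDWR is more access than this create-and-close probe needs; O_WRONLY would do.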