pkg: check file stats (#11798)

modify file util.

etcdmain/etcd.go

@@ -260,10 +260,17 @@ func startProxy(cfg *config) error {
 	}
 
 	cfg.ec.Dir = filepath.Join(cfg.ec.Dir, "proxy")
+	if fileutil.Exist(cfg.ec.Dir) {
+		err := fileutil.CheckDirPermission(cfg.ec.Dir, fileutil.PrivateDirMode)
+		if err != nil {
+			return err
+		}
+	} else {
 		err = os.MkdirAll(cfg.ec.Dir, fileutil.PrivateDirMode)
 		if err != nil {
 			return err
 		}
+	}
 
 	var peerURLs []string
 	clusterfile := filepath.Join(cfg.ec.Dir, "cluster")

pkg/fileutil/fileutil.go

@@ -42,14 +42,22 @@ func IsDirWriteable(dir string) error {
 // TouchDirAll is similar to os.MkdirAll. It creates directories with 0700 permission if any directory
 // does not exists. TouchDirAll also ensures the given directory is writable.
 func TouchDirAll(dir string) error {
-	// If path is already a directory, MkdirAll does nothing
+	// If path is already a directory, MkdirAll does nothing and returns nil, so,
-	// and returns nil.
+	// first check if dir exist with an expected permission mode.
+	if Exist(dir) {
+		err := CheckDirPermission(dir, PrivateDirMode)
+		if err != nil {
+			return err
+		}
+	} else {
 		err := os.MkdirAll(dir, PrivateDirMode)
 		if err != nil {
 			// if mkdirAll("a/text") and "text" is not
 			// a directory, this will return syscall.ENOTDIR
 			return err
 		}
+	}
+
 	return IsDirWriteable(dir)
 }
 
@@ -104,3 +112,22 @@ func ZeroToEnd(f *os.File) error {
 	_, err = f.Seek(off, io.SeekStart)
 	return err
 }
+
+// CheckDirPermission checks permission on an existing dir.
+// Returns error if dir is empty or exist with a different permission than specified.
+func CheckDirPermission(dir string, perm os.FileMode) error {
+	if !Exist(dir) {
+		return fmt.Errorf("directory %q empty, cannot check permission.", dir)
+	}
+	//check the existing permission on the directory
+	dirInfo, err := os.Stat(dir)
+	if err != nil {
+		return err
+	}
+	dirMode := dirInfo.Mode().Perm()
+	if dirMode != perm {
+		err = fmt.Errorf("directory %q exist without desired file permission. %q", dir, dirInfo.Mode())
+		return err
+	}
+	return nil
+}

pkg/fileutil/fileutil_test.go

@@ -173,3 +173,21 @@ func TestZeroToEnd(t *testing.T) {
 		}
 	}
 }
+
+func TestDirPermission(t *testing.T) {
+	tmpdir, err := ioutil.TempDir(os.TempDir(), "foo")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmpdir)
+
+	tmpdir2 := filepath.Join(tmpdir, "testpermission")
+	// create a new dir with 0700
+	if err = CreateDirAll(tmpdir2); err != nil {
+		t.Fatal(err)
+	}
+	// check dir permission with mode different than created dir
+	if err = CheckDirPermission(tmpdir2, 0600); err == nil {
+		t.Errorf("expected error, got nil")
+	}
+}

pkg/transport/listener.go

@@ -31,6 +31,7 @@ import (
 	"strings"
 	"time"
 
+	"go.etcd.io/etcd/pkg/fileutil"
 	"go.etcd.io/etcd/pkg/tlsutil"
 
 	"go.uber.org/zap"
@@ -114,9 +115,16 @@ func (info TLSInfo) Empty() bool {
 }
 
 func SelfCert(lg *zap.Logger, dirpath string, hosts []string, additionalUsages ...x509.ExtKeyUsage) (info TLSInfo, err error) {
-	if err = os.MkdirAll(dirpath, 0700); err != nil {
+	if fileutil.Exist(dirpath) {
+		err = fileutil.CheckDirPermission(dirpath, fileutil.PrivateDirMode)
+		if err != nil {
 			return
 		}
+	} else {
+		if err = os.MkdirAll(dirpath, fileutil.PrivateDirMode); err != nil {
+			return
+		}
+	}
 	info.Logger = lg
 
 	certPath := filepath.Join(dirpath, "cert.pem")