Windows support: review permissions in directories and files created #3189
Since #3227 introduces more restrictive permissions in agent and server data directories (granting access to the owner only), I would like to collect some feedback to know if this could cause any problem.

Thanks for contacting me @amartinezfayo - I've inspected the change and nothing in there stands out to me as an issue, however, it would be great if there is a build available so I can quickly deploy it on a few of our Windows machines. If you could please point me to a build and also detail the spire-server version requirement for the build, I can verify the change for you next week. Thanks!

Thank you @nweedon-u, that would be great!

Thanks! I will test against a v1.3.x installation later this week.

Hey @amartinezfayo, I've tested your build on Windows Server 2012 and Windows Server 2019 and I can't see any problems - the agents seem to connect fine to our spire-server instances and the directories get populated with the expected data. Thanks!

Thank you very much for taking the time to test this, @nweedon-u!
Identified work items are:
This issue is stale because it has been open for 365 days with no activity.

This issue was closed because it has been inactive for 30 days since being marked as stale.
SPIRE creates some directories that store sensitive data, with certain permissions to restrict access (e.g. agent and server data directories).
On Windows, those directories are created with the CreateDirectory function using a NULL security descriptor. As a result, the directory gets a default security descriptor and the ACLs are inherited from its parent directory.
This means that the end user must take into account the ACLs of the directory where SPIRE is deployed, to properly secure sensitive data stored by SPIRE.
I think that a better security posture (considering that we strive to keep a "secure by default" policy) would be to set a security descriptor that would restrict access to the creator owner only in those directories.
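The situation described above (a data directory that simply inherits its parent's DACL), as an added example that is not part of this issue or of the SPIRE code base: a PowerShell check an operator can run against an existing deployment to see what the inherited descriptor actually grants, and with -Fix apply the owner-only restriction the issue proposes. The path and account names are placeholders, and it assumes PowerShell 5.1 or later on Windows.

```powershell
# Added example (not SPIRE project code): audit a SPIRE data directory's ACL on
# Windows and, with -Fix, restrict it to a single principal (owner only).
# Assumes PowerShell 5.1+ on Windows; the path and account names are placeholders.
function Test-SpireDataDirAcl {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Owner,                       # defaults to the directory's current owner
        [switch] $Fix
    )
    $acl = Get-Acl -Path $Path
    if (-not $Owner) { $Owner = $acl.Owner }

    # Report what the default (inherited) security descriptor actually grants.
    $findings = @()
    foreach ($rule in $acl.Access) {
        $who = $rule.IdentityReference.Value
        if ($rule.IsInherited) {
            $findings += "inherited from parent: $who -> $($rule.FileSystemRights)"
        } elseif ($who -ne $Owner) {
            $findings += "explicit non-owner ACE: $who -> $($rule.FileSystemRights)"
        }
    }
    if (-not $acl.AreAccessRulesProtected) {
        $findings += "inheritance enabled: parent ACL changes propagate into $Path"
    }
    $findings | ForEach-Object { Write-Warning $_ }

    if (-not $Fix) { return ($findings.Count -eq 0) }

    # Harden: stop inheriting, drop every explicit ACE, then grant the owner only.
    $acl.SetAccessRuleProtection($true, $false)   # protect; do not copy inherited ACEs
    foreach ($rule in @($acl.Access)) {
        if (-not $rule.IsInherited) { [void]$acl.RemoveAccessRule($rule) }
    }
    $ownerRule = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Owner, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($ownerRule)
    Set-Acl -Path $Path -AclObject $acl

    # Re-audit so the caller gets $true only if the directory is now owner-only.
    return (Test-SpireDataDirAcl -Path $Path -Owner $Owner)
}

# Usage (placeholder path; run as the account that owns the data directory):
# Test-SpireDataDirAcl -Path 'C:\spire\agent\data'        # audit only
# Test-SpireDataDirAcl -Path 'C:\spire\agent\data' -Fix   # audit, harden, re-audit
```

Run the audit first: anything reported as "inherited from parent" is exactly the access the NULL security descriptor hands out, and it is what the owner-only descriptor in #3227 removes.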