mirror of https://github.com/sipwise/ngcpcfg.git
according to security framework spec

5.5.4 Allow r/w access to /etc/ngcp-config/config.yml for users in security domain ngcp-admin

This file contains operational configuration data of the NGCP system. Reading and editing it is part of day-to-day operations. As such it has to be read- and writable by users in security domain ngcp-admin. It is also readable by users of any other security domain. This file is also read by many NGCP processes.

The current default setup of the NGCP does not implement permissions as required by tightened user security. Required permission settings have to be applied manually by issuing the command:

    chgrp ngcp-admin /etc/ngcp-config/config.yml

Security domain: ngcp-admin
User ownership: root
Group ownership: ngcp-admin
File permissions: 664

IMPACT: Configuration data can be edited by all users in group ngcp-admin, the sipwise user, and user root. If for some reason (e.g. after upgrade) the proposed settings are reverted to default settings, this does not pose a security risk. However, write access to configuration data in this file will be denied to named users.

5.5.5 Allow r/w access to /etc/ngcp-config/network.yml for users in security domain ngcp-admin

This file contains information about the network configuration of the NGCP cluster. This information should not frequently change. Nevertheless, this file and its content are meant for the operator and as such are read- and writable by users in security domain ngcp-admin. It is also readable by users of any other security domain. This file is also read by many NGCP processes.

The current default setup of the NGCP does not implement permissions as required by tightened user security. Required permission settings have to be applied manually by issuing the command:

    chgrp ngcp-admin /etc/ngcp-config/network.yml

Security domain: ngcp-admin
User ownership: root
Group ownership: ngcp-admin
File permissions: 664

IMPACT: Configuration data can be edited by all users in group ngcp-admin, the sipwise user, and user root. If for some reason (e.g. after upgrade) the proposed settings are reverted to default settings, this does not pose a security risk. However, write access to configuration data in this file will be denied to named users.

5.5.6 Restrict access to /etc/ngcp-config/constants.yml to users in security domain root

This file contains values set during the initialization of the NGCP system. It contains passwords used by different NGCP functions to connect to other secured subsystems (e.g. DB or lawful intercept). As such the file has a high security impact and is read- and writeable to users of security domain root only.

The current default setup of the NGCP does not implement permissions as required by tightened user security. Required permission settings have to be applied manually by issuing the command:

    chmod 600 /etc/ngcp-config/constants.yml

Security domain: root
User ownership: root
Group ownership: root
File permissions: 600

IMPACT: Data in this configuration file are usually entered once during commissioning of the platform. Only users root or sipwise can edit or read this file. The customer’s named users have no access to this data. If for some reason (e.g. after upgrade) the proposed settings are reverted to default settings, this poses a security risk as credentials used internally may be leaked to unprivileged users.

Change-Id: I49a2994a227b9c296966c805c9370ae3b067de12
changes/71/30671/5
parent 7131b2891c
commit 92dccb4b10
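
The commit message notes that these settings are applied manually and may be reverted, for example after an upgrade. The script below is an added example, not part of the commit or of the ngcpcfg project, that checks the three files against the ownership and mode values listed in the message. The function names check_perm and audit_ngcp_config are hypothetical, and GNU stat (stat -c) is assumed.

```shell
#!/bin/sh
# Added example: audit the NGCP config files against the ownership and mode
# values from sections 5.5.4 to 5.5.6 of the commit message.
# Assumes GNU coreutils stat; function names are hypothetical.

# check_perm PATH OWNER GROUP MODE
# Prints one line per file. Returns 0 if compliant, 1 on drift, 2 if the
# file is missing or cannot be inspected.
check_perm() {
    path=$1
    want="$2:$3:$4"
    if [ ! -e "$path" ]; then
        echo "MISSING $path"
        return 2
    fi
    # -L follows symlinks so the permissions of the real target are compared.
    have=$(stat -L -c '%U:%G:%a' "$path") || return 2
    if [ "$have" != "$want" ]; then
        echo "DRIFT   $path have=$have want=$want"
        return 1
    fi
    echo "OK      $path $have"
}

# audit_ngcp_config [DIR]
# DIR defaults to /etc/ngcp-config. Returns 1 if any file is missing or
# deviates from the table below (file, owner, group, mode).
audit_ngcp_config() {
    dir=${1:-/etc/ngcp-config}
    rc=0
    while read -r file owner group mode; do
        check_perm "$dir/$file" "$owner" "$group" "$mode" || rc=1
    done <<EOF
config.yml root ngcp-admin 664
network.yml root ngcp-admin 664
constants.yml root root 600
EOF
    return $rc
}

# Usage after sourcing this file:  audit_ngcp_config || echo "permissions need attention"
```

A DRIFT line for constants.yml is the case the message flags as a security risk; drift on config.yml or network.yml only affects write access for named users.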