pkg: file stat warning

Provide warning and doc instead of enforcing file permission.

Documentation/op-guide/security.md

@@ -431,6 +431,9 @@ No. etcd doesn't encrypt key/value data stored on disk drives. If a user need to
 * Let client applications encrypt and decrypt the data
 * Use a feature of underlying storage systems for encrypting stored data like [dm-crypt]
 
+### I’m seeing a log warning that "directory X exist without recommended permission -rwx------"
+When etcd create certain new directories it sets file permission to 700 to prevent unprivileged access as possible. However, if user has already created a directory with own preference, etcd uses the existing directory and logs a warning message if the permission is different than 700.
+
 [cfssl]: https://github.com/cloudflare/cfssl
 [tls-setup]: ../../hack/tls-setup
 [tls-guide]: https://github.com/coreos/docs/blob/master/os/generate-self-signed-certificates.md

pkg/fileutil/fileutil.go

@@ -68,7 +68,7 @@ func TouchDirAll(dir string) error {
 	if Exist(dir) {
 		err := CheckDirPermission(dir, PrivateDirMode)
 		if err != nil {
-			return err
+			plog.Warningf("check file permission: %v", err)
 		}
 	} else {
 		err := os.MkdirAll(dir, PrivateDirMode)
@@ -140,7 +140,7 @@ func CheckDirPermission(dir string, perm os.FileMode) error {
 	}
 	dirMode := dirInfo.Mode().Perm()
 	if dirMode != perm {
-		err = fmt.Errorf("directory %q,%q exist without desired file permission %q.", dir, dirInfo.Mode(), os.FileMode(PrivateDirMode))
+		err = fmt.Errorf("directory %q exist, but the permission is %q. The recommended permission is %q to prevent possible unprivileged access to the data.", dir, dirInfo.Mode(), os.FileMode(PrivateDirMode))
 		return err
 	}
 	return nil