marsadm: fix /mars security issues

Only relevant for non-storage servers where customers have access to.

Notice that /mars is a _reserved_ filesystem for MARS-internal purposes.
It has mothing to do with an ordinary filesystem.

Users have generally to be kept out.

docu/mars-manual.lyx

@@ -2585,6 +2585,23 @@ On each node, mount that filesystem to
 .
 \end_layout
 
+\begin_layout Enumerate
+For security reasons, execute 
+\family typewriter
+chmod 0700 /mars
+\family default
+ everyhwere after 
+\family typewriter
+/mars/
+\family default
+ has been mounted.
+ If you forget this step, any following 
+\family typewriter
+marsadm
+\family default
+ command will drop you a warning, but will fix the problem for you.
+\end_layout
+
 \begin_layout Enumerate
 On node A, say 
 \family typewriter

userspace/marsadm

@@ -4976,6 +4976,20 @@ if ($cmd !~ m/^(version$|v$|view)/ && -x $logger) {
 
 ldie "The $mars directory does not exist.\n" unless -d $mars;
 
+my @mars_stat = stat($mars) or ldie "Cannot stat '$mars'\n";
+# check uid
+if ($mars_stat[4]) {
+  lwarn "Directory $mars has wrong owner uid $mars_stat[4].\n";
+  chown(0, 0, $mars) or ldie "Cannot chown $mars.\n";
+  lwarn "Fixed by setting to 0.\n";
+}
+# check permissions
+if ($mars_stat[2] & 077777 != 0700) {
+  lwarn "Directory $mars has wrong permissions.\n";
+  chmod(0700, $mars) or ldie "Cannot chmod $mars.\n";
+  lwarn "Fixed to mode 0700 for security reasons.\n";
+}
+
 if ($cmd !~ m/(create|join)-cluster|create-uuid|cat|view|pretty/) {
   my $uuid = get_link("$mars/uuid", 1);
   ldie "No valid cluster UUID $mars/uuid found. You need {create,join}-cluster first (or create-uuid).\n" unless $uuid;