Date: Fri, 03 Jun 2022 01:56:23 +0000 From: bugzilla-noreply@freebsd.org To: ports-bugs@FreeBSD.org Subject: [Bug 264425] sysutils/nomad: Secure nomad data_dir Message-ID: <bug-264425-7788@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264425

Bug ID: 264425
Summary: sysutils/nomad: Secure nomad data_dir
Product: Ports & Packages
Version: Latest
Hardware: Any
URL: https://www.nomadproject.io/docs/operations/nomad-agent#permissions
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: Individual Port(s)
Assignee: jhixson@FreeBSD.org
Reporter: grembo@FreeBSD.org
Flags: maintainer-feedback?(jhixson@FreeBSD.org)

Created attachment 234404
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=234404&action=edit
Patch nomad startup script to create nomad_dir using strict permissions

Nomad's security model depends on `data_dir` being protected by restrictive file permissions (0700), as it writes secrets (like vault tokens) with world-readable permissions (0666) below this path.

Right now, the nomad rc script creates data_dir (which is configured using nomad_dir in /etc/rc.conf) with the default umask if it doesn't exist.

The (untested, but hopefully trivial enough) attached patch fixes this by simply running chmod 0700 on the newly created directory. It is suitable to be applied using `git am`.

See also:

- https://github.com/hashicorp/nomad/issues/11900#issuecomment-1145503292 (discussion where I learned about this fact)
- https://www.nomadproject.io/docs/operations/nomad-agent#permissions

-- 
You are receiving this mail because:
You are the assignee for the bug.
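The fix the report describes, creating the nomad data_dir with mode 0700 before the agent writes secrets under it, as an added POSIX sh example; this is not the attached patch and not the port's rc script. It goes slightly beyond the report: the directory is created under a restrictive umask so it never exists with group or world bits set (mkdir followed by chmod leaves a short window), an already existing directory is tightened too, and a separate check verifies the mode. The function names, the optional owner argument and the temporary demo path are assumptions.

```shell
#!/bin/sh
# Added example (not the attached patch, not nomad's rc script): create the
# nomad data_dir with mode 0700 at creation time, then verify it.
# Assumptions: the path and an optional owner are passed in as arguments;
# the owner is left alone when omitted so the example runs unprivileged.

# ensure_data_dir DIR [OWNER]
# Creates DIR (and missing parents) under umask 077, so the directory is
# 0700 from the moment it exists. An existing DIR created earlier with a
# lax umask (the situation in the bug report) is tightened with chmod.
ensure_data_dir() {
    dir="$1"
    owner="${2:-}"
    if [ ! -d "$dir" ]; then
        ( umask 077 && mkdir -p "$dir" ) || return 1
    fi
    chmod 0700 "$dir" || return 1
    if [ -n "$owner" ]; then
        chown "$owner" "$dir" || return 1
    fi
}

# data_dir_mode_ok DIR
# Succeeds only when DIR is a directory whose permission bits are exactly
# 0700. `find -perm 0700` is an exact-mode match on both BSD and GNU find,
# unlike `stat`, whose flags differ between the two.
data_dir_mode_ok() {
    [ -d "$1" ] || return 1
    [ -n "$(find "$1" -prune -perm 0700 -print)" ]
}

# Demo on a constructed temporary path (no real /var/nomad involved).
demo_dir="${TMPDIR:-/tmp}/nomad_dir_example.$$"
ensure_data_dir "$demo_dir"
if data_dir_mode_ok "$demo_dir"; then
    echo "ok: $demo_dir is 0700"
else
    echo "FAIL: $demo_dir has wrong permissions" >&2
fi
rmdir "$demo_dir"
```

In an rc.d script the call would go into the start precommand with the nomad_dir and nomad_user values from rc.conf; the check function is also usable on its own to audit an existing installation after upgrading the port.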
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-264425-7788>