Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Backport of Fixing excessive unix file permissions into release/1.10.x #14842

Closed
wants to merge 4 commits into from
Closed

Backport of Fixing excessive unix file permissions into release/1.10.x #14842

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
0d86d53
backport of commit 8779fabc558458354c66298c8cd6bbb8a3f8ea81
hghaf099 Mar 30, 2022
30944af
backport of commit e263fac1e8f59056c8f89e7e78ba64418fe612e5
hghaf099 Mar 30, 2022
91f6d05
Merge branch 'release/1.10.x' into backport/vault-4364/perfectly-enor…
hghaf099 Apr 1, 2022
784abe4
Merge branch 'release/1.10.x' into backport/vault-4364/perfectly-enor…
hghaf099 Apr 1, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
3 changes: 3 additions & 0 deletions changelog/14791.txt
View file
Open in desktop
@@ -0,0 +1,3 @@
```release-note:bug
core: fixing excessive unix file permissions
```
2 changes: 1 addition & 1 deletion command/agent.go
View file
Open in desktop
Expand Up @@ -979,7 +979,7 @@ func (c *AgentCommand) storePidFile(pidPath string) error {
}

// Open the PID file
pidFile, err := os.OpenFile(pidPath, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644)
pidFile, err := os.OpenFile(pidPath, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o600)
if err != nil {
return fmt.Errorf("could not open pid file: %w", err)
}
Expand Down
2 changes: 1 addition & 1 deletion command/operator_raft_snapshot_save.go
View file
Open in desktop
Expand Up @@ -76,7 +76,7 @@ func (c *OperatorRaftSnapshotSaveCommand) Run(args []string) int {

w := &lazyOpenWriter{
openFunc: func() (io.WriteCloser, error) {
return os.OpenFile(path, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644)
return os.OpenFile(path, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o600)
},
}

Expand Down
4 changes: 2 additions & 2 deletions command/server.go
View file
Open in desktop
Expand Up @@ -1926,7 +1926,7 @@ func (c *ServerCommand) enableThreeNodeDevCluster(base *vault.CoreConfig, info m
return 1
}

if err := ioutil.WriteFile(filepath.Join(testCluster.TempDir, "root_token"), []byte(testCluster.RootToken), 0o755); err != nil {
if err := ioutil.WriteFile(filepath.Join(testCluster.TempDir, "root_token"), []byte(testCluster.RootToken), 0o600); err != nil {
c.UI.Error(fmt.Sprintf("Error writing token to tempfile: %s", err))
return 1
}
Expand Down Expand Up @@ -2158,7 +2158,7 @@ func (c *ServerCommand) storePidFile(pidPath string) error {
}

// Open the PID file
pidFile, err := os.OpenFile(pidPath, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644)
pidFile, err := os.OpenFile(pidPath, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o600)
if err != nil {
return fmt.Errorf("could not open pid file: %w", err)
}
Expand Down
2 changes: 1 addition & 1 deletion physical/raft/raft.go
View file
Open in desktop
Expand Up @@ -274,7 +274,7 @@ func EnsurePath(path string, dir bool) error {
if !dir {
path = filepath.Dir(path)
}
return os.MkdirAll(path, 0o755)
return os.MkdirAll(path, 0o750)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I remember seeing this as 0o700 in your main PR. https://github.com/hashicorp/vault/pull/14791/files

}

// NewRaftBackend constructs a RaftBackend using the given directory
Expand Down
4 changes: 2 additions & 2 deletions physical/raft/snapshot.go
View file
Open in desktop
Expand Up @@ -86,7 +86,7 @@ func NewBoltSnapshotStore(base string, logger log.Logger, fsm *FSM) (*BoltSnapsh

// Ensure our path exists
path := filepath.Join(base, snapPath)
if err := os.MkdirAll(path, 0o755); err != nil && !os.IsExist(err) {
if err := os.MkdirAll(path, 0o750); err != nil && !os.IsExist(err) {
return nil, fmt.Errorf("snapshot path not accessible: %v", err)
}

Expand Down Expand Up @@ -324,7 +324,7 @@ func (s *BoltSnapshotSink) writeBoltDBFile() error {
s.logger.Info("creating new snapshot", "path", path)

// Make the directory
if err := os.MkdirAll(path, 0o755); err != nil {
if err := os.MkdirAll(path, 0o750); err != nil {
s.logger.Error("failed to make snapshot directory", "error", err)
return err
}
Expand Down