[Bug 264425] sysutils/nomad: Secure nomad data_dir
Date: Fri, 03 Jun 2022 01:56:23 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264425
Bug ID: 264425
Summary: sysutils/nomad: Secure nomad data_dir
Product: Ports & Packages
Version: Latest
Hardware: Any
URL: https://www.nomadproject.io/docs/operations/nomad-agent#permissions
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: Individual Port(s)
Assignee: jhixson@FreeBSD.org
Reporter: grembo@FreeBSD.org
Flags: maintainer-feedback?(jhixson@FreeBSD.org)
Created attachment 234404
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=234404&action=edit
Patch nomad startup script to create nomad_dir using strict permissions
Nomad's security model depends on `data_dir` being protected by restrictive
file permissions (0700), as it writes secrets (like Vault tokens) with
world-readable permissions (0666) below this path.
Right now, the nomad rc script creates data_dir (which is configured using
nomad_dir in /etc/rc.conf) with the default umask if it doesn't exist.
The (untested, but hopefully trivial enough) attached patch fixes this by
simply running chmod 0700 on the newly created directory. It is suitable to be
applied using `git am`.
See also:
- https://github.com/hashicorp/nomad/issues/11900#issuecomment-1145503292
Discussion where I learned about this fact
- https://www.nomadproject.io/docs/operations/nomad-agent#permissions
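The following shell snippet is an added illustration, not the attached patch and not the port's rc script. It reproduces the behaviour the report describes (a directory created under the inherited umask, typically 022, comes out 0755) next to the proposed fix (chmod 0700 after creation), plus a pre-start check an operator can run against data_dir. The function names and the `022` umask are assumptions made for the example; ownership of the directory (the nomad user) is a separate concern the rc script handles and is not covered here.

```shell
#!/bin/sh
# Added example: current vs. fixed creation of Nomad's data_dir.
# Not the sysutils/nomad rc script; function names are hypothetical.

# Print the octal permission bits of a path.
# GNU stat (Linux) first, BSD stat (FreeBSD) as the fallback.
dir_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# What the rc script effectively does today: mkdir under whatever umask
# was inherited. A 022 umask (assumed here) yields 0755, so the secrets
# Nomad later writes as 0666 below it are readable by every local user.
create_data_dir_current() {
    ( umask 022; mkdir -p "$1" )
}

# Proposed fix from the report: create as before, then force 0700 so the
# directory itself is the access-control boundary, independent of umask.
create_data_dir_fixed() {
    ( umask 022; mkdir -p "$1" )
    chmod 0700 "$1"
}

# Pre-flight check: succeed only when no group/other bits are set on
# data_dir, i.e. it is 0700 (setuid/setgid/sticky bits are rejected too).
check_data_dir() {
    mode=$(dir_mode "$1")
    case "$mode" in
        700) return 0 ;;
        *)   printf 'data_dir %s has mode %s, expected 700\n' "$1" "$mode" >&2
             return 1 ;;
    esac
}
```

Run `check_data_dir /var/db/nomad` (or whatever nomad_dir is set to in /etc/rc.conf) before starting the agent; a non-zero exit means secrets written with 0666 below that path are exposed to other local users. Note that `mkdir -p` on an already existing directory leaves its mode untouched, which is why the fix applies `chmod` unconditionally rather than relying on creation-time mode.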