From: bugzilla-noreply@freebsd.org
To: ports-bugs@FreeBSD.org
Subject: [Bug 264425] sysutils/nomad: Secure nomad data_dir
Date: Fri, 03 Jun 2022 01:56:23 +0000
X-Bugzilla-Who: grembo@FreeBSD.org
X-Bugzilla-Assigned-To: jhixson@FreeBSD.org
X-Bugzilla-Status: New
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
List-Archive: https://lists.freebsd.org/archives/freebsd-ports-bugs
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264425

Bug ID: 264425
Summary: sysutils/nomad: Secure nomad data_dir
Product: Ports & Packages
Version: Latest
Hardware: Any
URL: https://www.nomadproject.io/docs/operations/nomad-agent#permissions
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: Individual Port(s)
Assignee: jhixson@FreeBSD.org
Reporter: grembo@FreeBSD.org
Flags: maintainer-feedback?(jhixson@FreeBSD.org)

Created attachment 234404
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=234404&action=edit
Patch nomad startup script to create nomad_dir using strict permissions

Nomad's security model depends on `data_dir` being protected by restrictive file permissions (0700), as it writes secrets (like Vault tokens) with world-readable permissions (0666) below this path.

Right now, the nomad rc script creates data_dir (which is configured using nomad_dir in /etc/rc.conf) with the default umask if it doesn't exist.

The (untested, but hopefully trivial enough) attached patch fixes this by simply running chmod 0700 on the newly created directory. It is suitable to be applied using `git am`.

See also:
- https://github.com/hashicorp/nomad/issues/11900#issuecomment-1145503292 (discussion where I learned about this fact)
- https://www.nomadproject.io/docs/operations/nomad-agent#permissions

-- 
You are receiving this mail because:
You are the assignee for the bug.
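As an added example that is not part of the bug report, the port's rc script or the attached patch, the POSIX sh fragment below places the umask-dependent directory creation the report describes beside a hardened form (umask 077 at creation time plus an explicit chmod 0700, so a pre-existing permissive directory is tightened too), and adds a check a maintainer can run to confirm the mode is exactly 0700. The `nomad_dir` default under TMPDIR, the function names and the optional owner argument are assumptions for the example; the real rc script takes nomad_dir from /etc/rc.conf and runs as root.

```shell
#!/bin/sh
# Added example, not the sysutils/nomad rc script or the bug's patch.
# Hypothetical default path; the real rc script reads nomad_dir from /etc/rc.conf.
nomad_dir="${nomad_dir:-${TMPDIR:-/tmp}/nomad-data-example}"

# Weak form (what the report describes): the mode of a freshly created
# data_dir depends on the caller's umask, typically 022 -> 0755, so every
# file Nomad later writes with 0666 below it is world-readable.
create_data_dir_weak() {
    [ -d "$1" ] || mkdir -p "$1"
}

# Hardened form: create under umask 077 so the directory never exists with a
# permissive mode, then chmod 0700 so an already existing directory is
# tightened as well. Optional second argument: owner to chown to (needs root;
# assumed here, the report itself only asks for chmod 0700).
create_data_dir_secure() {
    dir="$1"
    owner="${2:-}"
    [ -d "$dir" ] || (umask 077 && mkdir -p "$dir") || return 1
    chmod 0700 "$dir" || return 1
    if [ -n "$owner" ]; then
        chown "$owner" "$dir" || return 1
    fi
}

# Check: returns 0 only when the directory mode is exactly drwx------ (0700).
# ls -ld is used instead of stat because stat's flags differ between BSD and GNU.
data_dir_is_private() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "drwx------" ]
}

# Usage: create the example directory and report the result.
if create_data_dir_secure "$nomad_dir" && data_dir_is_private "$nomad_dir"; then
    echo "ok: $nomad_dir is mode 0700"
else
    echo "error: $nomad_dir is not mode 0700" >&2
fi
```

The check deliberately tests for an exact 0700 rather than "not world-readable": group-readable data_dir contents would still expose the 0666 secret files to every member of that group.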