-
Notifications
You must be signed in to change notification settings - Fork 465
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
EXPERIMENTAL_AUDIT Doc Update #5444
Comments
@robert-s-lee @rolandcrosby What should the file permissions be set to? I think it should be |
@robert-s-lee The audit logs are stored in the same directory as the other logs generated by CockroachDB. Should the permissions for the entire directory be changed? |
@knz @aaron-crl Can you help me resolve this? |
i believe just the audit file itself. i typically see it own by cockroach user as the only user that can read and write. |
So whatever permission "problem" an admin thinks they have about audit logging, is also a problem for all their log files not just the audit log.
|
So the doc could casually talk about good permission hygiene and provide some examples on how to set this up properly. I don't think this is specific to audit logging. |
Absolutely. This ^^. Thanks @knz We can: |
It's not just the log files that are created with 0664 - it's pretty much everything, including the data files etc. Hence my answers: (1) CockroachDb uses a permission mask of 0664 for all files. It is the administrator's responsibility to constrain this further with (2) all crdb files (not just files) contain potentially sensitive data. Sites that do not use IMHO we're making a mountain out of a molehill. As Ben would say, we are cloud-first and thus strongly discourage users from deploying cockroachdb on systems shared between multiple users (or services) anyway. Trying to micro-optimize for multi-user, single-system deployments doesn't really gel with our product strategy. |
Do we have a functional need to create with 0664 or would 0660 work just as well for CRDB functions? Limiting access to sensitive information is still valuable - even outside the multi-user system. For example: If another service on the system has an arbitrary file read vulnerability but it is running under its own user account, limiting these permissions would limit the potential impact of such a vulnerability. Whereas in the current setup, an attacker could real CRDB sensitive information from any other compromised user access. |
I think it would work. Worth trying out |
44043: cli,log: change the default file permissions r=ajwerner a=knz Requested/recommended by @aaron-crl in cockroachdb/docs#5444 Prior to this patch, files created by a CockroachDB node were created with the default umask (usualy 0777) and permission bits 0644, i.e. `-rw-r--r--`. This situation is defective because in most common deployments umask does not exclude the "other" bits and the resulting data, log and temp files are world-readable. This is unsafe because any of these files can contain sensitive information. As Aaron puts it: > If another service on the system has an arbitrary file read > vulnerability but it is running under its own user account, limiting > these permissions would limit the potential impact of such a > vulnerability. Whereas in the current setup, an attacker could real > CRDB sensitive information from any other compromised user access. This patch rectifies this situation by enforcing at least bits 0007 in the umask early in `cockroach start`, so that created files, directories, symlinks etc have at most `-rw-rw----` (most will be `-rw-r-----`). Release note (security update): A CockroachDB node process (`start` / `start-single-node`) now configures its umask to create all its files without unix permission bits for "others", so that data/log/etc files do not become world-readable by default in systems that do not otherwise customize umask to enforce log file visibility. The files produced by other `cockroach` commands (e.g. the CLI commands) do not force their umask. Release note (backward-incompatible change): CockroachDB now creates files without read permissions for the "others" group. Sites that automate file management (e.g. log collection) using multiple user accounts now must ensure that the CockroachDB server and the management tools running on the same system are part of a shared unix group. 44064: cli: misc zip-related fixes r=tbg a=knz Fixes #43966. Mostly fixes the `zip` regression introduced in 19.2 by #36813. Co-authored-by: Raphael 'kena' Poss <[email protected]>
@a-entin for consideration for healthcheck |
Exalate commented:
Re: EXPERIMENTAL_AUDIT
Issue Description
file system permission for the file should be listed and/or modified. The default has
-rw-r--r--
which allows anyone access to the OS to read the audit log.Suggested Resolution
recommended permission setting for the audit file
Jira Issue: DOC-327
The text was updated successfully, but these errors were encountered: