Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Set more restrictive perms on alloc dir #2674

Closed
jshuping opened this issue May 25, 2017 · 3 comments
Closed

Set more restrictive perms on alloc dir #2674

jshuping opened this issue May 25, 2017 · 3 comments

Comments

@jshuping
Copy link

Nomad version

0.5.6

Operating system and Environment details

Ubuntu 16.04 AWS EC2

Suggestion

This is a suggestion to enhance security.

Nomad's data_dir contains these subdirectories:
drwxr-xr-x 5 root root 4096 May 25 12:01 alloc
drwx------ 3 root root 4096 May 25 08:45 client

And each alloc dir is created with permissions like:
drwxr-xr-x 4 root root 4096 May 25 10:50 60ec8de6-7426-1aff-6ffc-c678202f33ae

Unless the operator restricted the permissions to the overall data_dir by some other means,
any user on the system can cd into each allocdir and read the secrets generated by the jobs'
template stanzas.

Perhaps we could have that alloc dir also set restrictive permissions in the same way client does.
@dadgar
Copy link
Contributor

dadgar commented May 25, 2017

@jshuping Good catch! This was a regression introduced in 0.5.6!

@dadgar dadgar mentioned this issue May 25, 2017
Merged
@michaelw
Copy link 

drwxr-xr-x  15  root    root     4096  Jun  17  2017   /var
drwxr-xr-x  55  root    root     4096  Feb  13  08:30  /var/lib
drwxr-xr-x  7   root    root     4096  Dec  13  23:02  /var/lib/nomad
drwxr-xr-x  16  root    root     4096  Feb  13  10:23  /var/lib/nomad/alloc
drwxr-xr-x  4   root    root     4096  Feb  13  10:23  /var/lib/nomad/alloc/6558639b-a94d-952b-5fa3-c3374b1b33da
drwxrwxrwx  5   nobody  nogroup  4096  Feb  13  10:23  /var/lib/nomad/alloc/6558639b-a94d-952b-5fa3-c3374b1b33da/test
drwxrwxrwx  3   nobody  nogroup  120   Feb  13  23:42  /var/lib/nomad/alloc/6558639b-a94d-952b-5fa3-c3374b1b33da/test/secrets

Seeing this with nomad 0.7.1 on Linux-x64, is there a way to restrict this much more? E.g., 0755 for the task directory, 0700 for secrets, and user:group configurable for both? (because that depends on the container, and many containers drop privileges nowadays).

@github-actions
Copy link

github-actions bot commented Dec 3, 2022

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 3, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jshuping @michaelw @dadgar