Created attachment 234404
Patch nomad startup script to create nomad_dir using strict permissions

Nomad's security model depends on `data_dir` being protected by restrictive file permissions (0700), as it writes secrets (like vault tokens) with world-readable permissions (0666) below this path. Right now, the nomad rc script creates data_dir (which is configured using nomad_dir in /etc/rc.conf) with the default umask if it doesn't exist.

The (untested, but hopefully trivial enough) attached patch fixes this by simply running chmod 0700 on the newly created directory. It is suitable to be applied using `git am`.

See also:
- https://github.com/hashicorp/nomad/issues/11900#issuecomment-1145503292 (discussion where I learned about this fact)
- https://www.nomadproject.io/docs/operations/nomad-agent#permissions
Any implications for quarterly users if this was merged in terms of manual intervention on upgrade or change in functionality?
(In reply to Kubilay Kocak from comment #1)

The patch only makes a difference on first start of the service (when creating the directory), so there is no effect on update.

It might make sense to *always* correct the directory permissions on service start though (which would be a slightly different patch), or to warn about it, or to refuse to start the service if permissions aren't strict enough, which would be more intrusive on update for existing users, but would also bring them the benefit of increased security. I guess it's up to the maintainer which approach to take; my patch is the least intrusive choice, only affecting new installations.
Created attachment 234420
Patch nomad startup script to make sure nomad data-dir has proper permissions

(In reply to Michael Gmelin from comment #2)

Actually, having slept on this, I think that extending the patch so it won't start nomad in case directory permissions are too lax might be a better route, as it makes sure that existing users correct file permissions. The new patch does exactly this: it checks whether permissions are correct and, if not, doesn't start the service and outputs a helpful error message. It also adds a pkg-message to explain the change. Only tested locally, no full poudriere QA done.
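The behaviour discussed in the comments above (create the data directory with 0700 when missing, otherwise refuse to start if it is group- or world-accessible, and print a helpful message) as an added illustration; this is example code written for this page, not the attached patch or the port's own rc script. The function names (`nomad_datadir_perms_ok`, `nomad_datadir_prepare`) and the idea of passing `$nomad_dir` from rc.conf are assumptions. It parses the mode string from `ls -ld` rather than calling `stat`, because the `stat` flags differ between FreeBSD and Linux.

```sh
#!/bin/sh
# Added example, not the FreeBSD port's patch. Assumed: the rc.conf variable
# nomad_dir holds Nomad's data_dir; function names are hypothetical.

# Return 0 when the directory exists and has no group/other permission bits
# (i.e. an effective mode of 0700 or stricter); 1 otherwise.
nomad_datadir_perms_ok() {
    _dir="$1"
    [ -d "$_dir" ] || return 1
    # First 10 characters of `ls -ld` are the type and rwx bits, portable
    # across FreeBSD and Linux (trailing '+' or '.' for ACLs is cut off).
    _mode=$(ls -ld "$_dir" | cut -c1-10)
    case "$_mode" in
        d???------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Create the directory with mode 0700 when it does not exist (mkdir -m sets
# the mode explicitly, so the caller's umask does not matter). When it does
# exist, verify its permissions and refuse to proceed if they are too lax.
nomad_datadir_prepare() {
    _dir="$1"
    if [ ! -d "$_dir" ]; then
        mkdir -p -m 0700 "$_dir" || return 1
    fi
    if ! nomad_datadir_perms_ok "$_dir"; then
        echo "nomad: refusing to start: $_dir is accessible by group or others;" \
             "Nomad stores secrets below data_dir, fix with: chmod 0700 $_dir" >&2
        return 1
    fi
    return 0
}

# Example wiring for an rc.d script (assumed): run the check before the
# daemon starts, so a failing check aborts `service nomad start`.
#   start_precmd="nomad_prestart"
#   nomad_prestart() { nomad_datadir_prepare "${nomad_dir}"; }
```

In a FreeBSD rc.d script this check would hang off `start_precmd`, whose non-zero exit aborts the start. The check intentionally looks only at the mode bits; an existing directory owned by the wrong user would still pass, so a real script should also compare the owner against the configured service user.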
I am currently updating the port. I should have v1.3.1 available soon with your patch applied. Thanks!
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=38014c3b12f4064e77d1b8fc9b1ac787e2ef270d

commit 38014c3b12f4064e77d1b8fc9b1ac787e2ef270d
Author:     John Hixson <jhixson@FreeBSD.org>
AuthorDate: 2022-06-09 23:43:57 +0000
Commit:     John Hixson <jhixson@FreeBSD.org>
CommitDate: 2022-06-09 23:49:10 +0000

    sysutils/nomad: update to v1.3.1

    Security fix for data_dir as discussed here:
    https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264425

    PR:          264425
    Reported by: Michael Gmeli <grembo@FreeBSD.org>

 sysutils/nomad/Makefile          | 216 +++++++++++----------
 sysutils/nomad/distinfo          | 394 ++++++++++++++++++++++-----------------
 sysutils/nomad/files/nomad.in    |  11 +-
 sysutils/nomad/pkg-message (new) |  15 ++
 4 files changed, 365 insertions(+), 271 deletions(-)