Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Backport 1.4.1: Ensure that the .vault-token file writen by vault login always has the correct permissions and ownership. #8869

Merged
merged 1 commit into from
Apr 28, 2020
Merged

Backport 1.4.1: Ensure that the .vault-token file writen by vault login always has the correct permissions and ownership. #8869

merged 1 commit into from
Apr 28, 2020

Conversation

ncabatoff
Copy link
Collaborator

No description provided.

@ncabatoff ncabatoff added this to the 1.4.1 milestone Apr 28, 2020
@ncabatoff ncabatoff requested a review from calvn April 28, 2020 16:33
@ncabatoff ncabatoff merged commit d235b10 into release/1.4.x Apr 28, 2020
@ncabatoff ncabatoff deleted the backport-pr-8867-1.4.x branch April 28, 2020 17:05
@fernando-villalba
Copy link

Just out of curiosity, what sort of problem does this solve? This totally broke the way I was creating the token files with docker. The below used to work up until this fix was implemented. I think it has something to do how you create a tmp file and then move back to the actual file.

#!/bin/bash
# Hacky solution for this problem: https://github.com/hashicorp/vault/issues/712
# You can use this script instead of the vault native macOS binary which doesn't work with private VPN DNS zones.


VAULT_FILE="$HOME/.vault-token"
AWS_SETTINGS="$HOME/.aws/credentials"
docker run --rm -it \
    -v $(pwd):/workspace \
    -w /workspace \
    -p 8250:8250 \
    -v $AWS_SETTINGS:/root/.aws/credentials \
    -e AWS_PROFILE=vlt-dev-assume \
    -v $VAULT_FILE:/root/.vault-token \
    -e VAULT_ADDR=https://vault-address.com \
    vault:1.4.2 /bin/vault "$@"

This is the error I get now:

Error storing token: rename /root/.vault-token.tmp /root/.vault-token: device or resource busy
Authentication was successful, but the token was not persisted. The resulting
token is shown below for your records.

What would be even more amazing is to actual release binaries for mac where you don't have to do the hacky solution with private hosted zones.

@ncabatoff
Copy link
Collaborator Author

It was a security recommendation from an audit: without this change, if someone had the ownership or perms of the .vault-token file set wrong, it could've allowed for stealing the token. I tried to do it without a rename, but there wasn't a safe portable way to do it that I could find.

Please open a new issue for your problem(s) - I can't guarantee we'll fix them, but that's the better place to have this discussion, rather than an already merged PR.

@fernando-villalba
Copy link

I just wanted some clarification. I won't open an issue for this as it seems it's not affecting that many people. Just wanted to make you aware of a side effect of the implementation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@calvn calvn calvn approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
1.4.1
Development

Successfully merging this pull request may close these issues.
3 participants
@ncabatoff @fernando-villalba @calvn