From 351c71673919b27d71ef2b01ad2937f61a12fd80 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Sat, 5 Jun 2021 17:37:38 +0200
Subject: [PATCH] allow non-key group users to access /run/secrets

This does not significantly decrease security while making it a lot more convinient. There are also services, where it is not possible to set the keys group i.e. if a daemon unsets all groups. Processes still won't be able to list other secrets if they are not in the secret group.
fixes #86
---
 pkgs/sops-install-secrets/main.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkgs/sops-install-secrets/main.go b/pkgs/sops-install-secrets/main.go
index 4645bbb..fe22505 100644
--- a/pkgs/sops-install-secrets/main.go
+++ b/pkgs/sops-install-secrets/main.go
@@ -254,7 +254,7 @@ func decryptSecrets(secrets []secret) error {
 const RAMFS_MAGIC int32 = -2054924042
 func mountSecretFs(mountpoint string, keysGid int) error {
- if err := os.MkdirAll(mountpoint, 0750); err != nil {
+ if err := os.MkdirAll(mountpoint, 0751); err != nil {
 return fmt.Errorf("Cannot create directory '%s': %w", mountpoint, err)
 }
@@ -263,7 +263,7 @@ func mountSecretFs(mountpoint string, keysGid int) error {
 return fmt.Errorf("Cannot get statfs for directory '%s': %w", mountpoint, err)
 }
 if int32(buf.Type) != RAMFS_MAGIC {
- if err := unix.Mount("none", mountpoint, "ramfs", unix.MS_NODEV|unix.MS_NOSUID, "mode=0750"); err != nil {
+ if err := unix.Mount("none", mountpoint, "ramfs", unix.MS_NODEV|unix.MS_NOSUID, "mode=0751"); err != nil {
 return fmt.Errorf("Cannot mount: %s", err)
 }
 }
@@ -296,7 +296,7 @@ func prepareSecretsDir(secretMountpoint string, linkName string, keysGid int) (*
 return nil, fmt.Errorf("Cannot remove existing %s: %w", dir, err)
 }
 }
- if err := os.Mkdir(dir, os.FileMode(0750)); err != nil {
+ if err := os.Mkdir(dir, os.FileMode(0751)); err != nil {
 return nil, fmt.Errorf("mkdir(): %w", err)
 }
 if err := os.Chown(dir, 0, int(keysGid)); err != nil {
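Review bot: Opening the mountpoint to `o+x` in the MkdirAll call means the directory no longer shields secrets from local users outside the keys group; from here on the per-file mode and owner of each secret are the only access control, and secret paths under /run/secrets follow the configured names, so "cannot list" does not mean "cannot reach". That invariant should live next to the code so nobody later relaxes a per-file default: `// o+x: services outside the keys group may traverse to their own secret by path; each secret file's mode/owner is therefore the sole access control`. Note also that MkdirAll applies the process umask and leaves the mode of an already existing directory untouched, so the `mode=0751` mount option in the next hunk, not this call, is what actually yields 0751 on the mountpoint. mountSecretFs continues past the end of this hunk.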
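Review bot: `os.Mkdir(dir, os.FileMode(0751))` passes the mode through the process umask, so with a umask of 0027 or 0077 the `o+x` bit this commit relies on is silently dropped and the per-generation directory stays 0750 or 0700 while the ramfs mountpoint is 0751; unlike the mount option in mountSecretFs, nothing here sets the mode unconditionally. If traversal by non-keys-group users is meant to be a guarantee rather than best effort, follow the Chown on the last line with `if err := os.Chmod(dir, 0751); err != nil { return nil, fmt.Errorf("chmod(): %w", err) }`, which also makes the intent explicit in code. Whether a later Chmod already exists cannot be seen here, since prepareSecretsDir continues outside the hunk.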