Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

install: restrict access permissions on /boot/ignition{,/config.ign} #571

Merged
merged 1 commit into from
Jul 7, 2021
Merged

install: restrict access permissions on /boot/ignition{,/config.ign} #571

merged 1 commit into from
Jul 7, 2021

Conversation

bgilbert
Copy link
Contributor

@bgilbert bgilbert commented Jul 6, 2021
edited
Loading

The Ignition config may contain secrets. Don't expose it, or anything in its parent directory, to unprivileged processes.

@bgilbert bgilbert mentioned this pull request Jul 6, 2021
Closed
travier
travier reviewed Jul 6, 2021
View reviewed changes
src/install.rs Show resolved Hide resolved
@bgilbert bgilbert changed the title install: set Ignition config file mode to 0600 install: restrict access permissions on /boot/ignition{,/config.ign} Jul 6, 2021
@bgilbert
Copy link
Contributor Author

bgilbert commented Jul 6, 2021

Updated.

@travier
Copy link
Member

travier commented Jul 7, 2021

This might benefit from a conversion to https:/coreos/openat-ext but this can definitely be done later.

@jlebon
Copy link
Member

jlebon commented Jul 7, 2021

Probably worth mentioning coreos/fedora-coreos-tracker#889 in the commit message for posterity.

On the other side of this, we should consider deleting the file after it's used. This is discussed in the tracker issue.

@bgilbert
install: restrict access permissions on /boot/ignition{,/config.ign}
2a36405 
The Ignition config may contain secrets.  Don't expose it, or anything in
its parent directory, to unprivileged processes.

coreos/fedora-coreos-tracker#889
@bgilbert bgilbert enabled auto-merge July 7, 2021 19:57
@bgilbert bgilbert merged commit 9b1711c into coreos:main Jul 7, 2021
@bgilbert bgilbert deleted the perms branch July 7, 2021 20:49
@jlebon jlebon mentioned this pull request Jul 8, 2021
Merged
jlebon added a commit to jlebon/fedora-coreos-config that referenced this pull request Jul 13, 2021
@jlebon
overrides: fast-track coreos-installer-0.9.1-2.fc34
e0056d6 
Contains backport of coreos/coreos-installer#571
for coreos/fedora-coreos-tracker#889.
@jlebon jlebon mentioned this pull request Jul 13, 2021
Merged
jlebon added a commit to coreos/fedora-coreos-config that referenced this pull request Jul 13, 2021
@jlebon
overrides: fast-track coreos-installer-0.9.1-2.fc34
49141cc 
Contains backport of coreos/coreos-installer#571
for coreos/fedora-coreos-tracker#889.
HuijingHei pushed a commit to HuijingHei/fedora-coreos-config that referenced this pull request Oct 10, 2023
@jlebon @HuijingHei
overrides: fast-track coreos-installer-0.9.1-2.fc34
0de22ce 
Contains backport of coreos/coreos-installer#571
for coreos/fedora-coreos-tracker#889.
HuijingHei pushed a commit to HuijingHei/fedora-coreos-config that referenced this pull request Oct 10, 2023
@jlebon @HuijingHei
overrides: fast-track coreos-installer-0.9.1-2.fc34
846bde6 
Contains backport of coreos/coreos-installer#571
for coreos/fedora-coreos-tracker#889.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jlebon jlebon jlebon approved these changes

@travier travier travier approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@bgilbert @travier @jlebon