New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
vault-password: ensure other users can't read vault password #11756
vault-password: ensure other users can't read vault password #11756
Conversation
I'm not sure we want this, many times a group shares a vault file, permissions should be up to the user as the context can vary. |
I took inspiration for this from other common utilities like ssh-agent and postgresql that will fail when given overly permissive files. Example from postgresql documentation:
I do follow you that this would be a nuisance to some subset of users (though I doubt many), but this is such an important security consideration that I'd argue for the interests of the majority of users, who will be better served by the more restrictive default. (Ideally I'd even like to confirm that the file isn't tracked by git or other revision control systems, but that's for another pull request.) |
I don't think it is a minority as vault is frequently used within a team setting, I would make it into a config enforce_vault_permissions=0440, for example. |
That makes sense to me: if |
@billwanjohi This PR was tested by travis-ci.org, which is no longer used. Please rebase your branch to trigger running of current tests. |
@billwanjohi This PR was tested by travis-ci.org, which is no longer used. Please rebase your branch to trigger running of current tests. |
@billwanjohi Greetings! Thanks for taking the time to open this pullrequest. In order for the community to handle your pullrequest effectively, we need a bit more information. Here are the items we could not find in your description:
Please set the description of this pullrequest with this template: |
I don't think this relates very well to ssh-agent or pgsql |
This is about the vault password file, not the vault data files themselves. That is, the |
Right. Sorry for the confusion.
Therefore, it probably make sense to have a warning for the others, but like suggested by @bcoca, the group is probably useful for teams.
… On 23 Nov 2019, at 19:30, Kenyon Ralph ***@***.***> wrote:
I don't think this relates very well to ssh-agent or pgsql .pgpass file that are clear text. Ansible vault like is encrypted, which means that even if you have access to it, you cannot read its content. Limiting the permission too is nice, but if it's not done, I don't think it deserves any warning. cc @bcoca
This is about the vault password file, not the vault data files themselves. That is, the --vault-password-file referred to in ansible-vault.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub, or unsubscribe.
|
IMO if a group is sharing a vault, each user should have their own password file (if they want). That way restrictive permissions could be enforced as suggested. |
closing due to inactivity, if the proposed modifications are addressed, feel free to resubmit as a new PR. |
SUMMARY
Take 2 on #11754, this time on live code, and after testing locally.
ISSUE TYPE
Feature Pull Request
COMPONENT NAME
lib/ansible/cli/init.py
ANSIBLE VERSION
2.3
ADDITIONAL INFORMATION