vault: chown config dir to service user

[Goorzhel]

Dunno why I missed this before, but:

$ sudo -u _vault vault server -config=/etc/vault
Password:
error loading configuration from /etc/vault: open /etc/vault: permission denied
$ sudo chown _vault:_vault /etc/vault
$ sudo -u _vault vault server -config=/etc/vault
==> Vault server configuration:
<...>

[Goorzhel]

@the-maldridge

[ericonr]

You're missing a revbump.

[the-maldridge]

Hmm, I'm not 100% sure this doesn't break the vault CLI. Can you verify that that's the case?

[Goorzhel]

CLI seems to work okay:

$ ./xbps-src pkg vault && xi vault
<...>
vault-1.6.1_1: updating to 1.6.1_2 ...
<...>
$ sudo sv start vault
ok: run: vault: (pid 19733) 1s
$ vault --version
Vault v1.6.1 (6d2db3f033e02e70202bef9ec896360062b88b03) (cgo)
$ vault operator unseal
<...>
$ vault login
Token (will be hidden):
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
<...>
$ vault secrets list | sed -E 's/_[a-z0-9]+/_<...>/'
Path          Type         Accessor              Description
----          ----         --------              -----------
cubbyhole/    cubbyhole    cubbyhole_<...>    per-token private secret storage
identity/     identity     identity_<...>     identity store
secret/       kv           kv_<...>           n/a
sys/          system       system_<...>       system endpoints used for control, policy and debugging

[ericonr]

@the-maldridge ok to merge?

[Goorzhel]

@the-maldridge: okay to merge?

[Goorzhel]

This branch cannot be rebased due to conflicts

Hmm, I did resolve said conflicts through GitHub's UI, but there could be something else I'm missing. I'll just rebase my own branch.

[Goorzhel]

@the-maldridge: okay to merge? I re-ran the previous steps on 1.8.2_2 without error.

[Duncaen]

Does it actually need write permissions?

[Goorzhel]

$ sudo strace -u _vault -fo /tmp/uhhh vault server -config=/etc/vault &>/dev/null &
[1] 17454
$ grep etc.vault /tmp/uhhh
17458 execve("/usr/bin/vault", ["vault", "server", "-config=/etc/vault"], 0x7ffe62e284c0 /* 14 vars */) = 0
17471 newfstatat(AT_FDCWD, "/etc/vault",  <unfinished ...>
17471 openat(AT_FDCWD, "/etc/vault", O_RDONLY|O_CLOEXEC) = 8
17471 newfstatat(AT_FDCWD, "/etc/vault/config.hcl", {st_mode=S_IFREG|0644, st_size=194, ...}, AT_SYMLINK_NOFOLLOW) = 0
17471 openat(AT_FDCWD, "/etc/vault/config.hcl", O_RDONLY|O_CLOEXEC) = 9

Hmmm. Might not.

[the-maldridge]

No, vault only needs to read this directory.

[Duncaen]

I think I would go with 750 and make the owner root and the group _vault if those files are supposed to be only read by the vault user.

[ericonr]

ok to merge?