From 76ed511e1808d46c917171abde062c20a1db17a9 Mon Sep 17 00:00:00 2001 From: akshya96 <87045294+akshya96@users.noreply.github.com> Date: Fri, 8 Apr 2022 12:27:04 -0700 Subject: [PATCH] Vault 3992 documentation changes (#14918) * doc changes * adding config changes * adding changes to plugins * using include * making doc changes * adding newline --- website/content/docs/configuration/index.mdx | 17 +++++++++++++++++ website/content/docs/plugins/index.mdx | 2 ++ .../docs/plugins/plugin-architecture.mdx | 8 +++++--- .../partials/plugin-file-permissions-check.mdx | 5 +++++ 4 files changed, 29 insertions(+), 3 deletions(-) create mode 100644 website/content/partials/plugin-file-permissions-check.mdx diff --git a/website/content/docs/configuration/index.mdx b/website/content/docs/configuration/index.mdx index c85843140c..210159f345 100644 --- a/website/content/docs/configuration/index.mdx +++ b/website/content/docs/configuration/index.mdx @@ -8,6 +8,11 @@ description: Vault server configuration reference. Outside of development mode, Vault servers are configured using a file. The format of this file is [HCL](https://github.com/hashicorp/hcl) or JSON. + +By default, Vault expects the config directory and files to be owned by the +user running Vault. It also expects no write or execute permissions for group or others. +This check can be disabled via the environment variable `VAULT_DISABLE_FILE_PERMISSIONS_CHECK`. + An example configuration is shown below: ```javascript 
@@ -117,6 +122,18 @@ to specify where the configuration is. allowed to be loaded. Vault must have permission to read files in this directory to successfully load plugins, and the value cannot be a symbolic link. + @include 'plugin-file-permissions-check.mdx' + +- `plugin_file_uid` `(integer: 0)` – Uid of the plugin directories and plugin binaries. + By default, Vault expects the plugin directory and plugin binaries to be owned by + the user running Vault. This check can be disabled via the environment variable + `VAULT_DISABLE_FILE_PERMISSIONS_CHECK`. + +- `plugin_file_permissions` `(string: "")` – Octal permission string of the plugin + directories and plugin binaries. By default, Vault expects no write or execute + permissions for group or others. This check can be disabled via the environment variable + `VAULT_DISABLE_FILE_PERMISSIONS_CHECK`. + - `telemetry` `([Telemetry][telemetry]: )` – Specifies the telemetry reporting system. diff --git a/website/content/docs/plugins/index.mdx b/website/content/docs/plugins/index.mdx index ca7fd6415f..7cc5ee631a 100644 --- a/website/content/docs/plugins/index.mdx +++ b/website/content/docs/plugins/index.mdx @@ -12,6 +12,8 @@ allows both built-in and external plugins to be treated like Legos. Any plugin can exist at multiple different locations. Different versions of a plugin may be at each location, with each version differing from Vault's version. +@include 'plugin-file-permissions-check.mdx' + ## Built-In Plugins Built-in plugins are shipped with Vault, often for commonly used implementations, diff --git a/website/content/docs/plugins/plugin-architecture.mdx b/website/content/docs/plugins/plugin-architecture.mdx index 4840802032..4fa5fd4cae 100644 --- a/website/content/docs/plugins/plugin-architecture.mdx +++ b/website/content/docs/plugins/plugin-architecture.mdx 
@@ -92,9 +92,11 @@ cannot be added to Vault unless it exists in the plugin directory. There is no default for this configuration option, and if it is not set, plugins cannot be added to Vault. -~> Warning: A Vault operator should take caution and lock down the permissions on -this directory to ensure a plugin cannot be modified by an unauthorized user -between the time of the SHA check and the time of plugin execution. +~> Warning: By default, Vault expects the plugin directory and files to be owned by the +user running Vault. It also expects no write or execute permissions for group or others. +Vault allows operators to specify the user and permissions of the plugin directory and binaries +using parameters `plugin_file_uid` and `plugin_file_permissions` in config if an operator needs those to be different. +This check can be disabled via the environment variable `VAULT_DISABLE_FILE_PERMISSIONS_CHECK`. ### Plugin Catalog diff --git a/website/content/partials/plugin-file-permissions-check.mdx b/website/content/partials/plugin-file-permissions-check.mdx new file mode 100644 index 0000000000..56a9c04a86 --- /dev/null +++ b/website/content/partials/plugin-file-permissions-check.mdx @@ -0,0 +1,5 @@ +By default, Vault expects the plugin directory and files to be owned by the +user running Vault. It also expects no write or execute permissions for group or others. +Vault allows operators to specify the user and permissions of the plugin directory and binaries +using parameters `plugin_file_uid` and `plugin_file_permissions` if an operator needs those to be different. +This check can be disabled via the environment variable `VAULT_DISABLE_FILE_PERMISSIONS_CHECK`. \ No newline at end of file
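Review bot: in the configuration/index.mdx hunk at `@@ -8,6 +8,11 @@`, the new paragraph says the ownership and mode check "can be disabled via the environment variable `VAULT_DISABLE_FILE_PERMISSIONS_CHECK`" but does not say what value the variable takes or what Vault does when the check fails (refuse to start, or only log a warning); both matter to an operator reading a configuration reference, so state them here. "config directory and files" would also read more precisely as "the configuration directory and the files in it".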
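Review bot: in the configuration/index.mdx hunk at `@@ -117,6 +122,18 @@`, `plugin_file_uid` is listed with default `(integer: 0)` while the sentence after it says the default owner is the user running Vault; a reader will take `0` to mean uid 0 (root) must own the plugin directory, so spell out that `0` means unset and falls back to the Vault process user. For `plugin_file_permissions` `(string: "")`, give one example octal string and say whether the check requires an exact match of the mode or only that group and others have no write or execute bits. Also, the `+ @include 'plugin-file-permissions-check.mdx'` line is indented inside the `plugin_directory` bullet; confirm the MDX renderer emits the partial as part of that list item rather than terminating the list.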
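Review bot: in the plugins/index.mdx hunk at `@@ -12,6 +12,8 @@`, the included partial names `plugin_file_uid` and `plugin_file_permissions` but this overview page gives the reader no pointer to where those parameters are defined; add a link from the partial (or next to the include) to the plugin parameters in the server configuration reference.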
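Review bot: in the plugin-architecture.mdx hunk at `@@ -92,9 +92,11 @@`, the replaced warning drops the rationale the old text carried, that a plugin must not be modifiable by an unauthorized user between the SHA check and plugin execution; the new text only states the expected owner and mode, so keep one sentence explaining that the ownership and permission check exists to close exactly that window. The four added lines are also a verbatim copy of the new partial, so use `@include 'plugin-file-permissions-check.mdx'` here as the other two files do; the two copies already differ (this one says "in config", the partial does not) and will keep drifting.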
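Review bot: the new file plugin-file-permissions-check.mdx still ends with `\ No newline at end of file` although the last commit-message bullet is "adding newline"; add the trailing newline so the partial does not run into whatever follows the `@include`. Its wording "using parameters `plugin_file_uid` and `plugin_file_permissions` if an operator needs those to be different" should also match the plugin-architecture.mdx copy, which says "in config".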