Vault 3992 ToB Config and Plugins Permissions (#14817)

* updating changes from ent PR * adding changelog * fixing err * fixing semgrep error
2025-11-01 19:17:58 +00:00 · 2022-04-04 09:45:41 -07:00
parent 59451c27e9
commit 8352661b35
19 changed files with 443 additions and 12 deletions
--- a/command/server/config.go
+++ b/command/server/config.go
@@ -16,7 +16,9 @@ import (
 	"github.com/hashicorp/go-secure-stdlib/parseutil"
 	"github.com/hashicorp/hcl"
 	"github.com/hashicorp/hcl/hcl/ast"
+	"github.com/hashicorp/vault/helper/osutil"
 	"github.com/hashicorp/vault/internalshared/configutil"
+	"github.com/hashicorp/vault/sdk/helper/consts"
 )

 var entConfigValidate = func(_ *Config, _ string) []configutil.ConfigError {
@@ -54,6 +56,11 @@ type Config struct {

 	PluginDirectory string `hcl:"plugin_directory"`

+	PluginFileUid int `hcl:"plugin_file_uid"`
+
+	PluginFilePermissions    int         `hcl:"-"`
+	PluginFilePermissionsRaw interface{} `hcl:"plugin_file_permissions,alias:PluginFilePermissions"`
+
 	EnableRawEndpoint    bool        `hcl:"-"`
 	EnableRawEndpointRaw interface{} `hcl:"raw_storage_endpoint,alias:EnableRawEndpoint"`

@@ -127,7 +134,6 @@ telemetry {
 	prometheus_retention_time = "24h"
 	disable_hostname = true
 }
-
 enable_raw_endpoint = true

 storage "%s" {
@@ -276,6 +282,17 @@ func (c *Config) Merge(c2 *Config) *Config {
 		result.PluginDirectory = c2.PluginDirectory
 	}

+	result.PluginFileUid = c.PluginFileUid
+	if c2.PluginFileUid != 0 {
+		result.PluginFileUid = c2.PluginFileUid
+	}
+
+	result.PluginFilePermissions = c.PluginFilePermissions
+	if c2.PluginFilePermissionsRaw != nil {
+		result.PluginFilePermissions = c2.PluginFilePermissions
+		result.PluginFilePermissionsRaw = c2.PluginFilePermissionsRaw
+	}
+
 	result.DisablePerformanceStandby = c.DisablePerformanceStandby
 	if c2.DisablePerformanceStandby {
 		result.DisablePerformanceStandby = c2.DisablePerformanceStandby
@@ -350,6 +367,13 @@ func LoadConfig(path string) (*Config, error) {
 	}

 	if fi.IsDir() {
+		// check permissions on the config directory
+		if os.Getenv(consts.VaultDisableFilePermissionsCheckEnv) != "true" {
+			err = osutil.OwnerPermissionsMatch(path, 0, 0)
+			if err != nil {
+				return nil, err
+			}
+		}
 		return CheckConfig(LoadConfigDir(path))
 	}
 	return CheckConfig(LoadConfigFile(path))
@@ -385,6 +409,21 @@ func LoadConfigFile(path string) (*Config, error) {
 		return nil, err
 	}

+	if os.Getenv(consts.VaultDisableFilePermissionsCheckEnv) != "true" {
+		// check permissions of the config file
+		err = osutil.OwnerPermissionsMatch(path, 0, 0)
+		if err != nil {
+			return nil, err
+		}
+		// check permissions of the plugin directory
+		if conf.PluginDirectory != "" {
+
+			err = osutil.OwnerPermissionsMatch(conf.PluginDirectory, conf.PluginFileUid, conf.PluginFilePermissions)
+			if err != nil {
+				return nil, err
+			}
+		}
+	}
 	return conf, nil
 }

@@ -459,6 +498,18 @@ func ParseConfig(d, source string) (*Config, error) {
 		}
 	}

+	if result.PluginFilePermissionsRaw != nil {
+		octalPermissionsString, err := parseutil.ParseString(result.PluginFilePermissionsRaw)
+		if err != nil {
+			return nil, err
+		}
+		pluginFilePermissions, err := strconv.ParseInt(octalPermissionsString, 8, 64)
+		if err != nil {
+			return nil, err
+		}
+		result.PluginFilePermissions = int(pluginFilePermissions)
+	}
+
 	if result.DisableSentinelTraceRaw != nil {
 		if result.DisableSentinelTrace, err = parseutil.ParseBool(result.DisableSentinelTraceRaw); err != nil {
 			return nil, err
@@ -838,6 +889,10 @@ func (c *Config) Sanitized() map[string]interface{} {

 		"plugin_directory": c.PluginDirectory,

+		"plugin_file_uid": c.PluginFileUid,
+
+		"plugin_file_permissions": c.PluginFilePermissions,
+
 		"raw_storage_endpoint": c.EnableRawEndpoint,

 		"api_addr":           c.APIAddr,
--- a/command/server/config_test_helpers.go
+++ b/command/server/config_test_helpers.go
@@ -694,6 +694,8 @@ func testConfig_Sanitized(t *testing.T) {
 		"disable_indexing":                    false,
 		"disable_mlock":                       true,
 		"disable_performance_standby":         false,
+		"plugin_file_uid":                     0,
+		"plugin_file_permissions":             0,
 		"disable_printable_check":             false,
 		"disable_sealwrap":                    true,
 		"raw_storage_endpoint":                true,
@@ -855,6 +857,7 @@ func testParseSockaddrTemplate(t *testing.T) {
 api_addr = <<EOF
 {{- GetAllInterfaces | include "flags" "loopback" | include "type" "ipv4" | attr "address" -}}
 EOF
+
 listener "tcp" {
 	address = <<EOF
 {{- GetAllInterfaces | include "flags" "loopback" | include "type" "ipv4" | attr "address" -}}:443