etcdctl snapshot save should restrict file permissions so only the user can read the file #9976

Closed
dlipovetsky opened this issue Aug 2, 2018 · 2 comments

@dlipovetsky
Contributor

I noticed this, and I couldn't think of a reason why the snapshot, by default, should be readable by anyone but the user.

```
$ etcdctl version
etcdctl version: 3.3.3
API version: 3.3
$ whoami
root
$ etcdctl snapshot save ~/etcd.snapshot
Snapshot saved at /root/etcd.snapshot
$ ls -al ~/etcd.snapshot
-rw-r--r--. 1 root root 3473440 Aug  2 01:42 /root/etcd.snapshot
```

@hexfusion
Contributor

@dlipovetsky, so instead of 0644 -rw-r--r-- maybe 0600 -rw------- would be a safer permission given the possible sensitive nature of the data. But if the directory it is stored in has the correct permissions then the file is not actually readable by another user. This would be the case of the /root directory in most cases; mine is 0710 drwx--x---.

But etcdctl can't be responsible for its surroundings so I think it's a good idea in general, are you interested in exploring this? I can't think of any reason to not restrict the perms honestly.

@dlipovetsky
Contributor Author

dlipovetsky commented Aug 2, 2018

@hexfusion Agree 100%. Thanks for taking a look!

I'll work on a PR.

dlipovetsky pushed a commit to dlipovetsky/etcd that referenced this issue Aug 2, 2018
dlipovetsky pushed a commit to dlipovetsky/etcd that referenced this issue Aug 2, 2018
dlipovetsky pushed a commit to dlipovetsky/etcd that referenced this issue Aug 8, 2018
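
Added example, not part of the thread and not etcdctl's own code: one way a Go tool can write a snapshot-like file so that it is 0600 from the moment it is created, without relying on the permissions of the directory it lands in. The helper name `writePrivate`, the temp-file pattern and the sample bytes are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// writePrivate streams src into path so that the result has mode 0600.
// Hypothetical helper for illustration; not etcdctl's implementation.
func writePrivate(path string, src io.Reader) error {
	// os.CreateTemp creates the file with mode 0600, so the data is never
	// group- or world-readable, even while the write is still in progress.
	tmp, err := os.CreateTemp(filepath.Dir(path), ".snapshot-*.part")
	if err != nil {
		return err
	}
	defer os.Remove(tmp.Name()) // fails harmlessly after a successful rename

	_, err = io.Copy(tmp, src)
	if cerr := tmp.Close(); err == nil {
		err = cerr
	}
	if err != nil {
		return err
	}
	// Rename replaces an existing file at path. Opening that file with
	// os.OpenFile(..., 0600) instead would keep its old mode, because the
	// perm argument only applies when the file is created.
	return os.Rename(tmp.Name(), path)
}

func main() {
	dir, _ := os.MkdirTemp("", "demo")
	defer os.RemoveAll(dir)
	p := filepath.Join(dir, "etcd.snapshot")

	// Constructed sample: a stale 0644 file left behind by an earlier run.
	os.WriteFile(p, []byte("old"), 0644)
	if err := writePrivate(p, strings.NewReader("constructed snapshot bytes")); err != nil {
		panic(err)
	}
	fi, _ := os.Stat(p)
	fmt.Printf("%s %04o\n", p, fi.Mode().Perm())
}
```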