feat: set 755 permissions for custom ca paths #6041
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
UtheMan
requested review from
juan-lee,
cameronmeissner,
ganeshkumarashok,
anujmaheshwari1,
AlisonB319,
Devinwong,
lilypan26,
AbelHu,
junjiezhang1997,
jason1028kr,
djsly,
phealy,
r2k1,
timmy-wright,
zachary-bailey,
bravebeaver and
smith1511
as code owners
UtheMan
force-pushed
the
mikolaj/adjust-custom-ca-perms
branch
from
58506bc to
94423e9
Compare
bcho
approved these changes
Mar 19, 2025
| @@ -135,6 +135,7 @@ configureHTTPProxyCA() { | |||
|
|
|||
| configureCustomCaCertificate() { | |||
| mkdir -p /opt/certs | |||
| chmod 1755 /opt/certs | |||
There was a problem hiding this comment.
do we put anything else in this dir?
There was a problem hiding this comment.
As far as I know we only use this for custom ca feature. I checked RP/AB and it only appears in paths related to custom ca.
There was a problem hiding this comment.
might be worth leaving a comment clarifying that we don't use this dir for anything else
UtheMan
commented
Mar 19, 2025
| @@ -52,7 +52,7 @@ systemctlEnableAndStart disk_queue 30 || exit 1 | |||
| capture_benchmark "${SCRIPT_NAME}_copy_packer_files_and_enable_logging" | |||
|
|
|||
| mkdir /opt/certs | |||
| chmod 1666 /opt/certs | |||
| chmod 1755 /opt/certs | |||
There was a problem hiding this comment.
@zachary-bailey I modified this here as well, that should be enough right? Or is there some other place you were thinking of?
cameronmeissner
approved these changes
Mar 19, 2025
zachary-bailey
approved these changes
Mar 19, 2025
|
No changes to cached containers or packages on Windows VHDs |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adjusts permissions for
/opt/certsdirectory used by custom ca feature to755We use
755to match permissions used forusr/local/share/ca-certficatespath, which is the path that is checked by theupdate-ca-certificatestool that updates the trust store. This is to stop anyone from being able to add a file to the path that installs custom CAs in the trust store when feature is used on the node.