Habitat provisioner creates config file with world-readable permissions #24273
Hi all,
Just noticed that the user.toml file the Habitat Provisioner for Terraform creates has world-readable permissions from the top-level of the filesystem all the way down:
# ls -larh /hab/user/<service_name>/config/user.toml
-rw-r--r-- 1 ubuntu ubuntu 106 Mar 3 18:26 /hab/user/<service_name>/config/user.toml
# ls -lahd /hab/user/<service_name>/config
drwxr-xr-x 2 root root 4.0K Mar 3 18:26 /hab/user/<service_name>/config
# ls -lahd /hab/user/<service_name>
drwxr-xr-x 3 root root 4.0K Feb 21 11:37 /hab/user/<service_name>
# ls -lahd /hab/user
drwxr-xr-x 5 root root 4.0K Feb 28 15:22 /hab/user
# ls -lahd /hab
drwxr-xr-x 9 root root 4.0K Feb 21 11:37 /hab
Since injected/updated configs can contain secrets this is definitely not ideal…
Terraform Version
% terraform --version
Terraform v0.12.21
Terraform Configuration Files
provisioner "habitat" {
  use_sudo           = true
  service_type       = "systemd"
  accept_license     = true
  service_name       = "supervisor"
  builder_auth_token = var.HAB_AUTH_TOKEN

  service {
    user_toml = <<FILE
aws_access_key_id = "${var.aws_access_key_id}"
aws_secret_access_key = "${var.aws_secret_access_key}"
FILE
    name     = "<origin>/<service_name>"
    strategy = "at-once"
    channel  = var.environment
  }
}
Expected Behavior
The file /hab/user/<service_name>/config/user.toml should have been accessible only to the root user and the service user (usually hab).
Actual Behavior
The file and parent directories had world-readable permissions.
Steps to Reproduce
Create any service using the Habitat provisioner for Terraform, implementing the user_toml attribute. The created file will have world-readable permissions.
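One way to detect and tighten this on a provisioned host, as an added example that is not part of the issue or of the Terraform provisioner: walk from user.toml up through its parent directories and report every component that grants any access to "other", then strip the other-bits from the file and its config directory. The service name "supervisor", the group argument and the temporary tree built by make_sample_tree are assumptions for demonstration.

```shell
#!/bin/sh
# Added example (not from the issue): audit the permission chain of a Habitat
# user.toml and tighten the file and its config directory.

# Print offenders from PATH up to (but excluding) STOP (default "/").
# Returns 0 when no component grants read/search/write to "other".
audit_user_toml() {
    p="$1"; stop="${2:-/}"; n=0
    while [ "$p" != "$stop" ] && [ "$p" != "/" ]; do
        o=$(ls -ld "$p" | cut -c8-10)          # the three "other" mode chars
        if [ "$o" != "---" ]; then
            printf 'world-accessible: %s (other=%s)\n' "$p" "$o"
            n=$((n + 1))
        fi
        p=$(dirname "$p")
    done
    [ "$n" -eq 0 ]
}

# Number of world-accessible components on the chain (for scripting/alerting).
count_world_accessible() {
    audit_user_toml "$1" "$2" | wc -l | tr -d ' '
}

# Tighten the file (owner rw, group r) and its config dir (owner rwx, group rx).
# Optional second argument: the service group (e.g. "hab") to give read access to.
harden_user_toml() {
    f="$1"; grp="${2:-}"
    chmod 0640 "$f"
    chmod 0750 "$(dirname "$f")"
    if [ -n "$grp" ]; then chgrp "$grp" "$f" "$(dirname "$f")"; fi
}

# Constructed sample tree mimicking the permissions shown in the issue
# (755 directories, 644 file). Prints the temporary root it created.
make_sample_tree() {
    root=$(mktemp -d)
    d="$root/hab/user/supervisor/config"
    mkdir -p "$d"
    printf 'aws_access_key_id = "CONSTRUCTED-SAMPLE"\n' > "$d/user.toml"
    chmod 755 "$root/hab" "$root/hab/user" "$root/hab/user/supervisor" "$d"
    chmod 644 "$d/user.toml"
    printf '%s\n' "$root"
}

# Demo on the constructed tree, never on a live /hab.
demo_root=$(make_sample_tree)
audit_user_toml "$demo_root/hab/user/supervisor/config/user.toml" "$demo_root" || true
rm -rf "$demo_root"
```

Run against a real host as `audit_user_toml /hab/user/<service_name>/config/user.toml` (needs root to stat every level); the chown to root:<service group> is left to the operator because the group name varies per deployment.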