Page MenuHomeFreeBSD

security/vault: explicitly set class to daemon so that rc.d script can run with mlock enabled
ClosedPublic

Authored by dch on Apr 23 2019, 8:50 AM.
Tags
None
Referenced Files
Unknown Object (File)
Thu, Dec 12, 12:10 PM
Unknown Object (File)
Fri, Nov 29, 5:17 PM
Unknown Object (File)
Mon, Nov 25, 5:34 PM
Unknown Object (File)
Sat, Nov 23, 1:52 PM
Unknown Object (File)
Sat, Nov 23, 6:43 AM
Unknown Object (File)
Nov 21 2024, 2:35 PM
Unknown Object (File)
Nov 14 2024, 1:41 PM
Unknown Object (File)
Nov 8 2024, 11:00 AM
Subscribers
None

Details

Summary

rc.d script is missing mlock capabilities

Not sure how to best communicate this change to port users, as existing
people are stuck with it. pkg message, or UPDATING?

See https://github.com/hashicorp/vault/issues/6340 for background.

Diff Detail

Repository
rP FreeBSD ports repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

Could you give a short description of the change here? If I am recalling the password format correctly, you are changing the login class. Is that correct? What does this fix/solve wrt to the missing mlock capabilities?

In D20025#430403, @jrm wrote:

Could you give a short description of the change here? If I am recalling the password format correctly, you are changing the login class. Is that correct? What does this fix/solve wrt to the missing mlock capabilities?

sure.

vault is a secrets store, where data is encrypted at rest, and uses Shamir secret sharing (m of n keys required to unlock) at run-time to decrypt all secrets. This master secret is ... super secret so we don't want it anywhere other than volatile ram. Anybody using the built-in user is potentially at risk from the master secret being available in swap.

We need mlock support to ensure that the secret key isn't paged out to disk. The default user class doesn't allow this, so we need to augment vault's login class to allow that.

Thanks. A note in pkg-message sounds reasonable. A PORTREVISION bump might also be called for.

This revision was not accepted when it landed; it landed in state Needs Review.Apr 25 2019, 9:01 PM
This revision was automatically updated to reflect the committed changes.