
security/vault: explicitly set class to daemon so that rc.d script can run with mlock enabled
Closed, Public

Authored by dch on Apr 23 2019, 8:50 AM.

Details

Summary

rc.d script is missing mlock capabilities

Not sure how to best communicate this change to port users, as existing
people are stuck with it. pkg message, or UPDATING?

See https://github.com/hashicorp/vault/issues/6340 for background.

Diff Detail

Repository
rP FreeBSD ports repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

dch created this revision. Apr 23 2019, 8:50 AM
jrm added a comment. Apr 23 2019, 1:52 PM

Could you give a short description of the change here? If I am recalling the password format correctly, you are changing the login class. Is that correct? What does this fix/solve wrt the missing mlock capabilities?

dch added a comment. Apr 23 2019, 2:34 PM
In D20025#430403, @jrm wrote:

Could you give a short description of the change here? If I am recalling the password format correctly, you are changing the login class. Is that correct? What does this fix/solve wrt the missing mlock capabilities?

Sure.

vault is a secrets store, where data is encrypted at rest, and uses Shamir secret sharing (m of n keys required to unlock) at run-time to decrypt all secrets. This master secret is ... super secret so we don't want it anywhere other than volatile RAM. Anybody using the built-in user is potentially at risk from the master secret being available in swap.

We need mlock support to ensure that the secret key isn't paged out to disk. The default user class doesn't allow this, so we need to augment vault's login class to allow that.
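As an added illustration (not part of the review or of the port's own code): a Python script that parses a constructed login.conf(5) fragment and two constructed master.passwd(5) lines, laid out like the stock FreeBSD files, and resolves how much memory the vault user's login class may lock (the memorylocked limit, i.e. RLIMIT_MEMLOCK) before and after the class is set to daemon. All sample values are constructed.

```python
import re

# Constructed login.conf fragment: the `daemon` class inherits from
# `default` through tc= and raises the memorylocked limit.
LOGIN_CONF = r"""
default:\
        :passwd_format=sha512:\
        :memorylocked=64K:\
        :umask=022:
daemon:\
        :memorylocked=128M:\
        :tc=default:
"""
# Constructed master.passwd lines; field 5 is the login class and an
# empty field means `default` applies.
PASSWD_DEFAULT_CLASS = "vault:*:322:322::0:0:Vault Daemon:/nonexistent:/usr/sbin/nologin"
PASSWD_DAEMON_CLASS = "vault:*:322:322:daemon:0:0:Vault Daemon:/nonexistent:/usr/sbin/nologin"
_SIZE = {"": 1, "b": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}

def parse_login_conf(text):
    """Return {class: {capability: value}} from termcap-style login.conf text."""
    classes = {}
    for record in text.replace("\\\n", "").splitlines():
        name, *caps = [c.strip() for c in record.strip().split(":")]
        if not name or name.startswith("#"):
            continue
        classes[name] = dict(c.partition("=")[::2] for c in caps if c)
    return classes

def lookup(classes, cls, cap, seen=()):
    """Resolve a capability, following tc= chains the way getcap(3) does."""
    entry = classes.get(cls, {})
    if cap in entry:
        return entry[cap]
    parent = entry.get("tc")
    if parent and parent not in seen:
        return lookup(classes, parent, cap, seen + (cls,))
    return None

def to_bytes(limit):
    """Convert a login.conf size such as '128M' (or 'unlimited') to bytes."""
    if limit is None:
        return 0
    if limit in ("unlimited", "infinity"):
        return float("inf")
    number, unit = re.fullmatch(r"(\d+)([bkmgBKMG]?)", limit).groups()
    return int(number) * _SIZE[unit.lower()]

def user_memorylocked(passwd_line, login_conf_text):
    """Bytes the user's login class lets it lock in RAM (RLIMIT_MEMLOCK)."""
    cls = passwd_line.split(":")[4] or "default"
    return to_bytes(lookup(parse_login_conf(login_conf_text), cls, "memorylocked"))
```

With the default class the vault user may lock only 64K, which is why the process falls back to leaving the unseal material pageable; with the daemon class the limit rises to 128M in this sample.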

jrm added a comment. Apr 23 2019, 2:40 PM

Thanks. A note in pkg-message sounds reasonable. A PORTREVISION bump might also be called for.

This revision was not accepted when it landed; it landed in state Needs Review. Apr 25 2019, 9:01 PM
This revision was automatically updated to reflect the committed changes.