rc.d script is missing mlock capabilities
Not sure how to best communicate this change to port users, as existing
people are stuck with it. pkg message, or UPDATING?
See https://github.com/hashicorp/vault/issues/6340 for background.
Details
Details
Diff Detail
Diff Detail
- Repository
- rP FreeBSD ports repository
- Lint
Lint Not Applicable - Unit
Tests Not Applicable
Event Timeline
Comment Actions
Could you give a short description of the change here? If I am recalling the password format correctly, you are changing the login class. Is that correct? What does this fix/solve wrt to the missing mlock capabilities?
Comment Actions
sure.
vault is a secrets store, where data is encrypted at rest, and uses Shamir secret sharing (m of n keys required to unlock) at run-time to decrypt all secrets. This master secret is ... super secret so we don't want it anywhere other than volatile ram. Anybody using the built-in user is potentially at risk from the master secret being available in swap.
We need mlock support to ensure that the secret key isn't paged out to disk. The default user class doesn't allow this, so we need to augment vault's login class to allow that.
Comment Actions
Thanks. A note in pkg-message sounds reasonable. A PORTREVISION bump might also be called for.