mirror of https://github.com/Security-Onion-Solutions/securityonion.git
synced 2026-05-07 03:48:06 +02:00
2e411625c4
The unscoped `umask 077` on postsalt's secrets_pillar path leaked into every subsequent file write by so-setup (and the salt-call processes it spawned) for the rest of the install. Every state-rendered config file under /opt/so/conf landed at mode 0600 instead of 0644, which broke any container that bind-mounts its config read-only and runs as a non-root user after the entrypoint's gosu drop. The first concrete casualty was the influxdb container, which exits with "failed to load config file: open /conf/config.yaml: permission denied" after init mode completes and re-execs as the influxdb user. The chmod 0400 immediately after the printf already enforces the intended file mode, so the umask was redundant for the key file itself; scoping it to a subshell preserves the defense-in-depth between the printf and the chmod without polluting the parent shell.
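The leak described in the commit message is easy to reproduce. The script below is an added example, not code from the securityonion repository: it writes a key file under `umask 077` twice, once with the umask set in the calling shell and once with it confined to a subshell, then writes an unrelated config file afterwards and reports the resulting modes. All paths, the key contents and the config line are constructed for the demonstration; the `umask 022` at the start of each variant stands in for the installer's normal umask.

```shell
#!/bin/sh
# Added example (not the securityonion project's own code): shows how an
# unscoped `umask 077` leaks into later file writes, and how a subshell
# confines it. Paths and file contents are constructed for the demo.

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Print a file's permission bits in octal (GNU stat, BSD stat fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# BEFORE: umask is changed in the current shell. The chmod 0400 still sets
# the key's mode, but the umask stays in effect, so the next config file
# lands at 0600 instead of 0644. Prints "<key mode> <config mode>".
write_unscoped() {
    umask 022                     # assumed: the installer's normal umask
    umask 077
    printf 'constructed-secret\n' > "$workdir/unscoped.key"
    chmod 0400 "$workdir/unscoped.key"
    printf 'bind-address: 127.0.0.1\n' > "$workdir/unscoped.yaml"
    echo "$(mode_of "$workdir/unscoped.key") $(mode_of "$workdir/unscoped.yaml")"
}

# AFTER: the umask is scoped to a subshell. The key is still created 0600
# before the chmod tightens it to 0400 (the defense-in-depth window is
# kept), but the parent's umask is untouched and the config file is 0644.
write_scoped() {
    umask 022
    (
        umask 077
        printf 'constructed-secret\n' > "$workdir/scoped.key"
        chmod 0400 "$workdir/scoped.key"
    )
    printf 'bind-address: 127.0.0.1\n' > "$workdir/scoped.yaml"
    echo "$(mode_of "$workdir/scoped.key") $(mode_of "$workdir/scoped.yaml")"
}

# Report the umask the caller is left with after running one variant:
# this is what every later salt-call or state render would inherit.
umask_after() {
    umask 022
    "$1" >/dev/null
    umask
}

echo "unscoped: $(write_unscoped)"   # 400 600
echo "scoped:   $(write_scoped)"     # 400 644
echo "umask after unscoped: $(umask_after write_unscoped)"   # 0077
echo "umask after scoped:   $(umask_after write_scoped)"     # 0022
```

The check worth keeping after an install is the last one: any config a non-root container user must read (here `/opt/so/conf/...` bind-mounted read-only) should come back from `stat` as 0644, and a 0600 there points at a umask that escaped its intended scope rather than at the container image.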