bug(buffers): disk buffer should attempt to constrain file permissions when possible #18853
Labels
domain: buffers
Anything related to Vector's memory/disk buffers
domain: security
Anything related to security
type: bug
A code related bug.
Currently, disk buffers do not explicitly attempt to set permissions on the directories/files they create, instead relying solely on whatever the prevailing system configuration dictates (i.e. Linux's `umask` setting). This means that, in some cases, disk buffer files are world readable. While we do provide an option for hardening Vector, in terms of default file permissions, this is opt-in... and we can generally do better than that.
We should attempt to at least mark disk buffer directories/files as readable/writable by the owner and group, but entirely inaccessible by others/world. Given that Vector itself is the only process that should be touching the files, it stands to reason that we should not allow world/others to ever read or write to those files.
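As an added illustration (not code from the Vector repository), here is one way to pin owner/group-only permissions on Unix with the Rust standard library instead of relying on `umask`. The modes `0o770`/`0o660`, the helper names and the file name are assumptions made for this sketch.

```rust
use std::fs::{self, DirBuilder, OpenOptions, Permissions};
use std::io::{self, Write};
use std::os::unix::fs::{DirBuilderExt, OpenOptionsExt, PermissionsExt};
use std::path::{Path, PathBuf};

// Assumed target modes: read/write for owner and group, nothing for others.
const DIR_MODE: u32 = 0o770;
const FILE_MODE: u32 = 0o660;

/// Create (or reuse) a buffer directory and pin its mode.
fn create_buffer_dir(path: &Path) -> io::Result<()> {
    // The creation mode is still filtered by umask, which can only clear bits.
    DirBuilder::new().recursive(true).mode(DIR_MODE).create(path)?;
    // Explicit chmod also tightens a directory left behind by an older run.
    fs::set_permissions(path, Permissions::from_mode(DIR_MODE))
}

/// Open (or create) a buffer file for appending and pin its mode.
fn create_buffer_file(dir: &Path, name: &str) -> io::Result<PathBuf> {
    let path = dir.join(name);
    let mut file = OpenOptions::new()
        .append(true)
        .create(true)
        .mode(FILE_MODE) // applies only when the file is newly created
        .open(&path)?;
    // fchmod on the open handle: covers pre-existing files, no path race.
    file.set_permissions(Permissions::from_mode(FILE_MODE))?;
    file.write_all(b"constructed sample record\n")?;
    Ok(path)
}

/// Permission bits only (file type and setuid/setgid/sticky bits masked off).
fn mode_of(path: &Path) -> io::Result<u32> {
    Ok(fs::metadata(path)?.permissions().mode() & 0o777)
}

/// True if "others" hold any read, write or execute bit.
fn world_accessible(path: &Path) -> io::Result<bool> {
    Ok(mode_of(path)? & 0o007 != 0)
}

fn main() -> io::Result<()> {
    // Hypothetical location and file name, for demonstration only.
    let dir = std::env::temp_dir().join(format!("example-disk-buffer-{}", std::process::id()));
    create_buffer_dir(&dir)?;
    let file = create_buffer_file(&dir, "buffer-data-0.dat")?;
    println!("dir {:o}, file {:o}", mode_of(&dir)?, mode_of(&file)?);
    fs::remove_dir_all(&dir)
}
```

The explicit `set_permissions` calls matter because a creation mode alone does nothing for directories and files that already exist with looser bits from an earlier run.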