Fix permissions for /config/config.toml so Athens can run as non-root #1699
@tzvetkoff looks good, thanks for this. there was a flake in the CI/CD, so updated code from main
and waiting for the new CI/CD run to finish
Ok, this looks like an unrelated test error, might be a flake but I'm not sure. I'll do this as soon as I can @tzvetkoff but I can't today unfortunately. @marwan-at-work any chance you have an idea what's going on here?
@arschles looks like redis-sentinel can time out on start up, I restarted the build and it's good now.
nice, thanks @marwan-at-work. I restarted a few times but it didn't fix the flake. I guess drone got in a better mood.
This errors out when using the
Hello @abh that's correct. The problem with 644 is that tokens stored in the config can be read by the world. Is 644 absolutely required, or would 0640 suffice? Thanks!
@manugupt1 I didn't look at it carefully beyond noticing that installed in kubernetes with the helm chart the canary image would error out with the message about the permissions being too lax and at a glance it seems like the change to make them lax was deliberate (but not followed up with relaxing the other check).
@abh Will you be able to do a quick check please? Does Athens work on latest image (not canary)?
@arschles @abh What do you think of the following:
What is the problem I am trying to address?
Current permissions of /config/config.toml make Athens impossible to run as non-root user.
How is the fix applied?
Changed the file permissions to 0644.
What GitHub issue(s) does this PR fix or close?
Fixes #1695
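
The trade-off discussed in this thread, as an added example that is not Athens code and not part of this PR: a Go model of why a root-owned 0600 file blocks a non-root process, why 0644 trips a strictness check, and when 0640 satisfies both. The type and function names are hypothetical, the 0640 ceiling is an assumption taken from the suggestion above, and uid/gid 1000 is a constructed non-root user.

```go
package main

import "fmt"
import "io/fs"

// Hypothetical types for this example; none of these names come from Athens.
type fileInfo struct {
	mode     fs.FileMode
	uid, gid int
}
type proc struct {
	uid  int
	gids []int
}

// canRead: Unix consults exactly one of the owner/group/other read bits.
func canRead(f fileInfo, p proc) bool {
	if p.uid == 0 {
		return true // root bypasses the mode bits
	}
	if p.uid == f.uid {
		return f.mode&0o400 != 0
	}
	for _, g := range p.gids {
		if g == f.gid {
			return f.mode&0o040 != 0
		}
	}
	return f.mode&0o004 != 0
}

// assess rejects any bit outside 0640 (assumed ceiling, taken from the
// suggestion in the thread), then checks the process can still read the file.
func assess(f fileInfo, p proc) string {
	if f.mode.Perm()&^0o640 != 0 {
		return "too lax"
	}
	if !canRead(f, p) {
		return "unreadable"
	}
	return "ok"
}

func main() {
	athens := proc{uid: 1000, gids: []int{1000}} // constructed non-root user
	for _, f := range []fileInfo{{0o600, 0, 0}, {0o644, 0, 0}, {0o640, 0, 1000}} {
		fmt.Printf("%04o uid=%d gid=%d: %s\n", uint32(f.mode.Perm()), f.uid, f.gid, assess(f, athens))
	}
}
```

In this model 0640 only works when the file's group is one the runtime user belongs to; a root:root 0640 file is still unreadable to uid 1000.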