Mounted cloud credentials should not be world-readable

sseago · sseago · commit 19c4ddc2e6ba · 2025-05-08T15:47:06.000-04:00
Signed-off-by: Scott Seago &lt;sseago@redhat.com&gt;
diff --git a/changelogs/unreleased/8919-sseago b/changelogs/unreleased/8919-sseago
@@ -0,0 +1 @@
+Mounted cloud credentials should not be world-readable
diff --git a/internal/credentials/file_store.go b/internal/credentials/file_store.go
@@ -71,7 +71,8 @@ func (n *namespacedFileStore) Path(selector *corev1api.SecretKeySelector) (strin
 
 	keyFilePath := filepath.Join(n.fsRoot, fmt.Sprintf("%s-%s", selector.Name, selector.Key))
 
-	file, err := n.fs.OpenFile(keyFilePath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0644)
+	// owner RW perms, group R perms, no public perms
+	file, err := n.fs.OpenFile(keyFilePath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0640)
 	if err != nil {
 		return "", errors.Wrap(err, "unable to open credentials file for writing")
 	}
diff --git a/pkg/install/daemonset.go b/pkg/install/daemonset.go
@@ -23,6 +23,7 @@ import (
 	appsv1api "k8s.io/api/apps/v1"
 	corev1api "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/ptr"
 
 	"github.com/vmware-tanzu/velero/internal/velero"
 )
@@ -177,7 +178,9 @@ func DaemonSet(namespace string, opts ...podTemplateOption) *appsv1api.DaemonSet
 				Name: "cloud-credentials",
 				VolumeSource: corev1api.VolumeSource{
 					Secret: &corev1api.SecretVolumeSource{
-						SecretName: "cloud-credentials",
+						// read-only for Owner and Group; no permission for Public
+						DefaultMode: ptr.To(int32(0440)),
+						SecretName:  "cloud-credentials",
 					},
 				},
 			},
diff --git a/pkg/install/deployment.go b/pkg/install/deployment.go
@@ -24,6 +24,7 @@ import (
 	appsv1api "k8s.io/api/apps/v1"
 	corev1api "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/ptr"
 
 	"github.com/vmware-tanzu/velero/internal/velero"
 	"github.com/vmware-tanzu/velero/pkg/builder"
@@ -404,7 +405,9 @@ func Deployment(namespace string, opts ...podTemplateOption) *appsv1api.Deployme
 				Name: "cloud-credentials",
 				VolumeSource: corev1api.VolumeSource{
 					Secret: &corev1api.SecretVolumeSource{
-						SecretName: "cloud-credentials",
+						// read-only for Owner and Group; no permission for Public
+						DefaultMode: ptr.To(int32(0440)),
+						SecretName:  "cloud-credentials",
 					},
 				},
 			},

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Mounted cloud credentials should not be world-readable`
Original file line number	Diff line number	Diff line change
`@@ -71,7 +71,8 @@ func (n namespacedFileStore) Path(selector corev1api.SecretKeySelector) (strin`
`71`	`71`
`72`	`72`	`keyFilePath := filepath.Join(n.fsRoot, fmt.Sprintf("%s-%s", selector.Name, selector.Key))`
`73`	`73`
`74`		`- file, err := n.fs.OpenFile(keyFilePath, os.O_RDWR\|os.O_CREATE\|os.O_TRUNC, 0644)`
	`74`	`+ // owner RW perms, group R perms, no public perms`
	`75`	`+ file, err := n.fs.OpenFile(keyFilePath, os.O_RDWR\|os.O_CREATE\|os.O_TRUNC, 0640)`
`75`	`76`	`if err != nil {`
`76`	`77`	`return "", errors.Wrap(err, "unable to open credentials file for writing")`
`77`	`78`	`}`