I'm building infrastructure with this and been checking permissions on files.
I've found loose permissions that can be read by anybody on the machine, first, on config files, these can have secret consul tokens and gossip encryption keys.
TLS directory seemed OK as private key is 600 restricted and certs are public.
However, /var/nomad is exposed to all which is extremely severe as below command works and prints vault token of allocation on debian 11 machine:
I'm building infrastructure with this and been checking permissions on files.
I've found loose permissions that can be read by anybody on the machine, first, on config files, these can have secret consul tokens and gossip encryption keys.
TLS directory seemed OK as private key is 600 restricted and certs are public.
However, /var/nomad is exposed to all which is extremely severe as below command works and prints vault token of allocation on debian 11 machine:
Do with this what you will.