hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

"socket_user", "socket_mode", "socket_group" options to agent unix listener don't work #9806

Open drawks opened 4 years ago

drawks commented 4 years ago

**Describe the bug**
Setting the socket_mode, socket_user or socket_group options on a unix-type listener stanza in a vault agent config does nothing.

**To Reproduce**
Steps to reproduce the behavior:

1. Write a vault agent config with a cache and listener section:

```hcl
vault {
  address = "http://123.123.123.123:8200"
}

cache {}

listener "unix" {
  address      = "./vault_agent.sock"
  socket_user  = "nobody"
  socket_group = 99
  socket_mode  = 0600
  tls_disable  = true
}
```

2. As root, run `vault agent -config agent.conf -log-level=debug`
3. See Vault start and create a socket owned by `root:root` with a file mode like `0755`
4. Observe no errors or warnings in the log

**Expected behavior**
The created unix socket should conform to the config options specified and/or raise an error if they are set to invalid values or if the declared owner/user/group cannot be achieved.

**Environment:**
* Vault Server Version (retrieve with `vault status`): 1.5.0 and 1.3.4
* Vault CLI Version (retrieve with `vault version`): 1.5.0 and 1.3.4
* Server Operating System/Architecture: Centos 7

Vault server configuration file(s):

Vault server config is not applicable to this bug report, the vault agent config as pasted in the above steps to reproduce is sufficient to replicate the bug.

**Additional context**
The config options have been present in the vault code base for some time (#6397) but are not present in the documentation.

jlrgraham23 commented 3 years ago

Also seeing this issue on Vault 1.7.0 / CentOS 7 and Amazon Linux 2. These options appear to be ignored by the Vault Agent.

edevil commented 3 years ago

I just tried them (I'm on 1.6.1), and the options seem to be working. I couldn't find them documented though.

zdszenturie commented 12 months ago

On Ubuntu 20.04 with 1.15, same for me; it was also failing because tls_disable was not added, but the docs don't state it is needed.

```hcl
listener "unix" {
  address      = "/opt/vault-agent/vault-agent.sock"
  socke_mode   = "0660"
  socket_group = "1001"
  socket_user  = "1000"
  tls_disable  = true
}
```

drawks commented 12 months ago

> socke_mode

You've got a typo.

zdszenturie commented 12 months ago

> You've got a typo.

Thanks.