Closed tmakinen closed 2 years ago
Huh, this is a good point -- I think containers make this a bit less obviously a huge problem since in most of the ways you'd deploy this image in a container, the file is protected more strongly by the boundaries of mount namespaces than unix permissions (and it's not terribly common to share data volumes between containers unnecessarily), but still something we should maybe consider.
Do you know if there's any "official" recommendation from the Redis community about what the umask
should be set to? Perhaps an official redis.service
file for systemd that sets a default we could point to as "look, this is where this recommendation came from" ?
https://github.com/redis/redis/blob/bb875603fb7ff3f9d19aad906bd45d7db98d9a39/utils/systemd-redis_server.service#L37 looks pretty promising/authoritative! :smile:
I'm thinking we should perhaps only reset it if it's set to the default of 0022
so we don't accidentally overwrite the value for someone who is already working around this by setting their own value?
Using
--save
option when starting redis will create database dump files in 0644 permissions. This makes it possible for all users in host to read database contents.Suggestion is to run
umask 077
in entrypoint before starting redis withsu-exec
.