Conditionally set file audit log mode (#3649)

This commit is contained in:
Brian Shumate 2017-12-07 11:44:15 -05:00 committed by Jeff Mitchell
parent 2aa576149c
commit a0d1092420
2 changed files with 10 additions and 6 deletions

View file

@ -75,8 +75,10 @@ func Factory(conf *audit.BackendConfig) (audit.Backend, error) {
if err != nil {
return nil, err
}
if m != 0 {
mode = os.FileMode(m)
}
}
b := &Backend{
path: path,
@ -247,15 +249,17 @@ func (b *Backend) open() error {
}
// Change the file mode in case the log file already existed. We special
// case /dev/null since we can't chmod it
// case /dev/null since we can't chmod it and bypass if the mode is zero
switch b.path {
case "/dev/null":
default:
if b.mode != 0 {
err = os.Chmod(b.path, b.mode)
if err != nil {
return err
}
}
}
return nil
}

View file

@ -77,7 +77,7 @@ Following are the configuration options available for the backend.
<span class="param-flags">optional</span>
A string containing an octal number representing the bit pattern
for the file mode, similar to `chmod`. This option defaults to
`0600`.
`0600`. Specifying mode of `0000` will disable Vault's setting any mode on the file.
</li>
<li>
<span class="param">format</span>