Vault 3992 documentation changes (#14918)

* doc changes

* adding config changes

* adding chnages to plugins

* using include

* making doc changes

* adding newline

website/content/docs/configuration/index.mdx

@@ -8,6 +8,11 @@ description: Vault server configuration reference.
 
 Outside of development mode, Vault servers are configured using a file.
 The format of this file is [HCL](https://github.com/hashicorp/hcl) or JSON.
+
+By default, Vault expects the config directory and files to be owned by the
+user running Vault. It also expects no write or execute permissions for group or others.
+This check can be disabled via the environment variable `VAULT_DISABLE_FILE_PERMISSIONS_CHECK`.
+
 An example configuration is shown below:
 
 ```javascript
@@ -117,6 +122,18 @@ to specify where the configuration is.
   allowed to be loaded. Vault must have permission to read files in this
   directory to successfully load plugins, and the value cannot be a symbolic link.
 
+  @include 'plugin-file-permissions-check.mdx'
+
+- `plugin_file_uid` `(integer: 0)` – Uid of the plugin directories and plugin binaries.
+   By default, Vault expects the plugin directory and plugin binaries to be owned by
+   the user running Vault. This check can be disabled via the environment variable
+   `VAULT_DISABLE_FILE_PERMISSIONS_CHECK`.
+
+- `plugin_file_permissions` `(string: "")` – Octal permission string of the plugin
+   directories and plugin binaries. By default, Vault expects no write or execute
+   permissions for group or others. This check can be disabled via the environment variable
+   `VAULT_DISABLE_FILE_PERMISSIONS_CHECK`. 
+
 - `telemetry` `([Telemetry][telemetry]: <none>)` – Specifies the telemetry
   reporting system.
 

website/content/docs/plugins/index.mdx

@@ -12,6 +12,8 @@ allows both built-in and external plugins to be treated like Legos. Any plugin
 can exist at multiple different locations. Different versions of a plugin may
 be at each location, with each version differing from Vault's version.
 
+@include 'plugin-file-permissions-check.mdx'
+
 ## Built-In Plugins
 
 Built-in plugins are shipped with Vault, often for commonly used implementations,

website/content/docs/plugins/plugin-architecture.mdx

@@ -92,9 +92,11 @@ cannot be added to Vault unless it exists in the plugin directory. There is no
 default for this configuration option, and if it is not set, plugins cannot be
 added to Vault.
 
-~> Warning: A Vault operator should take caution and lock down the permissions on
-this directory to ensure a plugin cannot be modified by an unauthorized user
-between the time of the SHA check and the time of plugin execution.
+~> Warning: By default, Vault expects the plugin directory and files to be owned by the
+user running Vault. It also expects no write or execute permissions for group or others.
+Vault allows operators to specify the user and permissions of the plugin directory and binaries 
+using parameters `plugin_file_uid` and `plugin_file_permissions` in config if an operator needs those to be different.  
+This check can be disabled via the environment variable `VAULT_DISABLE_FILE_PERMISSIONS_CHECK`.
 
 ### Plugin Catalog
 

website/content/partials/plugin-file-permissions-check.mdx

@@ -0,0 +1,5 @@
+By default, Vault expects the plugin directory and files to be owned by the
+user running Vault. It also expects no write or execute permissions for group or others.
+Vault allows operators to specify the user and permissions of the plugin directory and binaries 
+using parameters `plugin_file_uid` and `plugin_file_permissions` if an operator needs those to be different.  
+This check can be disabled via the environment variable `VAULT_DISABLE_FILE_PERMISSIONS_CHECK`.