VAULT-2809: Tweak creation of vault.db file (#12034)

2021-07-09 20:45:50 +02:00 · 2021-07-09 20:45:50 +02:00 · a3ac49aa05
parent 43265d6626
commit a3ac49aa05
3 changed files with 19 additions and 2 deletions
--- a/changelog/12034.txt
+++ b/changelog/12034.txt
@ -0,0 +1,3 @@
+```release-note:bug
+storage/raft: Tweak creation of vault.db file
+```
--- a/physical/raft/fsm.go
+++ b/physical/raft/fsm.go
@ -6,6 +6,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"os"
 	"path/filepath"
 	"strconv"
 	"strings"
@ -154,9 +155,22 @@ func (f *FSM) openDBFile(dbPath string) error {
 		return errors.New("can not open empty filename")
 	}

+	st, err := os.Stat(dbPath)
+	switch {
+	case err != nil && os.IsNotExist(err):
+	case err != nil:
+		return fmt.Errorf("error checking raft FSM db file %q: %v", dbPath, err)
+	default:
+		perms := st.Mode() & os.ModePerm
+		if perms&0o077 != 0 {
+			f.logger.Warn("raft FSM db file has wider permissions than needed",
+				"needed", os.FileMode(0o600), "existing", perms)
+		}
+	}
+
 	freelistType, noFreelistSync := freelistOptions()
 	start := time.Now()
-	boltDB, err := bolt.Open(dbPath, 0o666, &bolt.Options{
+	boltDB, err := bolt.Open(dbPath, 0o600, &bolt.Options{
 		Timeout:        1 * time.Second,
 		FreelistType:   freelistType,
 		NoFreelistSync: noFreelistSync,
--- a/physical/raft/snapshot.go
+++ b/physical/raft/snapshot.go
@ -330,7 +330,7 @@ func (s *BoltSnapshotSink) writeBoltDBFile() error {

 	// Create the BoltDB file
 	dbPath := filepath.Join(path, databaseFilename)
-	boltDB, err := bolt.Open(dbPath, 0o666, &bolt.Options{Timeout: 1 * time.Second})
+	boltDB, err := bolt.Open(dbPath, 0o600, &bolt.Options{Timeout: 1 * time.Second})
 	if err != nil {
 		return err
 	}