Valve-infra-container: improve security by only allowing access to config.d/ to services that need it
Right now, `config.d` contains some secrets, yet it is accessible to all services.

Let's fix this by:

- Making `/mnt/permanent/config.d` owned by `root:config.d`, and `chmod 770`
- Making every config file there `chmod 640`, with the services depending on them being added to the group of the file's owner (maybe unnecessary because systemd is the one reading the envfile)

Note: Remember that the creation of the folder and the attribution of rights cannot be done in Ansible, but need to be done by a systemd service at boot time. I would suggest introducing a new service rather than having minio create it.
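As an added illustration of the boot-time step proposed above (example code, not part of this issue or of the valve-infra-container repository), the shell function below does what the new service would run: create the directory, hand it to `root:config.d` with mode 0770, and tighten every file inside it to 0640. The script name, the `CONFIG_GROUP` variable and the `check_not_world_accessible` helper are assumptions made for the example; ownership changes are skipped when not running as root so the mode handling can be exercised unprivileged, and the group is created with `groupadd --system` only if it does not already exist.

```shell
#!/bin/sh
# Hypothetical payload for a one-shot systemd unit that runs before the services
# using config.d (names are assumptions for this example, not the project's).

CONFIG_DIR="${CONFIG_DIR:-/mnt/permanent/config.d}"
CONFIG_GROUP="${CONFIG_GROUP:-config.d}"

# Create the directory and apply root:<group> 0770 to it and root:<group> 0640
# to every regular file directly inside it.
setup_config_dir() {
    dir="$1"
    group="$2"

    mkdir -p "$dir"

    # chown/groupadd need root; when unprivileged only the mode bits are applied.
    if [ "$(id -u)" -eq 0 ]; then
        getent group "$group" >/dev/null 2>&1 || groupadd --system "$group"
        chown "root:$group" "$dir"
    fi
    chmod 0770 "$dir"

    # find + -exec handles any file name safely; -maxdepth 1 keeps it to the
    # config files themselves, not a subtree.
    find "$dir" -mindepth 1 -maxdepth 1 -type f -exec chmod 0640 {} +
    if [ "$(id -u)" -eq 0 ]; then
        find "$dir" -mindepth 1 -maxdepth 1 -type f -exec chown "root:$group" {} +
    fi
}

# Octal mode of a path (GNU stat), used to verify the result.
mode_of() {
    stat -c '%a' "$1"
}

# Returns 0 when the "other" permission bits of a path are all clear.
check_not_world_accessible() {
    m=$(mode_of "$1")
    case "$m" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# When executed directly (not sourced), apply the policy and refuse to continue
# if the directory is still reachable by everyone.
if [ "${0##*/}" = "config-d-perms.sh" ]; then
    setup_config_dir "$CONFIG_DIR" "$CONFIG_GROUP"
    check_not_world_accessible "$CONFIG_DIR" || {
        echo "$CONFIG_DIR is still world-accessible" >&2
        exit 1
    }
fi
```

A unit wrapping this script would be `Type=oneshot` with `RemainAfterExit=yes`, ordered `Before=` the units that read files from `config.d` and with `RequiresMountsFor=/mnt/permanent` so it runs only once the persistent volume is mounted (unit names and ordering are assumptions, not the project's configuration). Because PID 1 reads `EnvironmentFile=` as root, the 0640 files stay readable by the units that need them without any group membership, which is the point raised in the second bullet above.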
Edited by Martin Roukala