Set up proper keytab permissions

ed981cfd · Mihai Patrascoiu · cccd839b · ed981cfd · ed981cfd · ed981cfd
Commit ed981cfd authored Feb 04, 2020 by Mihai Patrascoiu
--- a/Dockerfile
+++ b/Dockerfile
@@ -65,8 +65,11 @@ RUN yum install -y --nogpg install xrootd-client
 # This is useful to deploy EOS on Kubernetes clusters running on CERN's Cloud
 # Infrastructure; you can remove these lines if you don't need one.
 RUN yes | xrdsssadmin -k eos-test del /etc/eos.keytab; \
-    yes | xrdsssadmin -u daemon -g daemon -k eos-test+ -n 1234567890123456789 add /etc/eos.keytab; \
-    chown daemon:daemon /etc/eos.keytab
+    yes | xrdsssadmin -u daemon -g daemon -k eos-test+ -n 1234567890123456789 add /etc/eos.keytab
+
+# Setup keytab permissions
+RUN chown daemon:daemon /etc/eos.keytab; \
+    chmod 400 /etc/eos.keytab

 # Change owner of /var/spool/xrootd directory to daemon
 RUN chown daemon:daemon /var/spool/xrootd

--- a/Dockerfile_asan
+++ b/Dockerfile_asan
@@ -46,7 +46,10 @@ RUN createrepo ${EOSREPODIR}; \
 # Generate a new forwardable keytab 'eos-test+' to replace the not-forwardable one (installed by the eos-testkeytab package).
 # This is useful to deploy EOS on Kubernetes clusters running on CERN's Cloud Infrastructure; you can remove these lines if you don't need one.
 RUN yes | xrdsssadmin -k eos-test del /etc/eos.keytab; \
-    yes | xrdsssadmin -u daemon -g daemon -k eos-test+ -n 1234567890123456789 add /etc/eos.keytab; \
-    chown daemon:daemon /etc/eos.keytab
+    yes | xrdsssadmin -u daemon -g daemon -k eos-test+ -n 1234567890123456789 add /etc/eos.keytab
+
+# Setup keytab permissions
+RUN chown daemon:daemon /etc/eos.keytab; \
+    chmod 400 /etc/eos.keytab

 ENTRYPOINT ["/bin/bash"]
--- a/Dockerfile_c8
+++ b/Dockerfile_c8
@@ -50,8 +50,11 @@ RUN createrepo ${EOSREPODIR}; \
 # This is useful to deploy EOS on Kubernetes clusters running on CERN's Cloud
 # Infrastructure; you can remove these lines if you don't need one.
 RUN yes | xrdsssadmin -k eos-test del /etc/eos.keytab; \
-    yes | xrdsssadmin -u daemon -g daemon -k eos-test+ -n 1234567890123456789 add /etc/eos.keytab; \
-    chown daemon:daemon /etc/eos.keytab
+    yes | xrdsssadmin -u daemon -g daemon -k eos-test+ -n 1234567890123456789 add /etc/eos.keytab
+
+# Setup keytab permissions
+RUN chown daemon:daemon /etc/eos.keytab; \
+    chmod 400 /etc/eos.keytab

 # Change owner of /var/spool/xrootd directory to daemon
 RUN chown daemon:daemon /var/spool/xrootd

--- a/Dockerfile_coverage
+++ b/Dockerfile_coverage
@@ -66,7 +66,10 @@ RUN mkdir -p /root/rpmbuild/BUILD/; \
 # Generate a new forwardable keytab 'eos-test+' to replace the not-forwardable one (installed by the eos-testkeytab package).
 # This is useful to deploy EOS on Kubernetes clusters running on CERN's Cloud Infrastructure; you can remove these lines if you don't need one.
 RUN yes | xrdsssadmin -k eos-test del /etc/eos.keytab; \
-    yes | xrdsssadmin -u daemon -g daemon -k eos-test+ -n 1234567890123456789 add /etc/eos.keytab; \
-    chown daemon:daemon /etc/eos.keytab
+    yes | xrdsssadmin -u daemon -g daemon -k eos-test+ -n 1234567890123456789 add /etc/eos.keytab
+
+# Setup keytab permissions
+RUN chown daemon:daemon /etc/eos.keytab; \
+    chmod 400 /etc/eos.keytab

 ENTRYPOINT ["/bin/bash"]
--- a/Dockerfile_ubuntu_bionic
+++ b/Dockerfile_ubuntu_bionic
@@ -49,6 +49,6 @@ RUN apt-get install -y eos-client eos-fuse eos-fusex eos-test eos-testkeytab

 # Change persmissions for keytab
 RUN chown daemon:daemon /etc/eos.keytab; \
-    chmod 600 /etc/eos.keytab
+    chmod 400 /etc/eos.keytab

 ENTRYPOINT ["/bin/bash"]
--- a/Dockerfile_ubuntu_disco
+++ b/Dockerfile_ubuntu_disco
@@ -49,6 +49,6 @@ RUN apt-get install -y eos-client eos-fuse eos-fusex eos-test eos-testkeytab

 # Change persmissions for keytab
 RUN chown daemon:daemon /etc/eos.keytab; \
-    chmod 600 /etc/eos.keytab
+    chmod 400 /etc/eos.keytab

 ENTRYPOINT ["/bin/bash"]
--- a/Dockerfile_xrd_testing
+++ b/Dockerfile_xrd_testing
@@ -51,7 +51,10 @@ RUN createrepo ${EOSREPODIR}; \
 # Generate a new forwardable keytab 'eos-test+' to replace the not-forwardable one (installed by the eos-testkeytab package).
 # This is useful to deploy EOS on Kubernetes clusters running on CERN's Cloud Infrastructure; you can remove these lines if you don't need one.
 RUN yes | xrdsssadmin -k eos-test del /etc/eos.keytab; \
-    yes | xrdsssadmin -u daemon -g daemon -k eos-test+ -n 1234567890123456789 add /etc/eos.keytab; \
-    chown daemon:daemon /etc/eos.keytab
+    yes | xrdsssadmin -u daemon -g daemon -k eos-test+ -n 1234567890123456789 add /etc/eos.keytab
+
+# Setup keytab permissions
+RUN chown daemon:daemon /etc/eos.keytab; \
+    chmod 400 /etc/eos.keytab

 ENTRYPOINT ["/bin/bash"]