From ed981cfde5c52cd587a8a1be267736326717a149 Mon Sep 17 00:00:00 2001
From: Mihai Patrascoiu <mihai.patrascoiu@cern.ch>
Date: Tue, 4 Feb 2020 17:13:30 +0100
Subject: [PATCH] Set up proper keytab permissions

---
 Dockerfile               | 7 +++++--
 Dockerfile_asan          | 7 +++++--
 Dockerfile_c8            | 7 +++++--
 Dockerfile_coverage      | 7 +++++--
 Dockerfile_ubuntu_bionic | 2 +-
 Dockerfile_ubuntu_disco  | 2 +-
 Dockerfile_xrd_testing   | 7 +++++--
 7 files changed, 27 insertions(+), 12 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 3ff5f0b..4b12863 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -65,8 +65,11 @@ RUN yum install -y --nogpg install xrootd-client
 # This is useful to deploy EOS on Kubernetes clusters running on CERN's Cloud
 # Infrastructure; you can remove these lines if you don't need one.
 RUN yes | xrdsssadmin -k eos-test del /etc/eos.keytab; \
-    yes | xrdsssadmin -u daemon -g daemon -k eos-test+ -n 1234567890123456789 add /etc/eos.keytab; \
-    chown daemon:daemon /etc/eos.keytab
+    yes | xrdsssadmin -u daemon -g daemon -k eos-test+ -n 1234567890123456789 add /etc/eos.keytab
+
+# Setup keytab permissions
+RUN chown daemon:daemon /etc/eos.keytab; \
+    chmod 400 /etc/eos.keytab
 
 # Change owner of /var/spool/xrootd directory to daemon
 RUN chown daemon:daemon /var/spool/xrootd
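Review bot: The `chmod 400` on L30 runs in a separate layer, so it only changes the mode recorded in that layer; the keytab written by the preceding RUN (L23–L26) is already stored in the earlier layer with whatever mode xrdsssadmin gave it, and anyone who can pull the image can extract the key from that layer (`docker save`) regardless of the final permissions. Tightening the mode still protects against non-root processes inside the running container, but the key is baked into every image built from this file, which is worth stating next to the step, e.g. `# Setup keytab permissions (in-container hardening only; the key remains readable from the image layers)`. The two commands on L29–L30 are also joined with `;`, so a chown that fails (for instance if the daemon account does not exist) is masked by a successful chmod and leaves a root-owned 0400 file that the daemon user cannot read; `RUN chown daemon:daemon /etc/eos.keytab && chmod 400 /etc/eos.keytab` fails the build instead.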
diff --git a/Dockerfile_asan b/Dockerfile_asan
index d465956..b150b59 100644
--- a/Dockerfile_asan
+++ b/Dockerfile_asan
@@ -46,7 +46,10 @@ RUN createrepo ${EOSREPODIR}; \
 # Generate a new forwardable keytab 'eos-test+' to replace the not-forwardable one (installed by the eos-testkeytab package).
 # This is useful to deploy EOS on Kubernetes clusters running on CERN's Cloud Infrastructure; you can remove these lines if you don't need one.
 RUN yes | xrdsssadmin -k eos-test del /etc/eos.keytab; \
-    yes | xrdsssadmin -u daemon -g daemon -k eos-test+ -n 1234567890123456789 add /etc/eos.keytab; \
-    chown daemon:daemon /etc/eos.keytab
+    yes | xrdsssadmin -u daemon -g daemon -k eos-test+ -n 1234567890123456789 add /etc/eos.keytab
+
+# Setup keytab permissions
+RUN chown daemon:daemon /etc/eos.keytab; \
+    chmod 400 /etc/eos.keytab
 
 ENTRYPOINT ["/bin/bash"]
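Review bot: On L47–L48 the chown and chmod are chained with `;`, so the RUN step's exit status is that of chmod alone and a failed chown goes unnoticed, producing a root-owned 0400 keytab the daemon user cannot open; use `RUN chown daemon:daemon /etc/eos.keytab && chmod 400 /etc/eos.keytab`. Note also that no USER directive is visible and the image ends in `ENTRYPOINT ["/bin/bash"]`, so processes start as root, which bypasses the 0400 mode entirely; the permission only takes effect for whatever later drops privileges to daemon. A short comment on L46 saying which process is expected to read the keytab as daemon would make the intent of the mode clear.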
diff --git a/Dockerfile_c8 b/Dockerfile_c8
index 520fee0..6036ad8 100644
--- a/Dockerfile_c8
+++ b/Dockerfile_c8
@@ -50,8 +50,11 @@ RUN createrepo ${EOSREPODIR}; \
 # This is useful to deploy EOS on Kubernetes clusters running on CERN's Cloud
 # Infrastructure; you can remove these lines if you don't need one.
 RUN yes | xrdsssadmin -k eos-test del /etc/eos.keytab; \
-    yes | xrdsssadmin -u daemon -g daemon -k eos-test+ -n 1234567890123456789 add /etc/eos.keytab; \
-    chown daemon:daemon /etc/eos.keytab
+    yes | xrdsssadmin -u daemon -g daemon -k eos-test+ -n 1234567890123456789 add /etc/eos.keytab
+
+# Setup keytab permissions
+RUN chown daemon:daemon /etc/eos.keytab; \
+    chmod 400 /etc/eos.keytab
 
 # Change owner of /var/spool/xrootd directory to daemon
 RUN chown daemon:daemon /var/spool/xrootd
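Review bot: Moving chown/chmod into their own RUN (L64–L65) leaves the keytab from L58–L61 in the previous layer with its original mode, so the new 0400 is not applied to that stored copy and does not stop anyone with image access from reading the key; it is container-internal hardening only. The `;` between the two commands on L64–L65 also masks a chown failure behind a successful chmod, so the build can pass with a keytab the daemon user cannot read; `RUN chown daemon:daemon /etc/eos.keytab && chmod 400 /etc/eos.keytab` makes the step fail-fast.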
diff --git a/Dockerfile_coverage b/Dockerfile_coverage
index c800bcc..942414c 100644
--- a/Dockerfile_coverage
+++ b/Dockerfile_coverage
@@ -66,7 +66,10 @@ RUN mkdir -p /root/rpmbuild/BUILD/; \
 # Generate a new forwardable keytab 'eos-test+' to replace the not-forwardable one (installed by the eos-testkeytab package).
 # This is useful to deploy EOS on Kubernetes clusters running on CERN's Cloud Infrastructure; you can remove these lines if you don't need one.
 RUN yes | xrdsssadmin -k eos-test del /etc/eos.keytab; \
-    yes | xrdsssadmin -u daemon -g daemon -k eos-test+ -n 1234567890123456789 add /etc/eos.keytab; \
-    chown daemon:daemon /etc/eos.keytab
+    yes | xrdsssadmin -u daemon -g daemon -k eos-test+ -n 1234567890123456789 add /etc/eos.keytab
+
+# Setup keytab permissions
+RUN chown daemon:daemon /etc/eos.keytab; \
+    chmod 400 /etc/eos.keytab
 
 ENTRYPOINT ["/bin/bash"]
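Review bot: The chown and chmod on L82–L83 should be joined with `&&` rather than `;`, since otherwise only chmod's exit code decides the RUN result and a failed chown leaves a root-owned 0400 keytab that the daemon user cannot read: `RUN chown daemon:daemon /etc/eos.keytab && chmod 400 /etc/eos.keytab`. The comment `# Setup keytab permissions` on L81 could also say why 0400 rather than 0600 was chosen (presumably so the daemon never rewrites the keytab in place), since the same change is made without explanation in the Ubuntu files.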
diff --git a/Dockerfile_ubuntu_bionic b/Dockerfile_ubuntu_bionic
index 1e2b738..4475e8f 100644
--- a/Dockerfile_ubuntu_bionic
+++ b/Dockerfile_ubuntu_bionic
@@ -49,6 +49,6 @@ RUN apt-get install -y eos-client eos-fuse eos-fusex eos-test eos-testkeytab
 
 # Change persmissions for keytab
 RUN chown daemon:daemon /etc/eos.keytab; \
-    chmod 600 /etc/eos.keytab
+    chmod 400 /etc/eos.keytab
 
 ENTRYPOINT ["/bin/bash"]
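Review bot: Dropping the owner write bit on L95 means any in-container tooling that updates the keytab as the daemon user (xrdsssadmin-style key rotation, if it is used here) will now need root; if that is intended, a one-line comment such as `# 0400: the daemon reads the keytab but must never rewrite it` would document the choice. The chown on L93 and the chmod on L95 are still joined with `;`, so a chown failure is hidden by a successful chmod; `&&` would make the step fail instead.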
diff --git a/Dockerfile_ubuntu_disco b/Dockerfile_ubuntu_disco
index 734cc17..df51fc0 100644
--- a/Dockerfile_ubuntu_disco
+++ b/Dockerfile_ubuntu_disco
@@ -49,6 +49,6 @@ RUN apt-get install -y eos-client eos-fuse eos-fusex eos-test eos-testkeytab
 
 # Change persmissions for keytab
 RUN chown daemon:daemon /etc/eos.keytab; \
-    chmod 600 /etc/eos.keytab
+    chmod 400 /etc/eos.keytab
 
 ENTRYPOINT ["/bin/bash"]
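Review bot: As in the bionic file, L105 and L107 are joined with `;`, so the RUN step succeeds even if the chown fails and leaves the keytab owned by root with mode 0400, unreadable by daemon; `RUN chown daemon:daemon /etc/eos.keytab && chmod 400 /etc/eos.keytab` catches that at build time. Since there is no USER directive visible and the entrypoint is a root shell, the tightened mode only matters for processes that later drop to daemon, which is worth noting in the comment on L104.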
diff --git a/Dockerfile_xrd_testing b/Dockerfile_xrd_testing
index 2dad36f..b4f52d5 100644
--- a/Dockerfile_xrd_testing
+++ b/Dockerfile_xrd_testing
@@ -51,7 +51,10 @@ RUN createrepo ${EOSREPODIR}; \
 # Generate a new forwardable keytab 'eos-test+' to replace the not-forwardable one (installed by the eos-testkeytab package).
 # This is useful to deploy EOS on Kubernetes clusters running on CERN's Cloud Infrastructure; you can remove these lines if you don't need one.
 RUN yes | xrdsssadmin -k eos-test del /etc/eos.keytab; \
-    yes | xrdsssadmin -u daemon -g daemon -k eos-test+ -n 1234567890123456789 add /etc/eos.keytab; \
-    chown daemon:daemon /etc/eos.keytab
+    yes | xrdsssadmin -u daemon -g daemon -k eos-test+ -n 1234567890123456789 add /etc/eos.keytab
+
+# Setup keytab permissions
+RUN chown daemon:daemon /etc/eos.keytab; \
+    chmod 400 /etc/eos.keytab
 
 ENTRYPOINT ["/bin/bash"]
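Review bot: The new RUN on L123–L124 uses `;` between chown and chmod, so a failed chown does not fail the build and the resulting root-owned 0400 keytab would be unreadable by the daemon user; `RUN chown daemon:daemon /etc/eos.keytab && chmod 400 /etc/eos.keytab` is the safer form. Because the chmod happens in a later layer than the keytab generation on L117–L120, the earlier layer still carries the key with its original mode, so this change hardens the running container but does not protect the key from anyone who can pull the image; the comment on L122 could say so to avoid overstating what the permission buys.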
-- 
GitLab