From d198560e208f6a4c0b978fc10bfac67ad4231268 Mon Sep 17 00:00:00 2001
From: hc-github-team-nomad-core <82989552+hc-github-team-nomad-core@users.noreply.github.com>
Date: Fri, 22 Nov 2024 19:33:21 +0100
Subject: [PATCH] backport of commit 368241dbf25e95a65751c24217fccce7f5931953 (#24543)
Co-authored-by: Piotr Kazmierczak <470696+pkazmierczak@users.noreply.github.com>
---
 .changelog/24540.txt | 3 +++
 command/agent/host/host.go | 16 ++++++++++------
 command/agent/host/host_test.go | 4 ++++
 website/content/docs/configuration/client.mdx | 9 +++++++++
 .../content/docs/upgrade/upgrade-specific.mdx | 8 ++++++++
 5 files changed, 34 insertions(+), 6 deletions(-)
 create mode 100644 .changelog/24540.txt
diff --git a/.changelog/24540.txt b/.changelog/24540.txt
new file mode 100644
index 00000000000..79c5aa1cd11
--- /dev/null
+++ b/.changelog/24540.txt
@@ -0,0 +1,3 @@
+```release-note:security
+security: Added more host environment variables to the default deny list for tasks
+```
diff --git a/command/agent/host/host.go b/command/agent/host/host.go
index edd9b6d313c..666f22affeb 100644
--- a/command/agent/host/host.go
+++ b/command/agent/host/host.go
@@ -96,12 +96,16 @@ func environment() map[string]string {
 // Update https://developer.hashicorp.com/nomad/docs/configuration/client#env-denylist
 // whenever this is changed.
 var DefaultEnvDenyList = []string{
- "CONSUL_TOKEN",
- "CONSUL_HTTP_TOKEN",
- "VAULT_TOKEN",
- "NOMAD_LICENSE",
- "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN",
- "GOOGLE_APPLICATION_CREDENTIALS",
+ // product tokens
+ "CONSUL_TOKEN", "CONSUL_HTTP_TOKEN", "CONSUL_HTTP_TOKEN_FILE", "NOMAD_TOKEN", "VAULT_TOKEN",
+ // licenses
+ "CONSUL_LICENSE", "NOMAD_LICENSE", "VAULT_LICENSE",
+ // license paths
+ "CONSUL_LICENSE_PATH", "NOMAD_LICENSE_PATH", "VAULT_LICENSE_PATH",
+ // AWS sensitive variables
+ "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN", "AWS_METADATA_URL",
+ // GCP sensitive variables
+ "GOOGLE_APPLICATION_CREDENTIALS", "GOOGLE_OAUTH_ACCESS_TOKEN",
 }
 // makeEnvRedactSet creates a set of well known environment variables that should be
diff --git a/command/agent/host/host_test.go b/command/agent/host/host_test.go
index 8c9e2e8e619..7fbca180f4e 100644
--- a/command/agent/host/host_test.go
+++ b/command/agent/host/host_test.go
@@ -25,6 +25,8 @@ func TestMakeHostData(t *testing.T) {
 t.Setenv("BOGUS_TOKEN", "foo")
 t.Setenv("BOGUS_SECRET", "foo")
 t.Setenv("ryanSECRETS", "foo")
+ t.Setenv("CONSUL_LICENSE_PATH", "foo")
+ t.Setenv("AWS_ACCESS_KEY_ID", "foo")
 host, err := MakeHostData()
 must.NoError(t, err)
@@ -38,4 +40,6 @@ func TestMakeHostData(t *testing.T) {
 must.Eq(t, "", host.Environment["BOGUS_TOKEN"])
 must.Eq(t, "", host.Environment["BOGUS_SECRET"])
 must.Eq(t, "", host.Environment["ryanSECRETS"])
+ must.Eq(t, "", host.Environment["CONSUL_LICENSE_PATH"])
+ must.Eq(t, "", host.Environment["AWS_ACCESS_KEY_ID"])
 }
diff --git a/website/content/docs/configuration/client.mdx b/website/content/docs/configuration/client.mdx
index bf4ef73f769..1c4e6b6f38b 100644
--- a/website/content/docs/configuration/client.mdx
+++ b/website/content/docs/configuration/client.mdx
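Review bot: The doc comment on the exported DefaultEnvDenyList still does not start with the identifier, so godoc shows only the maintenance reminder; now that the list is grouped by category it deserves a real sentence on the two context lines above `var DefaultEnvDenyList`. Suggest `// DefaultEnvDenyList is the default set of host environment variable names that are redacted from host data (see makeEnvRedactSet).` followed by the existing `// Update https://... whenever this is changed.` line. The `// license paths` and `CONSUL_HTTP_TOKEN_FILE` entries are presumably denied because they reveal where a secret is loaded from rather than being secrets themselves; a short why on those group comments, e.g. `// license paths (reveal secret locations, not secrets)`, would stop a future cleanup from dropping them.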
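Review bot: Only two of the eleven new deny-list entries are exercised by the added `t.Setenv`/`must.Eq` pairs in TestMakeHostData (CONSUL_LICENSE_PATH and AWS_ACCESS_KEY_ID), so a mistyped or accidentally dropped entry elsewhere in DefaultEnvDenyList would still pass. Since the test is in the same package it can range over DefaultEnvDenyList for both the Setenv calls and the assertions, keeping the test in lock-step with the list; this assumes MakeHostData applies the default list, which the existing assertions suggest but the hunk does not show. The BOGUS_TOKEN/BOGUS_SECRET/ryanSECRETS cases should stay, as they appear to cover redaction that is not driven by the list. TestMakeHostData begins above the first hunk; the second hunk's closing `}` ends it.
```go
	// … unchanged: BOGUS_TOKEN / BOGUS_SECRET / ryanSECRETS Setenv calls …
	for _, name := range DefaultEnvDenyList {
		t.Setenv(name, "foo")
	}

	host, err := MakeHostData()
	must.NoError(t, err)
	// … unchanged: existing must.Eq assertions …
	for _, name := range DefaultEnvDenyList {
		must.Eq(t, "", host.Environment[name])
	}
```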
@@ -304,12 +304,21 @@ see the [drivers documentation](/nomad/docs/drivers).
 ```text
 CONSUL_TOKEN
 CONSUL_HTTP_TOKEN
+ CONSUL_HTTP_TOKEN_FILE
+ NOMAD_TOKEN
 VAULT_TOKEN
+ CONSUL_LICENSE
 NOMAD_LICENSE
+ VAULT_LICENSE
+ CONSUL_LICENSE_PATH
+ NOMAD_LICENSE_PATH
+ VAULT_LICENSE_PATH
 AWS_ACCESS_KEY_ID
 AWS_SECRET_ACCESS_KEY
 AWS_SESSION_TOKEN
+ AWS_METADATA_URL
 GOOGLE_APPLICATION_CREDENTIALS
+ GOOGLE_OAUTH_ACCESS_TOKEN
 ```
 - `"user.denylist"` `(string: see below)` - Specifies a comma-separated
diff --git a/website/content/docs/upgrade/upgrade-specific.mdx b/website/content/docs/upgrade/upgrade-specific.mdx
index 296aefdc0f5..1575cf8caa8 100644
--- a/website/content/docs/upgrade/upgrade-specific.mdx
+++ b/website/content/docs/upgrade/upgrade-specific.mdx
@@ -13,6 +13,14 @@ upgrade. However, specific versions of Nomad may have more details provided for
 their upgrades as a result of new features or changed behavior. This page is
 used to document those details separately from the standard upgrade flow.
+## Nomad 1.9.4
+
+In Nomad 1.9.4, the [default client env deny
+list](/nomad/docs/configuration/client#env-denylist) includes additional
+environment variables to improve security. Users who need some of these secure
+environment variables passed to their tasks should consult the list and
+overwrite it in the configuration.
+
 ## Nomad 1.9.3
 In Nomad 1.9.3, the mechanism used for calculating when objects are eligible