Packaging: Remove world read perms from st2.conf

cognifloyd · cognifloyd · commit ae649f9a7a12 · 2025-04-14T10:13:08.000-05:00
When testing the packages, we should discover any non-root processes
that rely on access to st2.conf. Hopefully giving them access will be as
simple as switching the group to ST2_SVC_USER. Otherwise, we might need
to revert this change and make st2.conf world readable.

Also note that ST2 now supports passing secrets in env vars. So, people
could theoretically include the secrets in systemd conf files that are
only accessible by root. If any utils, like st2ctl, need access to those
secrets, however, they will need to get them from somewhere else if they
are not in st2.conf.
diff --git a/conf/BUILD b/conf/BUILD
@@ -94,6 +94,11 @@ nfpm_content_files(
     file_group="root",
     file_mode="rw-r--r--",
     overrides={
+        "/etc/st2/st2.conf": dict(
+            # st2.conf typically contains secrets, so it is not world readable.
+            file_mode="rw-r-----",  # NOTE: Packaging used to install this world readable.
+            # TODO: Maybe set file_group=ST2_SVC_USER if a non-root process needs access.
+        ),
         "/etc/st2/htpasswd": dict(
             file_owner=ST2_SVC_USER,
             file_group=ST2_SVC_USER,
