Problem
The deploy script does not create or set permissions on /opt/kairix/secrets.env. If an operator creates this file manually, it may be world-readable (mode 644), exposing API keys and passwords to all local users.
Required Permissions
-rw-r----- root:<service-group> /opt/kairix/secrets.env
Mode 640: readable by root and the service group, not world-readable.
Proposed Fix
The deploy script should:
- Create /opt/kairix/secrets.env as an empty file if it doesn't exist
- Set chmod 640 /opt/kairix/secrets.env
- Set chown root:<kairix-service-group> /opt/kairix/secrets.env
- Ensure the kairix service user is a member of that group
If running without a dedicated service user, default to chmod 600 (owner-only).
The secret fetching script (issue #28) should apply these permissions after writing.
Acceptance Criteria
- After deploy, stat /opt/kairix/secrets.env shows mode 640 or 600
- File is not world-readable
- Service account can read the file (is in the owning group)
- Deploy script errors or warns if it cannot set the correct permissions
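One way a deploy script could implement the proposed fix and check the acceptance criteria, written as an added example and not the project's own code. The function name secure_secrets_file, its arguments, the symlink refusal and the choice to leave the owner unchanged in the 600 case are assumptions.

```shell
#!/bin/sh
# Added example, not the project's deploy script.
# Usage: secure_secrets_file FILE [GROUP [SERVICE_USER]]
#   GROUP given   -> owner root:GROUP, mode 640
#   GROUP omitted -> mode 600, owner left as-is (assumed behaviour)
secure_secrets_file() {
    file=$1 group=${2:-} svc_user=${3:-}

    # Refuse symlinks so chmod/chown cannot be redirected to another file.
    if [ -L "$file" ]; then
        echo "ERROR: $file is a symlink, refusing to touch it" >&2
        return 1
    fi

    # Create under a restrictive umask so the file is never briefly 644.
    if [ ! -e "$file" ]; then
        ( umask 077 && : > "$file" ) || {
            echo "ERROR: cannot create $file" >&2; return 1; }
    fi

    # Tighten to owner-only first: if a later step fails, the file stays 600.
    want=600
    chmod 600 "$file" || { echo "ERROR: chmod 600 failed on $file" >&2; return 1; }

    if [ -n "$group" ]; then
        want=640
        chown "root:$group" "$file" || {
            echo "ERROR: chown root:$group failed on $file" >&2; return 1; }
        chmod 640 "$file" || { echo "ERROR: chmod 640 failed on $file" >&2; return 1; }
    fi

    # Verify the result (GNU stat first, BSD stat as fallback).
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    if [ "$mode" != "$want" ]; then
        echo "ERROR: $file has mode $mode, expected $want" >&2
        return 1
    fi

    # The service account must be in the owning group to read a 640 file.
    if [ -n "$group" ] && [ -n "$svc_user" ]; then
        if ! id -nG "$svc_user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
            echo "ERROR: user $svc_user is not a member of group $group" >&2
            return 1
        fi
    fi
    return 0
}
```

The secret fetching script can call the same function after each write, so a rewritten file ends up with the same mode and owner.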