Re: possible? less restrictive file permissions
Hi Raulo,

On 08/23/2018 08:04 AM, Raulo Olapodrido wrote:
> Hi all,
>
> thank you for your suggestions, but a commonly shared local git repository is not what I am looking for. I am rather seeking ways to just use something like PASSWORD_STORE_DIR=/var/local/password-store pass and have all users directly work in that directory, git aside.
>
> This currently is not possible, because new files (for example generated via "pass insert") are getting a file permission mask of 0600, and no other user than its creator can read its contents.
>
> The restrictive permission mask may be good practice, but seems to be unnecessary, because the content is already protected by the encryption. Furthermore, it disables the use of a commonly shared password store.
>
> Or am I missing something?

Yes, you are missing the pass manpage :-): $PASSWORD_STORE_UMASK sets the umask for the password store.

As I already wrote, we are using a shared directory (NFS share, no git) in the group and it works just fine.

frank

___
Password-Store mailing list
Password-Store@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/password-store
Re: possible? less restrictive file permissions
Ha! PASSWORD_STORE_UMASK seems to be exactly what I was looking for. How did I miss that?! Thanks a ton!

On 23.08.18 at 08:18, Sebastian Reuße wrote:
> Raulo Olapodrido writes:
>
>> and have all users directly work in that directory, git aside.
>>
>> This currently is not possible, because new files (for example generated via "pass insert") are getting a file permission mask of 0600, and no other user than its creator can read its contents.
>>
>> The restrictive permission mask may be good practice, but seems to be unnecessary, because the content is already protected by the encryption. Furthermore, it disables the use of a commonly shared password store.
>
> It looks like pass applies a umask of 077 by default, but you can set a less restrictive mask by setting PASSWORD_STORE_UMASK to a value of your liking. E.g., «export PASSWORD_STORE_UMASK=007» should give full access to your user group for newly created files.
>
> However, sharing a git repository and working directory among multiple users might cause you some problems (which you may already have considered). E.g., users might interact with the repository without using a permissive umask (either by not setting PASSWORD_STORE_UMASK or by using git directly with their default umask) or with their primary user group set to something unexpected.
>
> Kind regards,
>
> SR
Re: possible? less restrictive file permissions
Raulo Olapodrido writes:

> and have all users directly work in that directory, git aside.
>
> This currently is not possible, because new files (for example generated via "pass insert") are getting a file permission mask of 0600, and no other user than its creator can read its contents.
>
> The restrictive permission mask may be good practice, but seems to be unnecessary, because the content is already protected by the encryption. Furthermore, it disables the use of a commonly shared password store.

It looks like pass applies a umask of 077 by default, but you can set a less restrictive mask by setting PASSWORD_STORE_UMASK to a value of your liking. E.g., «export PASSWORD_STORE_UMASK=007» should give full access to your user group for newly created files.

However, sharing a git repository and working directory among multiple users might cause you some problems (which you may already have considered). E.g., users might interact with the repository without using a permissive umask (either by not setting PASSWORD_STORE_UMASK or by using git directly with their default umask) or with their primary user group set to something unexpected.

Kind regards,

SR

--
Insane cobra split the wood
Trader of the lowland breed
Call a jittney, drive away
In the slipstream we will stay
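The umask behaviour frank and SR describe, as an added example that is not part of pass or of this thread: a POSIX shell script that creates entries the way pass does (applying $PASSWORD_STORE_UMASK, defaulting to 077) inside a group-owned, setgid store directory, shows what mode each file ends up with, and lists the entries that would break a shared store. The 2770 directory layout, the optional PASSWORD_STORE_GROUP variable, the `create_entry` helper and the empty `.gpg` placeholder files (where pass writes GPG ciphertext) are assumptions made here for the illustration, not anything the thread or the pass manpage specifies.

```shell
#!/bin/sh
# Added example, not part of pass or of this thread: emulate how pass
# applies $PASSWORD_STORE_UMASK when it writes an entry, and show what
# ends up on disk in a shared store directory.
#
# Assumptions (not stated in the thread): pass runs
# `umask "${PASSWORD_STORE_UMASK:-077}"` before creating files; the store
# directory belongs to a dedicated group named in PASSWORD_STORE_GROUP;
# the .gpg files written here are empty placeholders for ciphertext.

# Octal mode of a path. GNU stat and BSD stat differ, so try both.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Prepare a shared store: group-owned, setgid so new entries inherit the
# group, and closed to everyone else (2770). chgrp only if a group is given.
setup_shared_store() {
    dir=$1
    mkdir -p "$dir"
    [ -n "${PASSWORD_STORE_GROUP:-}" ] && chgrp "$PASSWORD_STORE_GROUP" "$dir"
    chmod 2770 "$dir"
}

# Create "$name.gpg" in $dir under an explicit umask and print its mode.
# Runs in a subshell so the umask change does not leak into the caller.
create_entry() (
    dir=$1; name=$2; mask=$3
    umask "$mask"
    : > "$dir/$name.gpg"
    file_mode "$dir/$name.gpg"
)

# The same, honouring PASSWORD_STORE_UMASK the way pass does, with the
# documented default of 077 (files come out 0600: owner-only).
create_with_store_umask() {
    create_entry "$1" "$2" "${PASSWORD_STORE_UMASK:-077}"
}

# The check a shared-store admin wants: list entries that are not exactly
# group read/write with no access for others (mode ...660). Files written
# with the default 077 (0600, unreadable by the group) or by a tool that
# used a login umask such as 022 (0644, world-readable ciphertext that the
# group cannot overwrite) both show up here.
find_misfiled_entries() {
    find "$1" -type f -name '*.gpg' | while IFS= read -r f; do
        mode=$(file_mode "$f")
        case $mode in
            *660) ;;
            *) printf '%s %s\n' "$mode" "$f" ;;
        esac
    done
}

# Demonstration; invoke as `sh shared-store-umask.sh demo`.
demo() {
    store=$(mktemp -d)/store
    setup_shared_store "$store"
    echo "pass default (umask 077):  $(create_with_store_umask "$store" a)"
    echo "PASSWORD_STORE_UMASK=007:  $(export PASSWORD_STORE_UMASK=007; create_with_store_umask "$store" b)"
    echo "written directly, umask 022: $(create_entry "$store" c 022)"
    echo "entries needing chmod:"
    find_misfiled_entries "$store"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Setting PASSWORD_STORE_UMASK=007 only fixes files that pass itself creates; `find_misfiled_entries` is the audit to run after someone edits or copies an entry with their own tools, which is exactly the failure mode SR warns about.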
Re: possible? less restrictive file permissions
Hi all,

thank you for your suggestions, but a commonly shared local git repository is not what I am looking for. I am rather seeking ways to just use something like PASSWORD_STORE_DIR=/var/local/password-store pass and have all users directly work in that directory, git aside.

This currently is not possible, because new files (for example generated via "pass insert") are getting a file permission mask of 0600, and no other user than its creator can read its contents.

The restrictive permission mask may be good practice, but seems to be unnecessary, because the content is already protected by the encryption. Furthermore, it disables the use of a commonly shared password store.

Or am I missing something?

Thanks and kind regards

On 23.08.18 at 07:42, Sebastian Reuße wrote:
>
> William Morris writes:
>
>> I'd like to see an automatic `push` config or command option in `pass`.
>
> The most straightforward way to achieve this would be to install a post-commit hook to fetch, merge/rebase and then push after a commit, or am I missing something?
>
> Kind regards,
>
> SR
Re: possible? less restrictive file permissions
William Morris writes:

> I'd like to see an automatic `push` config or command option in `pass`.

The most straightforward way to achieve this would be to install a post-commit hook to fetch, merge/rebase and then push after a commit, or am I missing something?

Kind regards,

SR

--
Insane cobra split the wood
Trader of the lowland breed
Call a jittney, drive away
In the slipstream we will stay
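The post-commit hook SR suggests, as an added example that is not part of pass or of this thread: a small installer that drops a hook into the store's clone which fetches, rebases the fresh commit onto the remote branch and pushes, and backs out cleanly if the rebase conflicts. The remote name "origin", the assumption that the current branch has a same-named counterpart on it, the ordinary `.git/hooks` layout and the PASS_AUTOSYNC re-entrancy guard variable are all choices made here, not part of pass.

```shell
#!/bin/sh
# Added example, not part of pass or of this thread: install a git
# post-commit hook that fetches, rebases and pushes after every commit
# pass makes, so users need not remember `pass git pull` / `pass git push`.
#
# Assumptions (not given in the thread): the store is an ordinary clone
# with hooks in .git/hooks, the remote is named "origin", and the current
# branch has a counterpart of the same name there. PASS_AUTOSYNC is a
# variable name chosen here to guard against re-entrant hook runs.

# The hook script itself, emitted verbatim from a quoted heredoc so the
# installer needs no templating.
post_commit_hook_body() {
    cat <<'EOF'
#!/bin/sh
# Auto-sync hook for a git-backed password store (see installer).
set -e

# git rebase can itself run post-commit hooks; the nested invocation
# inherits this variable and becomes a no-op instead of recursing.
if [ -n "${PASS_AUTOSYNC:-}" ]; then exit 0; fi
export PASS_AUTOSYNC=1

branch=$(git rev-parse --abbrev-ref HEAD)
if [ "$branch" = HEAD ]; then
    echo "post-commit: detached HEAD, not syncing" >&2
    exit 0
fi

git fetch origin
# Rebase our new commit onto whatever the others pushed. On a conflict,
# abort so the working tree is left as it was, and leave the push to a
# human rather than half-merging secrets.
if ! git rebase "origin/$branch"; then
    git rebase --abort
    echo "post-commit: rebase onto origin/$branch failed; push skipped" >&2
    exit 1
fi
git push origin "$branch"
EOF
}

# Write the hook into the store's repository. Refuses to clobber an
# existing hook, and prints the path it wrote so the caller can inspect it.
install_post_commit_hook() {
    repo=$1
    hook=$repo/.git/hooks/post-commit
    if [ -e "$hook" ]; then
        echo "refusing to overwrite existing $hook" >&2
        return 1
    fi
    mkdir -p "$repo/.git/hooks"
    post_commit_hook_body > "$hook"
    chmod 755 "$hook"
    echo "$hook"
}

# Usage: sh install-pass-autosync.sh "$PASSWORD_STORE_DIR"
if [ -n "${1:-}" ]; then install_post_commit_hook "$1"; fi
```

Hooks are not versioned, so every user has to run the installer in their own clone; that per-clone step is the reason a built-in `pass` option, as William asks for, would be more convenient than the hook.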
Re: possible? less restrictive file permissions
Hi Raulo,

On 08/22/2018 03:10 PM, Raulo Olapodrido wrote:
> Hi list,
>
> I would like to use Ansible's pass plugin to extend Ansible with a flexible database for sensitive information (passwords, certificates etc). This works very well(!) for a single user. By using gpg's group feature, it is possible to encrypt entries for multiple users. Yay!
>
> Still, the pass directory is in the user's own home directories, and has to be pulled from/pushed to a common git repository, to be shared with everyone.

That's not completely correct: the pass directory can be in /any/ location (the environment variable $PASSWORD_STORE_DIR controls this). We use a password store within a group where the directory is in a shared location (NFS mounted directory). That works fine and no pull/push is required.

I always found the idea to share a password store by git impractical. I cannot imagine that you don't get out of sync within a very, very short time ;-)

Cheers
frank

> While this is natural to some, some users not used to Git will have problems, like forgetting to pull/push, and being unable to handle conflicts. Some of that can be made easier with automatic pull/push in ~/.bashrc and ~/.bash_logout respectively.
>
> However, a common local directory seems more approachable to me. The problem is that newly created files get very restrictive file permissions, and cannot be read by other users, even of the same group.
>
> I did not find remedies in the mailing list archive. Does anyone have an idea what could be tried?
>
> Thanks!
> Raulo