add docs on root owned files (#1041)

OSC · Dec 19, 2024 · 68495e1 · 68495e1
1 parent 5902433
commit 68495e1
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 0 deletions.
diff --git a/source/reference/files/ondemand-d-ymls.rst b/source/reference/files/ondemand-d-ymls.rst
@@ -24,6 +24,10 @@ These properties support profile based configuration, see the :ref:`profile conf
              i.e. ``OOD_BRAND_BG_COLOR: '#0000ff'``. If you omit the quotes, YAML will see ``#`` as a comment and the value of the ``OOD_BRAND_BG_COLOR`` will be ``nil``
 
 
+.. warning::
+  OnDemand will only respond to root owned files. Configuration files
+  that are not owned by the root user (uid 0) will not be read.
+
 .. _profile_properties:
 
 Configuration Properties with profile support

diff --git a/source/release-notes/v4.0-release-notes.rst b/source/release-notes/v4.0-release-notes.rst
@@ -89,6 +89,19 @@ id of the form item will be lowercase as shown below.
 
   id="batch_connect_session_context_my_cool_form_item"
 
+Root owned configuration files
+******************************
+
+In an effort to increase the security of the Open OnDemand platform,
+the system will now start to only respond to root owned configuration
+files.
+
+This will mean that all configfuration files in ``/etc/ood/config``
+will need to be owned by the ``root`` user (uid 0) in order to be used.
+
+While these files need to be root owned, they can continue to have any
+group ownership.
+
 Deprecations
 ............