VAULT-12299 Use file.Stat when checking file permissions

[miagilepner]

VAULT_ENABLE_FILE_PERMISSIONS_CHECK can be bypassed if the file is modified in between the time its ownership is checked, and the time it is opened. This PR opens the config files first, then uses the file pointers to perform the ownership checks.

There isn't a test for the actual attack, because any test requires multiple OS users, which is difficult to do from Go test code. To reliably test the time of check vs time of use difference, you'd also need to be able to make a sigaction() syscall to perform the ownership change. It doesn't seem worth it to create an enos scenario for a scenario this simple.

[finnigja]

Note that this was in response to a report by an external researcher to security@hashicorp.com. After triage / investigation, we decided not to issue a CVE for this issue, as code execution on the underlying host is not within Vault’s security model.

An adversary with code execution or write privileges on the host is not something Vault can effectively defend against as a standalone Golang binary. This opt-in feature represents a best effort to reduce the likelihood of misconfigurations, and we decided to make the suggested changes nonetheless as to adhere to file handling best practices.

Thanks for Giuseppe Cocomazzi and the Sysdig team for the report.