Permissions in data dir: Salt #80
Comments
Basically it is world readable so that it works even on badly configured sites. The salt is used to:
As it lives in the This file is automatically created by the PHP process, it should always be created belonging to the right user. Hence it should be safe to create it with just 640 or even 600 permissions.

Thanks for your reply. (But where are visual hashes used in the discussion?) So anyway...
Does that mean you'll change it, so that it applies these permissions?

Yes I will change it, but I will focus on the other issues first. I do assign the issues to myself when I plan to work on them.

BTW the Salt is also used for hashing (or HMACing) the IP addresses for IP limiting.

I think the permission might be set here. It might also affect other files in the data dir, but well... limiting permissions a bit more should not hurt.

That's the right place and a chmod after the file_put_contents will do the trick. We do have unit tests in place to check if it can be retrieved after being written for the various classes that extend this.
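
The permission change discussed in the comments above, as an added example that is not part of the thread or the project's own code; the helper names, the temporary directory standing in for the data dir, and the file contents are assumptions. It goes one step beyond a chmod after `file_put_contents` by tightening the umask first, so a newly created file is never briefly world-readable.

```php
<?php
// Hypothetical helper (not the project's code): write a secret file so that
// group and others never get access to it, not even for a moment.
function writePrivateFile(string $path, string $contents, int $mode = 0600): void
{
    // Tighten the umask first so a new file is created without group/other
    // bits. A chmod() after file_put_contents() alone leaves a short window
    // in which the file exists with the default mode (often 0644).
    $oldUmask = umask(0077);
    try {
        if (file_put_contents($path, $contents, LOCK_EX) === false) {
            throw new RuntimeException("could not write $path");
        }
        // Needed as well: a file that already existed keeps its old mode.
        if (!chmod($path, $mode)) {
            throw new RuntimeException("could not chmod $path");
        }
    } finally {
        umask($oldUmask);
    }
}

// True when neither group nor others have any permission bit set on $path.
function isPrivate(string $path): bool
{
    clearstatcache(true, $path);
    $perms = fileperms($path);
    return $perms !== false && ($perms & 0077) === 0;
}

// Constructed demo: a throwaway directory stands in for the data dir.
$dataDir = sys_get_temp_dir() . '/datadir-demo-' . bin2hex(random_bytes(4));
mkdir($dataDir, 0700);
$saltFile = $dataDir . '/salt.php';

// Reproduce the reported state: the file exists with 644 permissions.
file_put_contents($saltFile, "<?php /* old */\n");
chmod($saltFile, 0644);
printf("before: %o private=%s\n", fileperms($saltFile) & 0777, var_export(isPrivate($saltFile), true));

$salt = bin2hex(random_bytes(32)); // constructed sample value
writePrivateFile($saltFile, "<?php /* $salt */\n");
printf("after:  %o private=%s\n", fileperms($saltFile) & 0777, var_export(isPrivate($saltFile), true));

unlink($saltFile);
rmdir($dataDir);
```

`umask()` is process-wide, so on a multithreaded web server the `chmod()` step on its own is the safer choice.
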
Currently the file `salt.php` is created with 644 permissions in the data dir. I'm not sure for what this salt is used, but anyway I think it should not be world-readable as a salt is usually something which should be kept secret.
It is not that bad as salts are usually not such a secret information, but it really depends on what you use this Salt for...