This repository has been archived by the owner on Nov 11, 2023. It is now read-only.

Permissions in data dir: Salt #80

Closed
rugk opened this issue May 12, 2016 · 6 comments

rugk commented May 12, 2016

Currently the file salt.php is created with 644 permissions in the data dir.
I'm not sure for what this salt is used, but anyway I think it should not be world-readable as a salt is usually something which should be kept secret.

It is not that bad as salts are usually not such a secret information, but it really depends on what you use this Salt for...

Owner

elrido commented May 14, 2016

Basically it is world readable so that it works even on badly configured sites.

The salt is used to:

  • generate unique VizHash in discussions (which are not reproducible across ZeroBin servers)
  • generate unique deletion token (which are not re-usable across ZeroBin servers)

As it lives in the data directory, it would be best if that folder is moved to another directory outside of the document root.

This file is automatically created by the PHP process, it should always be created belonging to the right user. Hence it should be safe to create it with just 640 or even 600 permissions.

@elrido elrido added the bug label May 14, 2016
Author

rugk commented May 14, 2016

Thanks for your reply. (But where are visual hashes used in the discussion?)

So anyway...

> Hence it should be safe to create it with just 640 or even 600 permissions.

Does that mean you'll change it, so that it applies these permissions?

Owner

elrido commented May 17, 2016

Yes I will change it, but I will focus on the other issues first. I do assign the issues to myself when I plan to work on them.

Author

rugk commented Jun 20, 2016

BTW the Salt is also used for hashing (or HMACing) the IP addresses for IP limiting.

Author

rugk commented Jun 20, 2016

I think the permission might be set here. It might also affect other files in the data dir, but well... limiting permissions a bit more should not hurt.

@rugk rugk self-assigned this Jun 20, 2016
Owner

elrido commented Jun 21, 2016

That's the right place and a chmod after the file_put_contents will do the trick. We do have unit tests in place to check if it can be retrieved after being written for the various classes that extend this.

rugk added a commit that referenced this issue Jun 21, 2016
@rugk rugk added the security label Jul 3, 2016
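
The fix discussed in this thread (a chmod after the file_put_contents, so the salt ends up with 600 instead of 644), as an added example that is not part of the original thread or the project's code. The function names, the temporary directory standing in for the data dir and the file content are assumptions made for the demonstration.

```php
<?php
// Added example; writePrivateFile() and modeOf() are hypothetical helpers.

/** Write $data to $path so that only the owning user can read it. */
function writePrivateFile(string $path, string $data): void
{
    // A tight umask means a newly created file is never world-readable, even
    // in the window before chmod(). umask is process-wide: the PHP manual
    // advises against it on multithreaded servers, where chmod() alone is used.
    $oldUmask = umask(0077);
    try {
        if (file_put_contents($path, $data, LOCK_EX) === false) {
            throw new RuntimeException("cannot write $path");
        }
        // A file that already existed keeps its old mode, so set it explicitly.
        if (!chmod($path, 0600)) {
            throw new RuntimeException("cannot chmod $path");
        }
    } finally {
        umask($oldUmask);
    }
}

/** Return the permission bits of $path as an integer such as 0600. */
function modeOf(string $path): int
{
    clearstatcache(true, $path);
    $perms = fileperms($path);
    if ($perms === false) {
        throw new RuntimeException("cannot stat $path");
    }
    return $perms & 0777;
}

// Constructed demo: a temporary directory stands in for the data dir.
$dir = sys_get_temp_dir() . '/datadir-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$salt = $dir . '/salt.php';

// Reproduce the state reported in the issue: the file exists with 644.
file_put_contents($salt, 'old');
chmod($salt, 0644);
printf("before: %04o\n", modeOf($salt));

// Constructed file content; the real salt.php format is not shown on this page.
writePrivateFile($salt, '<?php /* ' . bin2hex(random_bytes(32)) . ' */');
printf("after:  %04o\n", modeOf($salt));

unlink($salt);
rmdir($dir);
```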