Excessive (executable) file's permissions for non executable files #60

Closed
CompuRoot opened this issue May 21, 2022 · 1 comment
Labels
bug Something isn't working


@CompuRoot

Environment

| Item | description |
|---|---|
| gokapi Ver: | 1.5.1 |
| Host | Linux amd64 |

Files with insecure permissions

| file | current permission | should be |
|---|---|---|
| ./config/ssl.crt | 700 | 600 |
| ./config/ssl.key | 700 | 600 |
| ./data/filestorage.db/meta.json | 700 | 600 |

Also, a suggestion to set more secure permissions on the log and uploaded content:

./data/log.txt, as well as uploaded blobs (filenames as hashes), should have permissions 600 instead of 644

@Forceu
Owner

Forceu commented May 21, 2022

Thank you for your issue! As the data folder has the permission 700, it is not a serious security risk for now, as the data in the folder with permissions 644 is still unreadable for unauthorised users. I will change that with the next commit.

./data/filestorage.db/meta.json is created by a library. I would rather not change the permission manually, as having the executable bit is not really a big concern.

I will change the ssl certificate permissions however.

@Forceu Forceu added the enhancement New feature or request label May 21, 2022
Forceu added a commit that referenced this issue May 21, 2022
@Forceu Forceu closed this as completed May 21, 2022
@Forceu Forceu added bug Something isn't working and removed enhancement New feature or request labels May 21, 2022
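
An added example, not part of the original issue and not Gokapi's own code: a Go check that walks a directory and reports regular files whose permission bits exceed a wanted mode such as 600, which covers both cases raised above (the executable bit on ssl.crt, ssl.key and meta.json, and group/other read on log.txt and uploaded blobs). The names `AuditPerms` and `Finding`, the `fix` parameter and the `"."` root are assumptions made for this example.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// Finding is one regular file whose mode grants more than the wanted mode.
type Finding struct {
	Path         string
	Mode, Excess fs.FileMode // current bits, and the bits beyond the wanted mode
}

// AuditPerms walks root and reports regular files with permission bits outside
// want (e.g. 0o600). Directories are skipped: they need x to be traversed.
func AuditPerms(root string, want fs.FileMode, fix bool) ([]Finding, error) {
	var out []Finding
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || !d.Type().IsRegular() {
			return err // propagate walk errors; skip dirs, symlinks, sockets
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		if perm := info.Mode().Perm(); perm&^want != 0 {
			out = append(out, Finding{p, perm, perm &^ want})
			if fix { // clear only the excess bits; never adds any
				return os.Chmod(p, perm&want)
			}
		}
		return nil
	})
	return out, err
}

func main() {
	// "." is an assumed root directory; fix=false only reports.
	findings, err := AuditPerms(".", 0o600, false)
	for _, f := range findings {
		fmt.Printf("%s is %04o, excess bits %04o\n", f.Path, f.Mode, f.Excess)
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
	}
}
```

The mode a program passes to `os.WriteFile` or `os.OpenFile` is further reduced by the process umask, so checking the files on disk is the reliable way to confirm the result.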