File permissions on config files should allow more restrictive setting #965

leitzler · 2018-12-06T12:11:40Z

The config files must have 0640 as file permission, otherwise the proxy won't start. This check should be a mask check to allow a more restrictive permission (like 0600, 0400, etc)

athens/pkg/config/config.go

Lines 149 to 151 in 48f7ca7

    
           // Assume unix based system (MacOS and Linux) 
        
           if fInfo.Mode() != 0640 { 
        
           	return errors.E(op, f+" should have 0640 as permission")

Environment (please complete the following information):

OS: linux
Go version : 1.11.2
Buffalo Version : -
Proxy version : master
Storage (fs/mongodb/s3 etc.) : mem/file

leitzler · 2018-12-08T23:35:43Z

Ok, so I also noticed that is is only the filter file that is checked.
I would say that is way more important to check the actual config file permissions since it can contain secrets like credentials for 3rd party services and such.

manugupt1 mentioned this issue Dec 6, 2018

File permissions on config files allow more restrictive setting #966

Merged

arschles added the bug Something isn't working label Dec 6, 2018

arschles added this to the v0.3.0 milestone Dec 6, 2018

arschles added the good first issue Great issues for new Athenians to work on! label Dec 6, 2018

marpio closed this as completed in #966 Dec 18, 2018

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

File permissions on config files should allow more restrictive setting #965

File permissions on config files should allow more restrictive setting #965

leitzler commented Dec 6, 2018

leitzler commented Dec 8, 2018

File permissions on config files should allow more restrictive setting #965

File permissions on config files should allow more restrictive setting #965

Comments

leitzler commented Dec 6, 2018

leitzler commented Dec 8, 2018