[Bug] Wrong permissions in grafana package for grafana.db #8283
Comments
I think Grafana needs to change the file permission after the db file is created (first startup). It is created by sqlite though, so it has to happen after the db is initialized.
It's possible to create an empty Alternatively the permissions of the
Yes, the permission of the /var/lib/grafana directory should be updated as well. Is there any plan to fix this potential security issue, or do users have to run some manual mitigations by themselves?
How did you install Grafana? What package?
From the FHS standard:
So yeah, I agree that permissions on both grafana.db (after creation) and the directory itself could be closed. I think setting 750 on the directory makes sense, but grafana.db probably needs to be 600. This might not really matter as I doubt anybody puts themselves in the 'grafana' group but who knows - I can envision such a thing being useful as a way to sideload plugins. Certain individual directories within /var/lib/grafana are already closed to world access. Something must set them that way.
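The sequence discussed in the comments above, as an added example that is not part of the thread and not Grafana's code: SQLite creates the database file under the process umask, so the 600 and 750 modes proposed here have to be applied after initialization. The scratch directory, the `demo` table, the 022 umask and all function names are assumptions made for the illustration.

```python
import os
import sqlite3
import stat
import tempfile

DIR_MODE = 0o750  # proposed in the thread for /var/lib/grafana
DB_MODE = 0o600   # proposed in the thread for grafana.db


def mode_of(path):
    """Return only the permission bits of path."""
    return stat.S_IMODE(os.stat(path).st_mode)


def init_db(db_path):
    """Let SQLite create the file, then report the mode it was given."""
    conn = sqlite3.connect(db_path)
    conn.execute("CREATE TABLE IF NOT EXISTS demo (id INTEGER PRIMARY KEY)")
    conn.commit()
    conn.close()
    return mode_of(db_path)


def audit(data_dir, db_name="grafana.db"):
    """Return (path, mode, excess bits) for anything looser than the targets."""
    targets = ((data_dir, DIR_MODE), (os.path.join(data_dir, db_name), DB_MODE))
    return [(p, oct(mode_of(p)), oct(mode_of(p) & ~want & 0o777))
            for p, want in targets if mode_of(p) & ~want & 0o777]


def harden(data_dir, db_name="grafana.db"):
    """Tighten the directory and the already-created database file."""
    os.chmod(data_dir, DIR_MODE)
    os.chmod(os.path.join(data_dir, db_name), DB_MODE)


def demo():
    """Create, audit, harden and re-audit inside a scratch directory."""
    old_umask = os.umask(0o022)  # assumed service umask (a common default)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            data_dir = os.path.join(tmp, "grafana")  # stand-in for /var/lib/grafana
            os.mkdir(data_dir)
            created = init_db(os.path.join(data_dir, "grafana.db"))
            before = audit(data_dir)
            harden(data_dir)
            return created, before, audit(data_dir)
    finally:
        os.umask(old_umask)
```

`audit()` can also be pointed at a real data directory to report any bits beyond 750 and 600 without changing anything.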
Looking into how to solve this.
@marefr @bergquist Do you know where the permissions on /var/lib/grafana are dictated? Should we change its permissions to 750?
I've made a PR to change SQLite file permissions to 0600.
It looks like in #2126 there were plans to lock down the sqlite DB to 0600. While grafana.ini did get locked down, the DB did not. Unless this is no longer believed to be necessary I could try to send a PR.