Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SQLite database is world-readable by default #82

Closed
Ajedi32 opened this issue May 8, 2018 · 2 comments
Closed

SQLite database is world-readable by default #82

Ajedi32 opened this issue May 8, 2018 · 2 comments
Labels
bug security

Comments

@Ajedi32
Copy link
Contributor

Ajedi32 commented May 8, 2018

The acme-dns database contains sensitive information such as API keys, and should not be readable by other Linux users by default. However, when I run acme-dns it creates the acme-dns.db file with its permission bits set to 644.
@joohoi
Copy link
Owner

joohoi commented May 14, 2018

This definitely is a bug, and should be fixed! Thanks for opening the issue!

serge-name added a commit to serge-name/acme-dns that referenced this issue May 28, 2018
@serge-name
create non-world-readable files (joohoi#82)
2926270
@Ajedi32
Copy link
Contributor Author

Ajedi32 commented Aug 3, 2018

Worth noting this issue is somewhat mitigated by the fact that the API keys are randomly generated, 40 characters long, and hashed with Bcrypt, so a database leak is very unlikely to result in usable credentials for an attacker.

@joohoi joohoi mentioned this issue Aug 12, 2018
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Ajedi32 @joohoi