Sane user JSON file permissions #165
Conversation
Creating ClientManager.writeUser().
JocelynDelalande
added
the
Type: Security
|
I think 0660 would be better than 0600. Most of the time, each user has its own group associated with it, and forcing it to 0600 can be really annoying for people who want to add users through a separate web server. With 0660, you can just add the webserver to the group and be fine, while with 0600 you're pretty much stuck having a job change them back to 0660. I really don't think this should be our responsibility to set those anyway. Doing that kind of thing is generally very annoying for sysadmins in my opinion because it overrides all the defaults that was set by the user. Plus, I don't know of any other software that does that, so I don't understand why we would want to do that. Additionally, this doesn't matter at all because one could also just chmod 0700 the home directory of the lounge to lock out everyone, so even if the files has been 0666 in the directory it still doesn't matter. I would rather add an instruction to the documentation that suggest putting the home directory to 0700 than being intrusive and do it our own stubborn way. I am tempted to give this a -1, so I would like to hear the opinions of other people on this. |
Avoid exposing hashed passwords to bruteforce from other system users.
JocelynDelalande
force-pushed
the
jd-sane-user-file-permissions
branch
from
2655719
to
ddfdf21
Compare
|
@maxpoulin64 Thanks for being sooo fast to answer :-)
Fair point. Edited accordingly.
Check how /etc/shadow (containing hashed passwords) is stored (0640), how SSH handle stores private key (0600, even when passphrase protected). In those examples the spirit is security by default rather than security for super-skilled adminsys elite. These are some cases where "system/user defaults" are not enough, because data is specially sensible, and thus software must make a permission choice to have security by default. On a end-user or easy-installable software (remember: lounge can even be run as a "desktop" IRC client), default behavior matter a lot in terms of security.
… but that's not the default on any distribution I know. Default settings is what matters for most users. |
|
(Not that it's any relevant for this PR, but the Ansible role I maintain for The Lounge sets permissions of the user configuration files to |
astorije
added
the
Type: Feature
| var users_path = Helper.HOME + "/users" ; | ||
| var user_path = users_path + "/" + userDict.user + ".json"; | ||
|
|
||
| mkdirp(users_path); |
There was a problem hiding this comment.
Should we set correct chmod here too? https://www.npmjs.com/package/mkdirp#mkdirpdir-opts-cb
There was a problem hiding this comment.
I don't think so. I'd stick to UNIX practices : user list can be viewed or not : responsibility of system/user conf (see /etc/passwd), but password are sensitive, so prevent world-reading (see /etc/shadow).
|
In light of the debate we are having, I think a better solution to avoid any problems would be to simply set A quick example of things that could be done that I would like to avoid breaking:
Which I repeat, would still be safe as long as |
The PR only deals with files, no dirs. |
I know, but I don't like it because it's really intrusive. So I suggest changing the permissions of only one directory instead, which is just as good. |
I'd say… do as you fancy, according to the needs of your role. Seems a sane setting for standard use though. To harden your configuration a bit you may want to tweak users directory, to something like 0770 or 0700 as well, depending if you use the group or not. It will protect even a user your create without ansible. |
|
@JocelynDelalande, @maxpoulin64, any news on this? |
@astorije All veto this and close it then. |
Follow up on thelounge#165 Closes thelounge#194
Follow up on thelounge#165 Closes thelounge#194
Follow up on thelounge#165 Closes thelounge#194
I don't get the link between the quote where I was answering astorije about his ansible role and the fact you veto & close. Maybe we misunderstood each other somewhere :-) |
|
I'd really like that we reach some consensus. So, here is a compromise proposal that may make it acceptable to you @maxpoulin64:
@maxpoulin64 and others, what do you think ? I'd wait for you approval before writing any line, don't want to waste time nb: unix ACL do the job the advanced needs you mention @maxpoulin64 , without adding a config option. |
|
Continuing from #205:
Absolutely not. This does nothing at all if the directory already exists, so you can set whatever you choose to. Once, and only if you didn't create it a dedicated home directory for your system service. This is not intrusive at all compared to shoving what we think is the best down the throat of everyone.
Why would you need sudo to read your own home directory? If you install The Lounge system-wide, you'll already have to create the appropriate directory in
That's getting really complicated to fix an edge case for people who sysadmin that shouldn't be allowed to admin a server. Linux has this config option built-in, and it's called the umask. The user shouldn't have to change options because we're doing stupid things we shouldn't be doing in the first place.
If I have to use ACLs to work around other software doing stupid things, something is seriously wrong.
That. A whole lot of that. Linux gives us all the tools needed to deal with that nativley, we have no reason to interfere with that. Literally no other software that I know of does that. |
|
Urgh, I must admit it's very confusing to revive a discussion on a closed PR while there is an open one with a start of discussion. I wish we had stayed on #205 for clarity...
I know I'm gonna be painted as the guy always against settings again (which is not true :p), but I'm very much against it.
I see ACLs as a powerful tool to match complex or very specific use cases. We are trying to find a go-to solution for a simple problem, so we should not expect admins to rely on ACLs to get things right. |
Following my comment suggesting this edit.