User: fix file permissions on create #4507

Merged
merged 1 commit into from
Apr 12, 2022

Member

@brunnre8 brunnre8 commented Mar 7, 2022

User files contain secrets and should be protected.
Chances are that the user folder can be protected as well,
so let's do that if TL is creating the folder.

@itsjohncs
Member

Did you test this by bringing up a clean install? Seems fine looking at the code but that seems like a worthwhile check to make sure nothing falls down.

@itsjohncs itsjohncs self-assigned this Mar 8, 2022
@itsjohncs itsjohncs added the Type: Feature Tickets that describe a desired feature or PRs that add them to the project. label Mar 8, 2022
@itsjohncs itsjohncs added this to the 4.3.2 milestone Mar 8, 2022
@brunnre8
Member Author

brunnre8 commented Mar 8, 2022

Yes:

[drwx------ reto     reto    ]  /tmp/theloungedir
├── [-rw-r--r-- reto     reto    ]  config.js
├── [drwxr-x--- reto     reto    ]  logs
├── [drwxr-xr-x reto     reto    ]  packages
│   ├── [drwxr-xr-x reto     reto    ]  node_modules
│   └── [-rw-r--r-- reto     reto    ]  package.json
├── [drwx------ reto     reto    ]  users
│   └── [-rw------- reto     reto    ]  dummy.json
└── [-rw------- reto     reto    ]  vapid.json

After setting THELOUNGE_HOME to a new dir, starting the server and a single user add.

Only thing that's not currently protected is the packages folder, which might need to be protected if plugins do something sensitive, but I think they can do it themselves if they care.

Member

@itsjohncs itsjohncs left a comment

Thanks for confirming.

@brunnre8 brunnre8 added the Status: release-after-next reviewed and ready to merge, postponed to release after next (feature freeze of current release) label Mar 9, 2022
@MaxLeiter MaxLeiter removed the Status: release-after-next reviewed and ready to merge, postponed to release after next (feature freeze of current release) label Apr 12, 2022
@MaxLeiter MaxLeiter merged commit d7bba32 into master Apr 12, 2022
@MaxLeiter MaxLeiter deleted the bookworm/safePerms branch April 12, 2022 00:47