-
Notifications
You must be signed in to change notification settings - Fork 297
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Upgrade setting permissions on weewx.conf #948
Comments
Good point. We'll take a look at it. |
which files should have 660 permissions? each time the config file is modified by weectl, weectl makes a copy. weectl does not ensure 660 permissions. during and upgrade, there may be many copies of the config file. all of those should have the same permissions as the 'active' config file. if it is weewx-multi configuration, there will be multiple 'active' config files. so i'm not sure what the right approach is here. option 1: only modify permissions and ownership when upgrading from a v4 to v5 option 2: always set permissions and ownership option 3: always set permissions and ownership, but set permissions on every |
The only file that bothered me from a security perspective is the /etc/weewx/weewx.conf file as it has login details for 3rd party sites that might be sensitive information. You are right to point out that often has version copies/diffs placed in the same directory with differing names (sometimes appended to the '.conf' side) so all potentially have such information. In terms of options then your 'option 3' seems the simplest and safest. My initial thought was based on looking at the
This might not be perfect as there remains a window of opportunity from setting all files globally readable to removing that on the conf file(s) but given:
It would seem quite acceptable to me. |
this is what i was thinking. |
I don't understand much about the package manager process, but that seemed like the sort of change that ought to work. |
this will appear in weewx 5.1.0 |
It appears that the upgrade process for WeeWX re-sets permissions on the /etc/weewx directory including weewx.conf and that makes the config file world-readable. However, that file can include user name and password combinations for interfacing to 3rd party sites for ftp upload, Wunderground, etc, and those should not be readable by world+dog on any multi-user system.
Would it make more sense for that file to be always set to 660 permission and any user that needs non-sudo ability to edit or read the file is then added to the weewx group?
The text was updated successfully, but these errors were encountered: