Some files with sensitive information can be read by normal users #4

Closed
opened 2021-08-11 20:05:52 +00:00 by a · 11 comments
Owner

For example, `/etc/synapse/homeserver.yaml` is world readable and contains important passwords in plaintext. Please report here any other such files if you find them.
a added the
help wanted
label 2021-08-11 20:05:52 +00:00
a added this to the (deleted) project 2021-08-12 22:00:34 +00:00
Author
Owner

The Synapse config file is fixed now. Please report any other files with sensitive information if you find them!
a added the
security
label 2021-08-15 15:14:26 +00:00
a added this to the v5.0 milestone 2021-10-31 15:17:30 +00:00
Author
Owner

I found two more after setting up Drone #12: `/etc/systemd/system/drone.service.d/override.conf` and `/etc/systemd/system/drone-runner-exec.service.d/override.conf`. Unfortunately, `systemctl show` will reveal the contents even if the files aren't world-readable, but we can use an `EnvironmentFile` instead in the `systemd` service file.
a removed this from the v5.0 milestone 2021-11-03 00:39:13 +00:00
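The comment above describes the leak and the fix in one sentence; the following shell script, added here as an example and not taken from the exozyme project's unit files, puts the leaky drop-in next to the `EnvironmentFile=` form that replaces it and writes the environment file so that it never exists with a readable mode. The unit name `drone`, the variable `DRONE_RPC_SECRET`, the sample value and the temporary paths are assumptions for illustration; `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example, not the exozyme project's own unit files: the leaky drop-in
# pattern from the comment above next to the EnvironmentFile= form that
# replaces it. Unit name (drone), variable name (DRONE_RPC_SECRET) and the
# sample value are assumptions for illustration. Needs GNU coreutils.
set -eu

# Leaky form. The value becomes a unit property, so any local user can read it
# with `systemctl show -p Environment drone`, whatever the mode on override.conf.
leaky_dropin() {
    cat <<'EOF'
[Service]
Environment=DRONE_RPC_SECRET=example-secret-do-not-use
EOF
}

# Hardened form. The unit only names a file; systemd reads it as root when the
# service starts, and `systemctl show` reports the path, not its contents.
hardened_dropin() {
    # $1 = path of the environment file
    printf '[Service]\nEnvironmentFile=%s\n' "$1"
}

# Create the environment file under umask 077 so it never exists with a
# readable mode, then pin it to 0600 in case it was already there.
write_env_file() {
    # $1 = destination path, $2 = VAR=value line(s)
    (umask 077; printf '%s\n' "$2" > "$1")
    chmod 0600 "$1"
}

# True when neither group nor others have any access bits on the file.
is_private() {
    case "$(stat -c '%a' "$1")" in
        400|600|500|700) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo in a temporary directory; nothing here touches /etc or needs root.
demo=$(mktemp -d)
write_env_file "$demo/drone.env" 'DRONE_RPC_SECRET=example-secret-do-not-use'
hardened_dropin "$demo/drone.env" > "$demo/override.conf"
is_private "$demo/drone.env" && echo "env file mode $(stat -c '%a' "$demo/drone.env"): private"
cat "$demo/override.conf"
rm -rf "$demo"

# On a real host, after `systemctl daemon-reload` and a restart, confirm the
# secret is gone from the unit's properties; only the file path should appear.
if command -v systemctl >/dev/null 2>&1; then
    systemctl show -p Environment -p EnvironmentFiles drone 2>/dev/null || true
fi
```

The environment file can stay `0600 root:root` even though the service itself runs unprivileged, because systemd reads `EnvironmentFile=` before it switches to the unit's `User=`. Once the service is up, the secret is only in the process environment, which other local users cannot read from `/proc/<pid>/environ`.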
Author
Owner

Closing for now since I think we found and fixed all of the world-readable files with sensitive contents. If you all find any more, just reopen this issue.
a closed this issue 2021-11-13 03:39:49 +00:00
Author
Owner

Might want to check if any of the log files such as `/var/log/nginx` are readable or contain sensitive information.
a reopened this issue 2021-12-05 18:32:45 +00:00
Author
Owner

Restricted permissions on the `/var/lib/mastodon`, `/var/lib/peertube`, and `/var/log/nginx` folders.
Author
Owner

Did the same with `/etc/redis/redis.conf`. How did we not catch that one?
a closed this issue 2021-12-16 14:13:13 +00:00
Author
Owner

Let's leave `/var/lib/mastodon` and `/var/lib/peertube` as `755` to prevent permissions issues.
Author
Owner

Fixed permissions on the `/etc/peertube` directory.
a reopened this issue 2022-01-06 01:11:59 +00:00
abheekd was assigned by a 2022-01-06 01:12:06 +00:00
Author
Owner

OK, so I ended up using `750` permissions on most sensitive folders in `/var/lib` and added the `http` user (for the web server) to some groups to get access to those folders.
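The thread finds these files one at a time (`homeserver.yaml`, `redis.conf`, the nginx logs, the `/var/lib` trees) and fixes them with `750` plus group membership. The script below, added here as an example and not part of the exozyme project's tooling, does both steps in one place: it lists world-readable files under a set of roots, greps them for the keys that usually sit next to a credential, and applies the `750` + group pattern from the comment above. The sample files, the `app` directory, the secret patterns and the use of the current primary group in place of a service group are all constructed for the demo; it assumes GNU coreutils and find.

```shell
#!/bin/sh
# Added example, not the exozyme project's own tooling: audit a tree for
# world-readable files that carry credentials, then apply the 750-plus-group
# fix from the comment above. Sample files and patterns are constructed.
set -eu

# Regular files under the given roots that carry the other-read bit (o+r).
find_world_readable() {
    find "$@" -type f -perm -004 2>/dev/null
}

# Keys that usually sit next to a credential. The second alternative covers
# Redis directives, which take a bare value with no ':' or '='.
SECRET_RE='(password|passwd|secret|api_key|token)[[:space:]]*[:=]|^[[:space:]]*(requirepass|masterauth)[[:space:]]+'

# Print "path:line:text" for every hit in a world-readable file.
# Exit status 0 = clean, 1 = at least one probable leak.
audit_secrets() {
    hits=$(find "$@" -type f -perm -004 -exec grep -HEin "$SECRET_RE" {} + 2>/dev/null || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# The fix used for /var/lib/*: owner rwx, one group r-x, others nothing.
# Users that must reach the tree (e.g. http for the web server) are then added
# to that group with `usermod -aG GROUP http` instead of relaxing the mode.
restrict_dir() {
    # $1 = directory, $2 = group allowed to traverse it
    chgrp "$2" "$1"
    chmod 0750 "$1"
}

# Demo with constructed files standing in for /etc and /var/lib.
demo=$(mktemp -d)
mkdir -p "$demo/etc/synapse" "$demo/etc/redis" "$demo/var/lib/app"
printf 'database:\n  password: example-db-pass\n' > "$demo/etc/synapse/homeserver.yaml"
printf 'requirepass example-redis-pass\n' > "$demo/etc/redis/redis.conf"
printf 'nothing secret here\n' > "$demo/var/lib/app/README"
chmod 0644 "$demo/etc/synapse/homeserver.yaml" "$demo/etc/redis/redis.conf"

echo "== before =="
audit_secrets "$demo" || echo "(leaks listed above)"

# Remediate: config files 0640 (on a real host also chgrp them to the
# service's group), data directory 0750 with the current primary group
# standing in for the service group.
chmod 0640 "$demo/etc/synapse/homeserver.yaml" "$demo/etc/redis/redis.conf"
restrict_dir "$demo/var/lib/app" "$(id -gn)"

echo "== after =="
audit_secrets "$demo" && echo "clean"
rm -rf "$demo"
```

Run it as root against the real roots (`audit_secrets /etc /var/lib /var/log`) after each new service is installed; a clean exit status makes it usable as a check in a deploy script. The grep patterns are a starting point tuned to the files named in this thread, not a complete list of what a config file can leak.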
Author
Owner

I don't think this issue is as problematic anymore, since we no longer use password authentication for Redis or PostgreSQL and use Unix sockets instead. That's like 15 fewer passwords to worry about.
Author
Owner

Closing since I think we fixed all of these files.
a closed this issue 2022-01-18 17:44:49 +00:00
Reference: exozyme/exozyme#4