Some files with sensitive information can be read by normal users #4
For example, `/etc/synapse/homeserver.yaml` is world-readable and contains important passwords in plaintext. Please report here any other such files if you find them.

The Synapse config file is fixed now. Please report any other files with sensitive information if you find them!
I found two more after setting up Drone #12: `/etc/systemd/system/drone.service.d/override.conf` and `/etc/systemd/system/drone-runner-exec.service.d/override.conf`. Unfortunately, `systemctl show` will reveal the contents even if the files aren't world-readable, but we can use an `EnvironmentFile` instead in the `systemd` service file.

Closing for now since I think we found and fixed all of the world-readable files with sensitive contents. If you all find any more, just reopen this issue.
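A small audit script for the two problems raised in this thread, added here as an example and not code from the issue or the project: it flags paths whose "other" read bit is set, and counts `Environment=` lines in a systemd drop-in, since those values appear in `systemctl show` output regardless of the drop-in's file mode (an `EnvironmentFile=` pointing at a 0640 file does not). It assumes a Linux host with GNU stat(1); the paths in `SENSITIVE_PATHS` are placeholders taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the issue thread. Audits paths for the
# "other" read bit and counts Environment= lines in systemd drop-ins,
# which `systemctl show` prints for any local user. Assumes a Linux
# host with GNU stat(1); every path in SENSITIVE_PATHS is a placeholder
# taken from the thread, not a value checked by the project.

SENSITIVE_PATHS="/etc/synapse/homeserver.yaml
/etc/systemd/system/drone.service.d/override.conf
/etc/systemd/system/drone-runner-exec.service.d/override.conf
/etc/redis/redis.conf
/var/log/nginx"

# world_readable PATH: 0 if "other" may read, 1 if not, 2 if unreadable.
world_readable() {
    mode=$(stat -c '%a' "$1" 2>/dev/null \
        || stat -f '%Lp' "$1" 2>/dev/null) || return 2
    case "${mode#"${mode%?}"}" in     # last octal digit: "other" class
        4|5|6|7) return 0 ;;
        *)       return 1 ;;
    esac
}

# inline_env_count FILE: number of Environment= lines in FILE. Values on
# those lines are visible via `systemctl show`; an EnvironmentFile= that
# points at a 0640 file keeps them out of that output. Missing file -> 0.
inline_env_count() {
    n=$(grep -c '^[[:space:]]*Environment=' "$1" 2>/dev/null) || n=${n:-0}
    printf '%s\n' "$n"
}

# audit: one report line per finding, nothing for clean or missing paths.
audit() {
    printf '%s\n' "$SENSITIVE_PATHS" | while IFS= read -r p; do
        [ -n "$p" ] || continue
        world_readable "$p" && printf 'WORLD-READABLE %s\n' "$p"
        case "$p" in
            *.conf) c=$(inline_env_count "$p")
                    [ "$c" -gt 0 ] && printf 'INLINE-ENV(%s) %s\n' "$c" "$p" ;;
        esac
    done
}

# Run the audit only when invoked with --run, so the file can also be sourced.
if [ "${1:-}" = --run ]; then audit; fi
```

Run it as `sh audit_perms.sh --run` on the host; anything reported as `INLINE-ENV` should be moved into an `EnvironmentFile=` with restricted permissions, and anything reported as `WORLD-READABLE` needs its mode tightened.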
Might want to check if any of the log files such as `/var/log/nginx` are readable or contain sensitive information.

Restricted permissions on the `/var/lib/mastodon`, `/var/lib/peertube`, and `/var/log/nginx` folders.

Did the same with `/etc/redis/redis.conf`. How did we not catch that one?

Let's leave `/var/lib/mastodon` and `/var/lib/peertube` as `755` to prevent permissions issues.

Fixed permissions on the `/etc/peertube` directory.

OK, so I ended up using `750` permissions on most sensitive folders in `/var/lib` and added the `http` user (for the web server) to some groups to get access to those folders.

I don't think this issue is as problematic anymore, since we no longer use password authentication for Redis or PostgreSQL and use Unix sockets instead. That's like 15 fewer passwords to worry about.

Closing since I think we fixed all of these files.