HaschekSolutions / pictshare

:camera: PictShare is an open source image, mp4, pastebin hosting service with a simple resizing and upload API that you can host yourself. :rice_scene:
https://www.pictshare.net
Apache License 2.0
840 stars 125 forks

File permissions and ownership #121

Closed Nutomic closed 4 years ago

Nutomic commented 4 years ago

It looks like all pictshare images are world writable and executable. And they are owned by systemd-network for some reason. That looks extremely bad for security.

$ ls -la volumes/pictshare/
drwxrwxrwx    2 systemd-network systemd-journal   4096 Jun  3 19:57 008jwy.jpg

geek-at commented 4 years ago

It's not owned by systemd. The Docker container doesn't even have systemd. What you are seeing as "systemd" is just what your computer names the group number (groups in Linux are identified via numbers, not names). The container is running it as "nginx".

Confirm using: docker exec -it pictshare ls -al data/

But yes, the permissions might be too open, since I had many weeks of trouble with nginx and Docker not being allowed to save to directories or read files. You're welcome to add a pull request on the Docker side of things because it seems to be over my head.
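
The two points raised in this thread, as an added example that is not part of the original issue or of PictShare's code: the owner name `ls` prints depends on which passwd database resolves the numeric ID stored on disk, and a data volume can be audited for the other-write bit. The passwd lines, UID 100, the directory layout and the modes applied by `tighten` are constructed assumptions; `stat -c` assumes GNU coreutils or BusyBox.

```shell
#!/bin/sh
# Added example: sample tree, passwd snippets and UID 100 are constructed.

# Resolve a numeric UID against a passwd-format file ($1 = file, $2 = uid).
name_for_uid() {
    awk -F: -v uid="$2" '$3 == uid { print $1; hit = 1; exit }
                         END { if (!hit) print "(no entry)" }' "$1"
}

# Print "mode uid:gid path" for every non-symlink entry at or below $1 that
# has the other-write bit set. Numeric IDs are what is stored on disk.
world_writable() {
    find "$1" ! -type l -perm -0002 -exec stat -c '%a %u:%g %n' {} + | sort
}

# One possible tightening (assumes the serving process owns the files):
# remove all access for "other", and remove execute from regular files.
tighten() {
    find "$1" -type d -exec chmod o-rwx {} +
    find "$1" -type f -exec chmod a-x,o-rw {} +
}

demo() {
    work=$(mktemp -d)
    # Constructed stand-ins for /etc/passwd on the host and in the container.
    printf 'systemd-network:x:100:102::/:/usr/sbin/nologin\n' > "$work/host.passwd"
    printf 'nginx:x:100:101::/var/lib/nginx:/sbin/nologin\n' > "$work/ctr.passwd"
    echo "uid 100 on host:      $(name_for_uid "$work/host.passwd" 100)"
    echo "uid 100 in container: $(name_for_uid "$work/ctr.passwd" 100)"

    # Constructed data directory: one directory per upload, mode 777.
    mkdir -p "$work/data/008jwy.jpg"
    : > "$work/data/008jwy.jpg/008jwy.jpg"
    chmod 777 "$work/data/008jwy.jpg" "$work/data/008jwy.jpg/008jwy.jpg"

    echo "world-writable before:"
    world_writable "$work/data"
    tighten "$work/data"
    echo "world-writable after: $(world_writable "$work/data" | wc -l)"
    rm -rf "$work"
}

demo
```

Comparing `ls -n` output on the host with `ls -n` inside the container shows the same numeric IDs even when `ls -l` shows different names.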