LeastAuthority / althea-net-gravity-private

An internal fork of the Gravity bridge repo for internal work
Apache License 2.0

Permissions for keys.json file storing orchestrator keys are insecure #5

Open dnkolegov opened 2 years ago

dnkolegov commented 2 years ago

An orchestrator stores private keys in the keys.json file with permissions 644. That file is stored in the directory .gbt with permissions 755. So any user on the host can read private keys.

The vulnerable function is located here. To reproduce the issue, just run:

gbt init
gbt keys set-ethereum-key --key 1234747479292949494949494394934934934939434323435345345345345355
gbt keys show
ls -al ./gbt


jkilpatr commented 2 years ago

This is a good note; the file should be created with correct permissions.
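As an added example (not code from the Gravity repo or from either commenter), here is the shape of the fix being discussed together with a check for the reported state: the key directory is created 0700 and keys.json 0600 at creation time, and an audit reports any group/other bits on either. It assumes a Unix host; the directory and file names follow the report, the function names are my own.

```rust
// Added example (not gbt's own code): create the key store so only the owner
// can read it, and audit an existing store for the 0644/0755 state reported.
use std::fs::{self, DirBuilder, OpenOptions};
use std::io::{self, Write};
use std::os::unix::fs::{DirBuilderExt, OpenOptionsExt, PermissionsExt};
use std::path::Path;

/// Write `contents` to `dir/keys.json`, creating `dir` as 0700 and the
/// file as 0600. The mode is applied at creation, so a world-readable
/// file never exists, not even briefly.
pub fn write_key_file(dir: &Path, contents: &[u8]) -> io::Result<()> {
    if !dir.exists() {
        DirBuilder::new().mode(0o700).create(dir)?;
    }
    let mut f = OpenOptions::new()
        .write(true)
        .create(true)
        .truncate(true)
        .mode(0o600) // honoured only when the file is created here
        .open(dir.join("keys.json"))?;
    f.write_all(contents)?;
    f.sync_all()
}

/// Group/other permission bits on `path` (0 when only the owner has access).
pub fn leaky_bits(path: &Path) -> io::Result<u32> {
    Ok(fs::metadata(path)?.permissions().mode() & 0o077)
}

/// Audit a key directory: neither the directory nor keys.json may carry
/// group/other bits, otherwise any local user can read the keys.
pub fn audit_key_dir(dir: &Path) -> io::Result<Vec<String>> {
    let mut findings = Vec::new();
    for p in [dir.to_path_buf(), dir.join("keys.json")] {
        let bits = leaky_bits(&p)?;
        if bits != 0 {
            findings.push(format!(
                "{} is accessible to others (extra bits {:03o})",
                p.display(),
                bits
            ));
        }
    }
    Ok(findings)
}
```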