atomicdata-dev / atomic-server

An open source headless CMS / real-time database. Powerful table editor, full-text search, and SDKs for JS / React / Svelte.
https://atomicserver.eu
MIT License

sensitive data stored world readable #325

Open jonassmedegaard opened 2 years ago

jonassmedegaard commented 2 years ago

When atomic-server is initially started, it creates the directory ~/.config/atomic, and when the admin profile is created it stores its private key in ~/.config/atomic/config.toml.

Both directory and file are created with default access rights 0755, i.e. group and world readable.

That is insecure!

TOML file should never be world readable. I.e. the

I recommend ensuring that the process creating the TOML file first sets a umask of 057 so that the file is never world readable, not only for a moment initially.

If other files, e.g. the database, never need to be accessed directly, only through atomic-server, then I recommend doing the same before creating the directory.

It might also make sense to check at each startup if the TOML file (and maybe also its directory) is world readable, and if it is then refuse to start with an explanation that it is insecure and needs tightening.

joepio commented 2 years ago

Thanks, good catch. I'm pretty unfamiliar with this terrain, any help is appreciated. I think Rust's fs::PermissionsExt will help. @jonassmedegaard what is a sensible 'mode' for the config file?

https://doc.rust-lang.org/std/os/unix/fs/trait.PermissionsExt.html

There's a umask crate that may help with mapping unix modes

https://docs.rs/umask/0.1.5/umask/

jonassmedegaard commented 2 years ago

Most important is to not permit world read access. Arguably it is ok to permit group read (because only trusted users should be in the default group).

There are two ways to express the constraint - umask and mode. Umask is part of the UNIX environment and is used to resolve default mode when no explicit mode is declared. Some sloppy tools might first create files/dirs with default mode and only afterwards change access rights to match a declared mode. That's the reason I talk about setting umask even though technically what is applied is always a mode.

Umask and mode can be expressed either as octal numbers or semantically.

A more relaxed setup not allowing world read (but tolerating group read) is achieved by setting umask 027 which results in tools by default applying mode 750 for directories and 640 for files - or semantically expressed applying mode user=read+write+exec,group=read+exec,world=none for directories and user=read+write,group=read,world=none for files.

A strict setup not allowing group or world read is achieved by setting umask 077 which results in tools by default applying mode 700 for directories and 600 for files - or semantically expressed applying mode user=read+write+exec,group+world=none for directories and user=read+write,group+world=none for files.
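The following is an added example written for this thread, not code from atomic-server itself, showing in Rust what the two comments above describe: the umask-to-default-mode mapping (027 gives 640/750, 077 gives 600/700), creating the config directory and file with a restrictive mode passed to the create call so they are never briefly world readable, and a startup check that refuses to continue when the file (or its directory) carries forbidden permission bits. The file name config.toml comes from the issue; the temp directory, the constant names STRICT and RELAXED, and the sample file contents are assumptions made for the example. It uses only std (std::os::unix::fs), so it runs on any Unix without the umask crate.

```rust
use std::fs::{self, DirBuilder, OpenOptions};
use std::io::{self, Write};
use std::os::unix::fs::{DirBuilderExt, OpenOptionsExt, PermissionsExt};
use std::path::{Path, PathBuf};

/// Default mode a tool gets for a new file when it declares no explicit mode:
/// the kernel starts from 0666 and clears every bit that is set in the umask.
pub fn default_file_mode(umask: u32) -> u32 {
    0o666 & !umask
}

/// Same for directories, which start from 0777 (the exec bit means "search").
pub fn default_dir_mode(umask: u32) -> u32 {
    0o777 & !umask
}

/// Strict setup (umask 077): no group and no world bits may be set.
pub const STRICT: u32 = 0o077;
/// Relaxed setup (umask 027): group read/search tolerated, group write and all world bits forbidden.
pub const RELAXED: u32 = 0o027;

/// Create `dir` with mode 0700 and write `contents` into `dir/config.toml` with mode 0600.
/// The mode is handed to the create call itself, so there is no window in which the
/// object exists with the umask default before a later chmod tightens it.
/// (The umask still applies, but it can only clear bits, and 0700/0600 have no group/world bits to clear.)
pub fn write_private_config(dir: &Path, contents: &[u8]) -> io::Result<PathBuf> {
    if !dir.exists() {
        DirBuilder::new().mode(0o700).create(dir)?;
    }
    let path = dir.join("config.toml");
    let mut f = OpenOptions::new()
        .write(true)
        .create_new(true) // refuse to clobber an existing config instead of silently overwriting it
        .mode(0o600)
        .open(&path)?;
    f.write_all(contents)?;
    f.sync_all()?;
    Ok(path)
}

/// Startup check: succeed only if none of the `forbidden` permission bits are set on `path`.
/// Use STRICT for files holding a private key, RELAXED if group read is acceptable.
pub fn check_not_accessible_by(path: &Path, forbidden: u32) -> io::Result<()> {
    let mode = fs::metadata(path)?.permissions().mode() & 0o777;
    if mode & forbidden != 0 {
        return Err(io::Error::new(
            io::ErrorKind::PermissionDenied,
            format!(
                "{} has mode {:04o}; it holds secrets and must not carry bits {:04o}. Fix with: chmod {:04o} {}",
                path.display(),
                mode,
                forbidden,
                mode & !forbidden,
                path.display()
            ),
        ));
    }
    Ok(())
}

fn main() -> io::Result<()> {
    // Assumed location for the demo; the real server uses ~/.config/atomic.
    let dir = std::env::temp_dir().join(format!("atomic-umask-demo-{}", std::process::id()));
    // Constructed sample contents, not a real key.
    let cfg = write_private_config(&dir, b"# constructed sample\nprivate_key = \"not-a-real-key\"\n")?;
    let mode = fs::metadata(&cfg)?.permissions().mode() & 0o777;
    println!("created {} with mode {:04o}", cfg.display(), mode);
    check_not_accessible_by(&dir, STRICT)?;
    check_not_accessible_by(&cfg, STRICT)?;

    // Reproduce the reported state (world readable) and show the startup check rejecting it.
    fs::set_permissions(&cfg, fs::Permissions::from_mode(0o644))?;
    match check_not_accessible_by(&cfg, STRICT) {
        Err(e) => println!("refusing to start: {}", e),
        Ok(()) => println!("unexpected: world-readable config accepted"),
    }
    fs::remove_dir_all(&dir)?;
    Ok(())
}
```

Passing the mode to DirBuilder::mode and OpenOptions::mode is the "declare a mode up front" approach from the thread; calling set_permissions afterwards would leave exactly the momentary world-readable window the issue warns about.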