search

danb35 / freenas-iocage-nextcloud

Script to create an iocage jail on FreeNAS for the latest Nextcloud 28 release, including Caddy, MariaDB or PostgreSQL, and Let's Encrypt
GNU General Public License v3.0
258 stars 70 forks source link

Improvement to redis socket security #121

Closed samuel-emrys closed 4 years ago

samuel-emrys commented 4 years ago

Currently, permissions for the redis socket are 777; access for everyone. This presents a security vulnerability that allows any user to read cached data. I've modified the permissions to 770. To facilitate this I moved the socket to /var/run/redis, which is a directory with ownership redis:redis. This solves the problem of having it in /tmp, where the ownership of the socket is redis:wheel. The change in directory permissions allows other users to be added to the redis group without unnecessarily providing a user with the permissions of wheel.

Namely, it allows the www user to be added to the redis group, which allows the removal of any permissions to "other" users.

If you have any feedback let me know :)

samuel-emrys commented 4 years ago

@danb35 what are your thoughts?