getsolus / packages

Solus Package Monorepo & Issue Tracker

fresh ufw install - WARN /etc/ufw/rules... are world readable (T6243) #110

Open celticmagic opened 1 year ago

celticmagic commented 1 year ago
Eric S. (#eric-salo), 2018-04-20 10:45:12 UTC

`ufw` only complains about it when it resets, which barely anyone does.

```
thinkpad in ~ ○ → ls -l /etc/ufw
total 48
-rw-r--r-- 1 root root  915 Feb  1  2017 after6.rules
-rw-r--r-- 1 root root 1126 Feb  1  2017 after.init
-rw-r--r-- 1 root root 1004 Feb  1  2017 after.rules
drwxr-xr-x 2 root root 4096 Apr 20 06:17 applications.d
-rw-r--r-- 1 root root 6449 Feb  1  2017 before6.rules
-rw-r--r-- 1 root root 1130 Feb  1  2017 before.init
-rw-r--r-- 1 root root 2667 Feb  1  2017 before.rules
-rw-r--r-- 1 root root 1941 Feb  1  2017 sysctl.conf
-rw-r--r-- 1 root root  312 Feb  1  2017 ufw.conf
-rw-r--r-- 1 root root  107 Feb  1  2017 user6.rules
-rw-r--r-- 1 root root  307 Feb  1  2017 user.rules
thinkpad in ~ ○ → sudo ufw reset
Resetting all rules to installed defaults. Proceed with operation (y|n)? y
Backing up 'user.rules' to '/etc/ufw/user.rules.20180420_061904'
Backing up 'after6.rules' to '/etc/ufw/after6.rules.20180420_061904'
Backing up 'user6.rules' to '/etc/ufw/user6.rules.20180420_061904'
Backing up 'before6.rules' to '/etc/ufw/before6.rules.20180420_061904'
Backing up 'after.rules' to '/etc/ufw/after.rules.20180420_061904'
Backing up 'before.rules' to '/etc/ufw/before.rules.20180420_061904'
WARN: '/etc/ufw/user.rules' is world readable
WARN: '/etc/ufw/after6.rules' is world readable
WARN: '/etc/ufw/user6.rules' is world readable
WARN: '/etc/ufw/before6.rules' is world readable
WARN: '/etc/ufw/after.rules' is world readable
WARN: '/etc/ufw/before.rules' is world readable
```
celticmagic commented 1 year ago
Pierre-Yves (#kyrios123), 2018-04-20 12:55:38 UTC

Well, obviously the rules have been made readable [intentionally](https://dev.solus-project.com/source/ufw/browse/master/package.yml$18). If the firewall is well configured, it should block the traffic; having the rules readable by anyone should be harmless. "Security by obscurity" is not security, imo.
celticmagic commented 1 year ago
Eric S. (#eric-salo), 2018-04-20 15:29:14 UTC

Security by obscurity is terrible on its own, but setting strong permissions is netsec 101. I don't see why that change would be made, especially when it makes ufw complain.
celticmagic commented 1 year ago
Beatrice T. Meyers (#DataDrake), 2018-07-22 15:00:08 UTC

We can set the permissions as needed for those files.
celticmagic commented 1 year ago
Pierre-Yves (#kyrios123), 2018-08-03 19:13:10 UTC

> In T6243#122829, #DataDrake wrote:
> > We can set the permissions as needed for those files.

Actually, by default the package sets the permissions to 640 on the rules. I checked a few distros like Arch and Fedora and they change it back to 644, and I guess there is a reason for this: [see here](https://dev.solus-project.com/R3074:4c6949316349befbfbc7ef0e886a1455d2a63118). It's just a warning, not an error.
celticmagic commented 1 year ago
Beatrice T. Meyers (#DataDrake), 2022-03-13 00:04:38 UTC

I'm still not sure which way is the correct way to integrate those files, tbh.
TraceyC77 commented 3 weeks ago

Since we have moved to stateless packaging, files are usually no longer installed to /etc. This package still installs /etc/ufw; it needs to be updated. Also, unless we have a solid reason to change the directory permissions from upstream, we should keep them as upstream provides.

I checked a fresh install of ufw to check the current config directory permissions. The original problem still persists.

```
❯ sudo ufw reset
Resetting all rules to installed defaults. Proceed with operation (y|n)? y
Backing up 'user.rules' to '/etc/ufw/user.rules.20241103_162144'
Backing up 'before.rules' to '/etc/ufw/before.rules.20241103_162144'
Backing up 'after.rules' to '/etc/ufw/after.rules.20241103_162144'
Backing up 'user6.rules' to '/etc/ufw/user6.rules.20241103_162144'
Backing up 'before6.rules' to '/etc/ufw/before6.rules.20241103_162144'
Backing up 'after6.rules' to '/etc/ufw/after6.rules.20241103_162144'
WARN: '/etc/ufw/user.rules' is world readable
WARN: '/etc/ufw/before.rules' is world readable
WARN: '/etc/ufw/after.rules' is world readable
WARN: '/etc/ufw/user6.rules' is world readable
WARN: '/etc/ufw/before6.rules' is world readable
WARN: '/etc/ufw/after6.rules' is world readable
```
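A defender-side check for the condition `ufw reset` warns about, as an added example that is not part of this thread or the Solus package: it lists the `*.rules` files under a directory whose mode grants "other" read access, and can tighten them to the 640 the thread mentions. It assumes GNU `stat -c` and builds its own sample directory so it never touches `/etc/ufw`.

```shell
#!/bin/sh
# Added example, not from the Solus ufw package or the issue above.
# Assumes GNU coreutils `stat -c '%a'` (prints the octal mode, e.g. 644).

# Print every *.rules file in DIR (default /etc/ufw) that is world readable,
# i.e. whose "other" permission class has the read bit (4) set.
world_readable_rules() {
    dir="${1:-/etc/ufw}"
    for f in "$dir"/*.rules; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        other=$(( mode % 10 ))          # last octal digit = "other" class
        if [ $(( other & 4 )) -ne 0 ]; then
            echo "$f"
        fi
    done
}

# Remediation matching the thread's 640: strip read from "other" on every
# world-readable rules file found by the check above.
fix_world_readable_rules() {
    world_readable_rules "$1" | while IFS= read -r f; do
        chmod o-r "$f"
    done
}

# Constructed sample tree standing in for /etc/ufw, so the check runs
# offline; only user.rules reproduces the warned-about 644 mode.
make_sample_dir() {
    d=$(mktemp -d)
    : > "$d/user.rules";   chmod 644 "$d/user.rules"    # world readable
    : > "$d/before.rules"; chmod 640 "$d/before.rules"  # owner + group
    : > "$d/after.rules";  chmod 600 "$d/after.rules"   # owner only
    : > "$d/ufw.conf";     chmod 644 "$d/ufw.conf"      # not a rules file
    echo "$d"
}
```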