getsolus / packages

Solus Package Monorepo & Issue Tracker

fresh ufw install - WARN /etc/ufw/rules... are world readable (T6243) #110

Open celticmagic opened 10 months ago

celticmagic commented 10 months ago
Eric S. (#eric-salo), 2018-04-20 10:45:12 UTC

`ufw` only complains about it when it resets, which barely anyone does.

```
thinkpad in ~ ○ → ls -l /etc/ufw
total 48
-rw-r--r-- 1 root root  915 Feb 1 2017 after6.rules
-rw-r--r-- 1 root root 1126 Feb 1 2017 after.init
-rw-r--r-- 1 root root 1004 Feb 1 2017 after.rules
drwxr-xr-x 2 root root 4096 Apr 20 06:17 applications.d
-rw-r--r-- 1 root root 6449 Feb 1 2017 before6.rules
-rw-r--r-- 1 root root 1130 Feb 1 2017 before.init
-rw-r--r-- 1 root root 2667 Feb 1 2017 before.rules
-rw-r--r-- 1 root root 1941 Feb 1 2017 sysctl.conf
-rw-r--r-- 1 root root  312 Feb 1 2017 ufw.conf
-rw-r--r-- 1 root root  107 Feb 1 2017 user6.rules
-rw-r--r-- 1 root root  307 Feb 1 2017 user.rules
thinkpad in ~ ○ → sudo ufw reset
Resetting all rules to installed defaults. Proceed with operation (y|n)? y
Backing up 'user.rules' to '/etc/ufw/user.rules.20180420_061904'
Backing up 'after6.rules' to '/etc/ufw/after6.rules.20180420_061904'
Backing up 'user6.rules' to '/etc/ufw/user6.rules.20180420_061904'
Backing up 'before6.rules' to '/etc/ufw/before6.rules.20180420_061904'
Backing up 'after.rules' to '/etc/ufw/after.rules.20180420_061904'
Backing up 'before.rules' to '/etc/ufw/before.rules.20180420_061904'
WARN: '/etc/ufw/user.rules' is world readable
WARN: '/etc/ufw/after6.rules' is world readable
WARN: '/etc/ufw/user6.rules' is world readable
WARN: '/etc/ufw/before6.rules' is world readable
WARN: '/etc/ufw/after.rules' is world readable
WARN: '/etc/ufw/before.rules' is world readable
```

celticmagic commented 10 months ago
Pierre-Yves (#kyrios123), 2018-04-20 12:55:38 UTC

Well, obviously the rules have been made readable [intentionally](https://dev.solus-project.com/source/ufw/browse/master/package.yml$18). If the firewall is well configured, it should block the traffic; having the rules readable by anyone should be harmless. "Security by obscurity" is not security imo.

celticmagic commented 10 months ago
Eric S. (#eric-salo), 2018-04-20 15:29:14 UTC

Security by obscurity is terrible on its own, but setting strong permissions is netsec 101. I don't see why that change would be made, especially when it makes ufw complain.
celticmagic commented 10 months ago
Beatrice T. Meyers (#DataDrake), 2018-07-22 15:00:08 UTC

We can set the permissions as needed for those files.
celticmagic commented 10 months ago
Pierre-Yves (#kyrios123), 2018-08-03 19:13:10 UTC

> In T6243#122829, #DataDrake wrote:
> We can set the permissions as needed for those files.

Actually, by default the package sets the permissions to 640 on the rules. I checked a few distros like Arch and Fedora and they change it back to 644, and I guess there is a reason for this: [see here](https://dev.solus-project.com/R3074:4c6949316349befbfbc7ef0e886a1455d2a63118)

It's just a warning, not an error.

celticmagic commented 10 months ago
Beatrice T. Meyers (#DataDrake), 2022-03-13 00:04:38 UTC

I'm still not sure which way is the correct way to integrate those files, tbh.
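
An added example, not part of the thread, of ufw, or of the Solus package: a shell function that reports which rules files and `ufw reset` backups in a ufw configuration directory have the world-read bit set, the condition the warning in the thread describes. The function name `audit_ufw_rules` and its output format are this example's own; the default directory `/etc/ufw` and the backup naming are taken from the listing above.

```shell
#!/bin/sh
# Added example: audit a ufw config directory for world-readable rules files.
# Covers both the live *.rules files and the timestamped backups that
# `ufw reset` writes (e.g. user.rules.20180420_061904 in the thread).
#
# Prints "<mode> <filename>" for every match.
# Returns 1 if at least one file is world readable, 0 otherwise,
# so it can gate a packaging check or a configuration-management run.
# Usage: audit_ufw_rules [DIR]    (DIR defaults to /etc/ufw)
audit_ufw_rules() {
    dir=${1:-/etc/ufw}
    found=0
    for f in "$dir"/*.rules "$dir"/*.rules.*; do
        # An unmatched glob stays literal; skip it and anything not a file.
        [ -f "$f" ] || continue
        # -perm -004 matches when the "other read" bit is set:
        # mode 644 matches, mode 640 does not.
        if [ -n "$(find "$f" -perm -004)" ]; then
            # First 10 characters of ls -l are the type and permission bits.
            mode=$(ls -ld -- "$f" | cut -c1-10)
            printf '%s %s\n' "$mode" "${f##*/}"
            found=1
        fi
    done
    return "$found"
}
```

Files such as `ufw.conf` and `sysctl.conf` are deliberately not covered, since the warnings quoted in the thread concern only the rules files.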