homebridge / homebridge-config-ui-x

The Homebridge UI. Monitor, configure and backup Homebridge from a browser.
https://homebridge.io
MIT License

Files with secrets should not be world-readable #1957

Closed jkreileder closed 7 months ago

jkreileder commented 9 months ago

Raspberry Pi Model

Other (specify in description)

Describe The Bug

Although most homebridge installations are probably on single-user machines, files containing credentials or other secrets still should not be world-readable:

$ dpkg -s homebridge | grep Version
Version: 1.1.4
$ ls -al /var/lib/homebridge 
total 648
drwxr-xr-x  8 homebridge homebridge   4096 Dec  4 15:39 ./
drwxr-xr-x 44 root       root         4096 Nov 21 19:08 ../
drwxr-xr-x  2 homebridge homebridge   4096 Nov 19 14:37 accessories/
-rw-r--r--  1 homebridge homebridge      1 Dec  4 12:39 adguardhome_timer.config
drwxr-xr-x  4 homebridge homebridge   4096 Nov 19 14:38 appletv-enhanced/
-rw-r--r--  1 homebridge homebridge   2347 Nov 19 14:05 appletv_playstate.sh
-rw-r--r--  1 homebridge homebridge   2304 Nov 19 14:05 appletv_powerstate.sh
-rw-r--r--  1 homebridge homebridge    359 Nov 19 14:05 auth.json
drwxr-xr-x  4 homebridge homebridge   4096 Nov 19 01:11 backups/
-rw-r--r--  1 homebridge homebridge   5536 Dec  4 12:38 config.json
drwxr-xr-x  2 homebridge homebridge   4096 Nov 19 14:06 fritzbox/
-rw-r--r--  1 homebridge homebridge 450018 Dec  4 16:01 homebridge.log
drwxr-xr-x 11 homebridge homebridge   4096 Dec  4 12:37 node_modules/
-rw-r--r--  1 homebridge homebridge    136 Nov 27 16:02 .npmrc
-rw-r--r--  1 homebridge homebridge    300 Dec  4 12:37 package.json
drwxr-xr-x  2 homebridge homebridge   4096 Dec  4 12:39 persist/
-rw-r--r--  1 homebridge homebridge 132983 Dec  4 15:59 pi5_Regensburg_persist.json
-rw-r--r--  1 homebridge homebridge   1009 Nov 27 21:25 .uix-dashboard.json
-rw-r--r--  1 homebridge homebridge     94 Nov 19 14:05 .uix-hb-service-homebridge-startup.json
-rw-r--r--  1 homebridge homebridge     81 Nov 19 14:05 .uix-secrets

Given that plugins might store credentials in additional files, it's probably best to make sure no file is world-readable.

Logs

No response
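
An audit-and-fix sketch for the listing in the issue above, added here as an example and not part of the original issue or the Homebridge project's code: it lists every file or directory under a storage path that grants any permission to "other", then strips those bits. The function names and the `audit`/`fix` arguments are hypothetical; the default path is the one shown in the issue.

```shell
#!/bin/sh
# Added example (not project code). Function names are hypothetical.
# Default storage path is the one from the issue; pass another as $2.

# Print every regular file or directory under $1 that grants read, write
# or execute to "other". Symlinks are skipped: chmod would follow them.
list_world_accessible() {
    find "$1" \( -type f -o -type d \) \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Strip all "other" bits from those entries. Owner and group bits are
# left untouched, so the service account keeps the access it had.
restrict_to_owner_group() {
    find "$1" \( -type f -o -type d \) \
        \( -perm -004 -o -perm -002 -o -perm -001 \) \
        -exec chmod o-rwx {} +
}

# Minimal command dispatch; does nothing when called without arguments.
case "${1:-}" in
    audit) list_world_accessible "${2:-/var/lib/homebridge}" ;;
    fix)   restrict_to_owner_group "${2:-/var/lib/homebridge}" ;;
esac
```

This only corrects files that already exist; files written later take their mode from the service's umask, so a umask of 027 (for example `UMask=0027` in the unit file, assuming the service runs under systemd) is what keeps new files from being created world-readable.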

github-actions[bot] commented 7 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

github-actions[bot] commented 7 months ago

This issue has been closed as no further activity has occurred.