permission for /etc/mxisd/mxisd.yaml file should be restricted to root

kamax-matrix / mxisd

Federated Matrix Identity Server

GNU Affero General Public License v3.0

220 stars 112 forks source link

permission for /etc/mxisd/mxisd.yaml file should be restricted to root #140

Closed pexus closed 5 years ago

pexus commented 5 years ago

Since mxisd.yaml could contain passwords for SMTP access, the permission for this file should be rw for owner (root) only. This should be documented and the mxisd.example.yaml file should also be installed with this permission.

pexus commented 5 years ago

the file /etc/mxisd/mxisd.yaml should be owned by mxisd user and the group and other read permission should be removed since it contains the passwd. Otherwise any user on the system can get the password.

maxidorius commented 5 years ago

Good catch, we'll try to do it as we finalize the v1.4 release. Thanks for pointing it out!

maxidorius commented 5 years ago

Due to possible breakage with previous versions, we have instead chose to write a security hardening guide so people can do it themselves if they so wish. See the referenced commit above.