Closed pexus closed 5 years ago
The file /etc/mxisd/mxisd.yaml should be owned by the mxisd user, and the group and other read permissions should be removed since it contains the password. Otherwise any user on the system can get the password.
Good catch, we'll try to do it as we finalize the v1.4 release. Thanks for pointing it out!
Due to possible breakage with previous versions, we have instead chosen to write a security hardening guide so people can do it themselves if they so wish. See the referenced commit above.
Since mxisd.yaml could contain passwords for SMTP access, the permission for this file should be rw for owner (root) only. This should be documented and the mxisd.example.yaml file should also be installed with this permission.
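
The check discussed in this thread, written as an added example that is not part of the original comments or the mxisd project: a POSIX shell audit of a secrets-bearing config file. The function names are hypothetical, and the expected owner is an argument because the thread names both a dedicated mxisd user and root.

```shell
#!/bin/sh
# Added example (not mxisd project code): audit a secrets-bearing config file
# such as /etc/mxisd/mxisd.yaml. check_conf and tighten_conf are hypothetical names.

# check_conf FILE OWNER
# Returns 0 only if FILE is a regular file (not a symlink), owned by OWNER,
# and carries no group/other permission bits. Prints one line per finding.
check_conf() {
    cc_file=$1; cc_owner=$2; cc_rc=0
    if [ -L "$cc_file" ] || [ ! -f "$cc_file" ]; then
        echo "FAIL $cc_file: missing, or not a regular file"
        return 2
    fi
    # POSIX ls -ld: field 1 is the mode string, field 3 the owner name.
    cc_info=$(ls -ld -- "$cc_file" | awk '{print $1 " " $3}')
    cc_mode=${cc_info% *}
    cc_actual=${cc_info#* }
    # Characters 5-10 of the mode string are the group and other triplets.
    cc_go=$(printf '%s' "$cc_mode" | cut -c5-10)
    if [ "$cc_go" != "------" ]; then
        echo "FAIL $cc_file: group/other bits set ($cc_mode)"
        cc_rc=1
    fi
    if [ "$cc_actual" != "$cc_owner" ]; then
        echo "FAIL $cc_file: owner is $cc_actual, expected $cc_owner"
        cc_rc=1
    fi
    [ "$cc_rc" -eq 0 ] && echo "OK   $cc_file: $cc_mode $cc_actual"
    return "$cc_rc"
}

# tighten_conf FILE: owner read/write only, as suggested in the thread.
# Changing the owner needs root and is left to the administrator.
tighten_conf() {
    chmod 600 -- "$1"
}

# Usage (as root on the host):
#   check_conf /etc/mxisd/mxisd.yaml mxisd || tighten_conf /etc/mxisd/mxisd.yaml
```

If the service runs as an unprivileged user, a root-owned file with mode 600 is unreadable to it, so pick the owner to match the account the daemon actually runs under.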