Insecure permissions for dump.rdb

[tmakinen]

Using --save option when starting redis will create database dump files in 0644 permissions. This makes it possible for all users in host to read database contents.

Suggestion is to run umask 077 in entrypoint before starting redis with su-exec.

[tianon]

Huh, this is a good point -- I think containers make this a bit less obviously a huge problem since in most of the ways you'd deploy this image in a container, the file is protected more strongly by the boundaries of mount namespaces than unix permissions (and it's not terribly common to share data volumes between containers unnecessarily), but still something we should maybe consider.

Do you know if there's any "official" recommendation from the Redis community about what the umask should be set to? Perhaps an official redis.service file for systemd that sets a default we could point to as "look, this is where this recommendation came from" ?

[tianon]

https://github.com/redis/redis/blob/bb875603fb7ff3f9d19aad906bd45d7db98d9a39/utils/systemd-redis_server.service#L37 looks pretty promising/authoritative! :smile:

I'm thinking we should perhaps only reset it if it's set to the default of 0022 so we don't accidentally overwrite the value for someone who is already working around this by setting their own value?