saadjsct / matrixcli

Command line matrix client
GNU General Public License v3.0

/etc/matrixcli/config.py shouldn't be world-readable #9

Open martinvonwittich opened 4 years ago

martinvonwittich commented 4 years ago
```
host ~ # find /etc/matrixcli -ls
 49284276      4 drwxr-xr-x   2 root     root         4096 Sep 30 15:20 /etc/matrixcli
 49284482      4 -rw-r--r--   1 root     root          927 Sep 30 15:20 /etc/matrixcli/config.py
```

Either /etc/matrixcli/config.py should default to 600, or /etc/matrixcli should default to 700. Currently, it's very likely that a user might put a password into config.py, which is then world-readable for all users on the system.

Note that Python will create a subfolder __pycache__ with a cached version of config.py in it; the cached version will copy the permissions of config.py. So if you want to secure your installation, you need to change the permissions on both:

```
chmod 600 /etc/matrixcli/config.py
chmod 600 /etc/matrixcli/__pycache__/config.*.pyc
```
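As an added example (not code from matrixcli or from the issue author), the following script audits the permissions on the files named above and applies the same two `chmod 600` fixes. It assumes the layout described in the issue: `config.py` directly in the config directory and cached bytecode under `__pycache__/config.*.pyc`. The `make_sample_install` helper builds a constructed temporary directory with world-readable files so the audit can be exercised without touching `/etc/matrixcli`.

```python
"""Audit and tighten matrixcli config permissions (added example, not project code)."""
import os
import stat
import tempfile
from pathlib import Path

# Default location from the issue; any directory with the same layout works.
CONFIG_DIR = Path("/etc/matrixcli")

# Any of these bits set means group or other users can read, write or execute.
EXPOSED_BITS = stat.S_IRWXG | stat.S_IRWXO


def secret_files(config_dir):
    """Yield config.py and every cached bytecode copy Python may have made of it."""
    config_dir = Path(config_dir)
    cfg = config_dir / "config.py"
    if cfg.exists():
        yield cfg
    # Python writes __pycache__/config.<tag>.pyc and gives it config.py's mode,
    # so the cache is a second copy of whatever secret config.py contains.
    yield from sorted((config_dir / "__pycache__").glob("config.*.pyc"))


def find_exposed(config_dir=CONFIG_DIR):
    """Return {path: mode} for files that group or other users can access."""
    exposed = {}
    for path in secret_files(config_dir):
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & EXPOSED_BITS:
            exposed[str(path)] = oct(mode)
    return exposed


def harden(config_dir=CONFIG_DIR):
    """chmod 600 every exposed file: the two commands from the issue, in one pass."""
    fixed = []
    for path in find_exposed(config_dir):
        os.chmod(path, 0o600)
        fixed.append(path)
    return fixed


def make_sample_install():
    """Constructed stand-in for a fresh install: a temp dir with 644 files (not /etc)."""
    base = Path(tempfile.mkdtemp(prefix="matrixcli-"))
    (base / "__pycache__").mkdir()
    for rel in ("config.py", "__pycache__/config.cpython-311.pyc"):
        p = base / rel
        p.write_bytes(b"# constructed placeholder, no real credentials\n")
        os.chmod(p, 0o644)  # the permissions reported in the issue
    return base


if __name__ == "__main__":
    sample = make_sample_install()
    print("exposed before:", find_exposed(sample))
    print("fixed:", harden(sample))
    print("exposed after:", find_exposed(sample))
```

Running `find_exposed()` with no argument audits the real `/etc/matrixcli`; `harden()` only touches files the audit flags, so a correctly secured install is left unchanged.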