status-im / nimbus-eth2

Nim implementation of the Ethereum Beacon Chain
https://nimbus.guide

[SEC] CLI - Do not create world readable secret files #1702

Closed shayanb closed 3 years ago

shayanb commented 4 years ago

Description

Most of the secret files (wallet, keystore, etc.) are stored as world-readable files, even though they are in a subfolder and their contents are encrypted.

Exploit Scenario

Any application with access to the computer storage can copy the secret files

Mitigation Recommendation

Make them readable only by the user and/or review the permissions required for each file.
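
As an added example (not code from this issue or from nimbus-eth2, whose implementation is in Nim), here is what the recommended mitigation looks like on a POSIX system, written in Python: the secret file is created with mode 0600 at open() time, so it never passes through a world-readable state that a later chmod would have to close, creation refuses to clobber an existing file or follow a planted symlink, and a small audit walks a data directory to flag any regular file that still grants group or other access. The datadir layout, file names and JSON content are constructed for the example; the Windows side of the fix (ACLs rather than mode bits) is not covered here.

```python
import os
import shutil
import stat
import tempfile

# Any permission bit for group or other means the file is not private to its owner.
_NON_OWNER_BITS = stat.S_IRWXG | stat.S_IRWXO


def write_secret_file(path: str, data: bytes) -> None:
    """Create `path` containing `data`, readable and writable by the owner only.

    The 0o600 mode is applied by the kernel at creation time (os.open with
    O_CREAT takes the mode), so there is no window in which the file exists
    with wider permissions.  O_EXCL makes the call fail instead of truncating
    an existing file or writing through a symlink someone left at that path.
    The umask can only clear bits, so the result is at most 0o600; the fchmod
    re-applies 0o600 in case an unusual umask also stripped owner bits.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:  # fdopen takes ownership of fd and closes it
        os.fchmod(f.fileno(), 0o600)
        f.write(data)
        f.flush()
        os.fsync(f.fileno())


def find_non_private_files(root: str) -> list:
    """Return regular files under `root` whose mode grants anything to group or other.

    This is the check from the issue: a file inside a subfolder is still
    exposed if the file itself is 0644, so the audit looks at every file's
    own mode rather than trusting the directory.  Symlinks are not followed.
    """
    offenders = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if stat.S_ISREG(st.st_mode) and (st.st_mode & _NON_OWNER_BITS):
                offenders.append(p)
    return sorted(offenders)


def refuses_to_clobber(path: str) -> bool:
    """True if write_secret_file() refuses to overwrite an existing file at `path`."""
    try:
        write_secret_file(path, b"should never be written")
    except FileExistsError:
        return True
    return False


def demo() -> dict:
    """Constructed scenario: one wallet written correctly, one the old way (0644)."""
    root = tempfile.mkdtemp(prefix="datadir-")  # mkdtemp creates the dir as 0700
    try:
        wallets = os.path.join(root, "wallets")
        os.mkdir(wallets, 0o700)
        good = os.path.join(wallets, "good.json")
        bad = os.path.join(wallets, "bad.json")
        sample = b'{"crypto": "constructed sample, not a real keystore"}'

        write_secret_file(good, sample)

        # The pre-fix behaviour: a plain open() inherits the umask (typically 0644).
        with open(bad, "wb") as f:
            f.write(sample)
        os.chmod(bad, 0o644)  # pin the mode so the demo does not depend on the umask

        return {
            "good_mode": stat.S_IMODE(os.stat(good).st_mode),
            "bad_mode": stat.S_IMODE(os.stat(bad).st_mode),
            "offenders": [os.path.relpath(p, root) for p in find_non_private_files(root)],
            "clobber_refused": refuses_to_clobber(good),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {oct(value) if isinstance(value, int) else value}")
```

Running the audit against an existing datadir (`find_non_private_files("datadir")`) is the quickest way to confirm a node's existing wallets and keystores after upgrading, since the fix only governs files created from that point on.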

cheatfate commented 4 years ago

This was fixed in https://github.com/status-im/nimbus-eth2/pull/1533 for *nix platforms and https://github.com/status-im/nimbus-eth2/pull/1863 for Windows.

tintinweb commented 3 years ago

LGTM

reviewed as part of https://github.com/status-im/nimbus-eth2/issues/1319#issuecomment-765326999

⇒  ls -lsat datadir/wallets/tinyodel.json
8 -rw-------  1 tintin  staff  862 Jan 22 12:00 datadir/wallets/tinyodel.json