Task #44314

slightly file permissions for .../Configuration/* and .../Data/Persistent/EncryptionKey

Added by Rafael Kähm about 7 years ago. Updated about 6 years ago.

Status: Accepted
Priority: Must have
Category: Security
Target version: -
Start date: 2013-01-04
Due date:
% Done: 0%
Sprint:
PHP Version:
Has patch: No
Complexity:
Description

All files in the Configuration folder and Data/Persistent/EncryptionKey have 644 permissions.

They should be 600, because in most webserver configurations Apache and NGINX are in the same group as the webspace user. Also, a stranger (e.g. on a shared webhosting server) can read all these files if they can create symlinks to these files in their own webspace.

Evidence:

  • User A:
    • document root: /var/www/client1/userA
  • User B:
    • document root: /var/www/client2/userB

User B makes symlinks to all Configuration/*.yaml files and to the .../Data/Persistent/EncryptionKey file in its own webspace and then calls http://users-b-domain.dev/uri-to-symlink-that-points-to-users-A-file to read all of these configuration files.
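As an added example (not part of this ticket and not Flow's own code), a POSIX shell audit that lists every file under Configuration/ and the Data/Persistent/EncryptionKey file whose mode grants any group or other permission bits, plus a fixer that applies the 600 mode proposed above. The application root is passed as an argument; the function names are this example's own.

```shell
# Print "<mode> <path>" for each sensitive file that is readable (or
# writable/executable) by group or others, i.e. anything not ending in 00.
list_exposed() {
    root="$1"
    {
        find "$root/Configuration" -type f 2>/dev/null
        [ -f "$root/Data/Persistent/EncryptionKey" ] && echo "$root/Data/Persistent/EncryptionKey"
    } | while IFS= read -r f; do
        # GNU stat first, BSD/macOS stat as fallback; both yield e.g. "644"
        mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
        case "$mode" in
            *00) ;;                                   # 600 / 400: owner only, fine
            *)   printf '%s %s\n' "$mode" "$f" ;;     # group/other bits set: report
        esac
    done
}

# Return 0 when nothing is exposed, 1 (with a report on stderr) otherwise.
check_flow_perms() {
    exposed=$(list_exposed "$1")
    if [ -n "$exposed" ]; then
        printf 'files readable by group/others under %s:\n%s\n' "$1" "$exposed" >&2
        return 1
    fi
    return 0
}

# Apply the mode this ticket asks for: 600 on every configuration file and
# on the encryption key, so only the owning webspace user can read them.
fix_flow_perms() {
    root="$1"
    find "$root/Configuration" -type f -exec chmod 600 {} +
    [ -f "$root/Data/Persistent/EncryptionKey" ] && chmod 600 "$root/Data/Persistent/EncryptionKey"
    return 0
}
```

Run `check_flow_perms /path/to/flow-app` from a deployment check to fail the build when a file is still 644; `fix_flow_perms` is the remediation step.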

History

#1 Updated by Karsten Dambekalns about 7 years ago

  • Status changed from New to Accepted
  • Assignee set to Karsten Dambekalns
  • Priority changed from -- undefined -- to Must have
