Giter Club home page Giter Club logo

Comments (6)

tkeffer avatar tkeffer commented on July 29, 2024

Good point. We'll take a look at it.

from weewx.

matthewwall avatar matthewwall commented on July 29, 2024

which files should have 660 permissions?

each time the config file is modified by weectl, weectl makes a copy. weectl does not ensure 660 permissions.

during and upgrade, there may be many copies of the config file. all of those should have the same permissions as the 'active' config file.

if it is weewx-multi configuration, there will be multiple 'active' config files.

so i'm not sure what the right approach is here.

option 1: only modify permissions and ownership when upgrading from a v4 to v5

option 2: always set permissions and ownership

option 3: always set permissions and ownership, but set permissions on every /etc/weewx/*.conf to 660

from weewx.

ps-crawford avatar ps-crawford commented on July 29, 2024

The only file that bothered me from a security perspective is the /etc/weewx/weewx.conf file as it has login details for 3rd party sites that might be sensitive information. You are right to point out that often has version copies/diffs placed in the same directory with differing names (sometimes appended to the '.conf' side) so all potentially have such information.

In terms of options then your 'option 3' seems the simplest and safest. My initial thought was based on looking at the pkg/debian/postinst file and changing it so following the (current) line 427 it removes other read/write permission, so something like this:

set_config_permissions() {
    echo "Setting permissions $WEEWX_USER:$WEEWX_GROUP on /etc/weewx"
    set_permissions $WEEWX_USER $WEEWX_GROUP /etc/weewx
    chmod o-rw /etc/weewx/*.conf*
}

This might not be perfect as there remains a window of opportunity from setting all files globally readable to removing that on the conf file(s) but given:

  • Very short time they would be accessible
  • Infrequent nature of such upgrade changes
  • Few cases where a WeeWX machine has multiple users of low trust

It would seem quite acceptable to me.

from weewx.

matthewwall avatar matthewwall commented on July 29, 2024

chmod o-rw /etc/weewx/.conf

this is what i was thinking.

from weewx.

ps-crawford avatar ps-crawford commented on July 29, 2024

I don't understand much about the package manager process, but that seemed like the sort of change that ought to work.

from weewx.

matthewwall avatar matthewwall commented on July 29, 2024

this will appear in weewx 5.1.0

from weewx.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.