Comments (6)
Good point. We'll take a look at it.
from weewx.
which files should have 660 permissions?
each time the config file is modified by weectl, weectl makes a copy. weectl does not ensure 660 permissions.
during an upgrade, there may be many copies of the config file. all of those should have the same permissions as the 'active' config file.
if it is weewx-multi configuration, there will be multiple 'active' config files.
so i'm not sure what the right approach is here.
option 1: only modify permissions and ownership when upgrading from a v4 to v5
option 2: always set permissions and ownership
option 3: always set permissions and ownership, but set permissions on every /etc/weewx/*.conf to 660
from weewx.
The only file that bothered me from a security perspective is the /etc/weewx/weewx.conf file, as it has login details for 3rd party sites that might be sensitive information. You are right to point out that it often has version copies/diffs placed in the same directory with differing names (sometimes appended to the '.conf' side), so all potentially have such information.
In terms of options then your 'option 3' seems the simplest and safest. My initial thought was based on looking at the pkg/debian/postinst file and changing it so following the (current) line 427 it removes other read/write permission, so something like this:
```sh
set_config_permissions() {
    echo "Setting permissions $WEEWX_USER:$WEEWX_GROUP on /etc/weewx"
    set_permissions "$WEEWX_USER" "$WEEWX_GROUP" /etc/weewx
    # Remove read/write for "other" from the config file and its copies
    chmod o-rw /etc/weewx/*.conf*
}
```
This might not be perfect as there remains a window of opportunity from setting all files globally readable to removing that on the conf file(s) but given:
- Very short time they would be accessible
- Infrequent nature of such upgrade changes
- Few cases where a WeeWX machine has multiple users of low trust
It would seem quite acceptable to me.
from weewx.
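The check and fix discussed above (option 3 and the `chmod o-rw` proposal), as an added example that is not part of the thread or of the WeeWX packaging scripts: it lists which `*.conf*` files in a directory are still accessible to other users, then removes that access. The function names and the file names in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not WeeWX packaging code. Function names are hypothetical.

# List regular files matching DIR/*.conf* that "other" can read or write.
world_accessible_confs() {
    find "$1" -maxdepth 1 -type f -name '*.conf*' \
        \( -perm -o=r -o -perm -o=w \) -print | sort
}

# Remove read/write for "other" from DIR/*.conf*, covering the active
# config and the renamed copies left beside it.
harden_confs() {
    for f in "$1"/*.conf*; do
        # Skip an unmatched glob, directories, and symlinks (chmod would
        # follow a symlink and change its target instead).
        if [ -L "$f" ] || [ ! -f "$f" ]; then
            continue
        fi
        chmod o-rw "$f"
    done
}

# Constructed demo: a throwaway directory standing in for /etc/weewx.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/weewx.conf";              chmod 664 "$d/weewx.conf"
    : > "$d/weewx.conf.example-copy"; chmod 644 "$d/weewx.conf.example-copy"
    : > "$d/second-station.conf";     chmod 644 "$d/second-station.conf"
    echo "before:"; world_accessible_confs "$d"
    harden_confs "$d"
    echo "after:";  world_accessible_confs "$d"
    rm -rf "$d"
}

demo
```

Running `world_accessible_confs /etc/weewx` on an installed system gives the same audit without changing anything.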
chmod o-rw /etc/weewx/*.conf*
this is what i was thinking.
from weewx.
I don't understand much about the package manager process, but that seemed like the sort of change that ought to work.
from weewx.
this will appear in weewx 5.1.0
from weewx.