Data directory needs more secure permissions #1

Open
fongd opened this issue Nov 9, 2016 · 2 comments

fongd commented Nov 9, 2016

When installing istatserver, the permissions on /usr/local/etc/istatserver are 0755. Since /usr/local/etc/istatserver/istatserver.conf is also 0755, this means anyone with shell access to the server can read the conf file and pair iStat 3 to that server. This does not seem desirable.

Since the istatserver directory is already owned by istat:istat, it would be best to make sure the installer changes the permissions on /usr/local/etc/istatserver to 0750.

@marcedwards
Contributor

Thanks! Great suggestion.

@fongd
Author

fongd commented Dec 9, 2016

In fact, shell access isn't even necessary. Since the daemon installs in a standard location, one could upload a script to a web server which is running istatserver and retrieve the pairing PIN by reading or even outputting the contents of the config file, if the web server isn't configured to jail web access to specific directories (which is often the case).
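
An added example, not part of the thread and not the istatserver installer's code: a POSIX shell check showing why the 0750 directory mode proposed in this issue shields the conf file even while the file itself stays 0755. The function names and the temporary demo tree are assumptions, and parent directories are assumed to be traversable by everyone.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Checks permission bits only;
# it does not consider ACLs or group membership of the account being tested.

# has_other_bit PATH BIT -> status 0 if the "other" class has BIT on PATH
# BIT: 4 = read, 2 = write, 1 = execute (search, for directories)
has_other_bit() {
    # -prune limits find to PATH itself; "-perm -000N" means "bit N is set"
    [ -n "$(find "$1" -prune -perm "-000$2" -print 2>/dev/null)" ]
}

# conf_exposed DIR FILE -> status 0 if a user outside owner/group can read DIR/FILE
conf_exposed() {
    # Opening the file needs search (x) on the directory AND read (r) on the file.
    has_other_bit "$1" 1 && has_other_bit "$1/$2" 4
}

# harden_conf_dir DIR -> apply the directory mode proposed in the issue
harden_conf_dir() {
    chmod 0750 "$1"
}

# Demo on a constructed tree that mirrors the modes reported in the issue.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/istatserver"
    : > "$d/istatserver/istatserver.conf"
    chmod 0755 "$d/istatserver" "$d/istatserver/istatserver.conf"

    if conf_exposed "$d/istatserver" istatserver.conf; then
        echo "before: conf readable by any local account"
    fi

    harden_conf_dir "$d/istatserver"

    if conf_exposed "$d/istatserver" istatserver.conf; then
        echo "after: conf still exposed"
    else
        echo "after: conf shielded by directory mode 0750"
    fi
    rm -rf "$d"
}

demo
```

On a real install, call `conf_exposed /usr/local/etc/istatserver istatserver.conf` to check the paths named in the issue.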
