Task #44314
slightly file permissions for .../Configuration/* and .../Data/Persistent/EncryptionKey
| Field | Value | Field | Value |
|---|---|---|---|
| Status | Accepted | Start date | 2013-01-04 |
| Priority | Must have | Due date | |
| Assigned To | Karsten Dambekalns | % Done | 0% |
| Category | Security | | |
| Target version | - | | |
| Sprint | | Has patch | No |
| PHP Version | | Complexity | |
Description
All files in the Configuration folder and the file Data/Persistent/EncryptionKey have 644 permissions. They should be 600, because in most webserver setups Apache and NGINX run in the same group as the webspace user. A stranger (e.g. another customer on the same webhosting server) can also read all of these files if they can create symlinks to them in their own webspace.
Evidence:
- User A:
  - document root: /var/www/client1/userA
- User B:
  - document root: /var/www/client2/userB

User B makes symlinks to all Configuration/*.yaml files and to the .../Data/Persistent/EncryptionKey file in its own webspace, then calls http://users-b-domain.dev/uri-to-symlink-that-points-to-users-A-file to read all of these configuration files.
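A defender-side check for the misconfiguration described above, added here as an example that is not part of the original issue or of Flow itself. It assumes an installation root laid out like the document roots in the Evidence section (the Configuration/ directory and Data/Persistent/EncryptionKey below it) and uses only POSIX find/chmod:

```shell
#!/bin/sh
# Print every regular file under <root>/Configuration or at
# <root>/Data/Persistent/EncryptionKey whose group or other permission
# bits are set, i.e. anything looser than 0600.
loose_flow_files() {
    root="$1"
    for path in "$root/Configuration" "$root/Data/Persistent/EncryptionKey"; do
        [ -e "$path" ] || continue
        # -type f lists regular files only (symlinks themselves are skipped;
        # what matters is the mode of the real file they would point at).
        # POSIX find: "-perm -g+r" matches when the group-read bit is set.
        find "$path" -type f \( -perm -g+r -o -perm -g+w -o -perm -g+x \
                                -o -perm -o+r -o -perm -o+w -o -perm -o+x \)
    done
}

# Number of files that still need tightening; 0 means the install is clean.
count_loose_flow_files() {
    loose_flow_files "$1" | wc -l | tr -d ' '
}

# Tighten every reported file to owner read/write only (0600).
fix_flow_perms() {
    loose_flow_files "$1" | while IFS= read -r f; do
        chmod 600 "$f"
    done
}

# Example run against a constructed installation root (hypothetical path):
#   count_loose_flow_files /var/www/client1/userA
#   fix_flow_perms /var/www/client1/userA
```

Run it as the file owner (or root); 0600 only helps when the webserver worker is not the same user that owns the files, otherwise the fix is to separate those users.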
History
#1 Updated by Karsten Dambekalns over 2 years ago
- Status changed from New to Accepted
- Assigned To set to Karsten Dambekalns
- Priority changed from -- undefined -- to Must have