
Data directory needs more secure permissions

Open fongd opened this issue 9 years ago • 2 comments

When installing istatserver, the permissions on /usr/local/etc/istatserver are 0755. Since /usr/local/etc/istatserver/istatserver.conf is also 0755, this means anyone with shell access to the server can read the conf file and pair iStat 3 to that server. This does not seem desirable.

Since the istatserver directory is already owned by istat:istat, it would be best to make sure the installer changes the permissions on /usr/local/etc/istatserver to 0750.

fongd, Nov 09 '16 15:11
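The misconfiguration described in the report (a 0755 directory and a 0755 config file that leave the pairing secret readable by every local account) is easy to audit and correct with a few shell functions. The script below is an added example, not part of istatserver or this thread; it works on a constructed temporary copy of the layout rather than on /usr/local/etc/istatserver, and reads mode bits from `ls -ld` so it runs on both GNU and BSD userlands.

```sh
#!/bin/sh
# Audit and harden a config directory in the style of
# /usr/local/etc/istatserver (constructed demo, run on a temp dir).

# Print the "others" permission triplet (e.g. "r-x") of a path.
others_bits() {
    ls -ld "$1" | cut -c8-10
}

# Exit 0 if any permission bit is granted to "others" (world-accessible).
world_accessible() {
    [ "$(others_bits "$1")" != "---" ]
}

# Exit 0 only if the directory and every entry directly inside it deny
# all access to "others"; list offenders on stderr otherwise.
audit_conf_dir() {
    rc=0
    for p in "$1" "$1"/*; do
        [ -e "$p" ] || continue
        if world_accessible "$p"; then
            echo "world-accessible: $p ($(ls -ld "$p" | cut -c1-10))" >&2
            rc=1
        fi
    done
    return $rc
}

# Apply the fix suggested in the issue: directory 0750 (owner rwx, group
# r-x, nothing for others) and config files 0640. Ownership (istat:istat)
# is left to the installer, which runs as root; chmod alone suffices here.
harden_conf_dir() {
    [ -d "$1" ] || return 1
    chmod 0750 "$1"
    find "$1" -type f -exec chmod 0640 {} +
    audit_conf_dir "$1"
}

# Demo on a constructed directory mirroring the reported install layout.
demo=$(mktemp -d)
mkdir "$demo/istatserver"
: > "$demo/istatserver/istatserver.conf"
chmod 0755 "$demo/istatserver" "$demo/istatserver/istatserver.conf"
audit_conf_dir "$demo/istatserver" || echo "before: insecure, as reported"
harden_conf_dir "$demo/istatserver" && echo "after: hardened to 0750/0640"
rm -rf "$demo"
```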

Thanks! Great suggestion.

marcedwards, Dec 08 '16 05:12

In fact, shell access isn't even necessary. Since the daemon installs in a standard location, one could upload a script to a web server which is running istatserver and retrieve the pairing PIN by reading or even outputting the contents of the config file, if the web server isn't configured to jail web access to specific directories (which is often the case).

fongd, Dec 09 '16 18:12