database: set stricter file mode creation #58

Closed
opened 2020-05-27 12:11:22 +02:00 by mrngm · 1 comment
Collaborator

Currently, `internal/db.OpenDB()` executes:

```go
db, err := bolt.Open(path, 0666, &bolt.Options{Timeout: 1 * time.Second})
```

where `0666` indicates an `os.FileMode`. This translates to the permissions `rw-rw-rw-`, used in Bolt for the creation file mode (see [here](https://github.com/etcd-io/bbolt/blob/v1.3.4/db.go#L210-L213)). However, `umask` may influence this behaviour:

```bash
$ umask
0022
$ ls
files  main.go  rushlink
$ git log | head -n 1
commit 5a5a0dc5ece2ec6a0830fae23e9df84eca64dfe0
$ ./rushlink -file-store files/ -database flupsel.db
2020/05/27 12:09:13 migrating database to version 1
2020/05/27 12:09:13 migrating database to version 2
2020/05/27 12:09:13 migrating database to version 3
^C
$ ls -hl flupsel.db
-rw-r--r-- 1 mrngm mrngm 32K May 27 12:09 flupsel.db
$ rm flupsel.db
$ umask 0000
$ umask
0000
$ ls
files  main.go  rushlink
$ ./rushlink -file-store files/ -database flupsel.db
2020/05/27 12:10:40 migrating database to version 1
2020/05/27 12:10:40 migrating database to version 2
2020/05/27 12:10:40 migrating database to version 3
^C
$ ls -hl flupsel.db
-rw-rw-rw- 1 mrngm mrngm 32K May 27 12:10 flupsel.db
```

It would be better to only grant `rw` permission for user/group, and none for other, by default.
Owner

Agreed.

electricdusk added the bug label 2020-05-27 22:31:14 +02:00
mrngm closed this issue 2020-06-28 12:16:01 +02:00
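
An added example, not rushlink's or Bolt's own code: it reproduces the umask interaction shown in the issue with plain `os.OpenFile`, and shows that a stricter creation mode such as `0660` does not change a database file that already exists. It assumes a Unix system and that Bolt hands the mode to `os.OpenFile` unchanged; the helper names `createdMode` and `tighten` and the file names are hypothetical.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// createdMode creates path with the requested mode while the process umask
// is set to umask (Unix only) and returns the permission bits that resulted.
func createdMode(path string, mode os.FileMode, umask int) (os.FileMode, error) {
	old := syscall.Umask(umask) // process-wide; restored on return
	defer syscall.Umask(old)
	f, err := os.OpenFile(path, os.O_RDWR|os.O_CREATE|os.O_EXCL, mode)
	if err != nil {
		return 0, err
	}
	defer f.Close()
	fi, err := f.Stat()
	if err != nil {
		return 0, err
	}
	return fi.Mode().Perm(), nil
}

// tighten clears every permission bit outside limit on an existing file.
// The creation mode is ignored when the file already exists, so a database
// created earlier as rw-rw-rw- keeps those bits until it is chmod'ed.
func tighten(path string, limit os.FileMode) (os.FileMode, error) {
	fi, err := os.Stat(path)
	if err != nil {
		return 0, err
	}
	want := fi.Mode().Perm() & limit
	return want, os.Chmod(path, want)
}

func main() {
	dir, err := os.MkdirTemp("", "filemode-demo") // constructed scratch directory
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	loose, _ := createdMode(filepath.Join(dir, "old.db"), 0666, 0000)
	fixed, _ := tighten(filepath.Join(dir, "old.db"), 0660)
	strict, _ := createdMode(filepath.Join(dir, "new.db"), 0660, 0000)
	fmt.Println(loose, fixed, strict) // before chmod, after chmod, fresh 0660 create
}
```
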
Reference: electricdusk/rushlink#58