Continuing with permissions audit (see #321), the postgresql backup that's created by `/root/tarsnap.sh` in `/decrypted` is world-readable.

This should be fixed by having a `umask 077` call within the cron script prior to this line:

https://github.com/al3x/sovereign/blob/5f6160f914c647ddb6a3d8e47d1b5a46fbf6b22c/roles/tarsnap/files/tarsnap.sh#L61

Needless to say, without this, it is dangerous as it will expose every single password and user in the database to all users on the system.
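
The effect of the `umask 077` call proposed above, as an added example that is not part of the original issue or of sovereign's `tarsnap.sh`: it writes a stand-in dump file under two umasks, reports the resulting mode, and audits a directory for files that group or other can read. The function names, the dump file name and the sample content are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; not taken from sovereign's tarsnap.sh.
# Function names and the dump file name are hypothetical.

# Print a file's permission bits in octal (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Create a stand-in dump under the given umask and print the mode it ends up with.
# The subshell keeps the umask change from leaking into the caller, which is
# also a safe pattern inside a cron script that does other work afterwards.
dump_mode_under_umask() {
    mask=$1
    dir=$(mktemp -d) || return 1
    (
        umask "$mask"
        # Constructed sample content standing in for the redirected dump output.
        printf 'constructed sample dump\n' > "$dir/postgresql-dump.sql"
    )
    file_mode "$dir/postgresql-dump.sql"
    rm -rf "$dir"
}

# Audit helper: list regular files under a directory that are readable by
# group or by other. Empty output means nothing is exposed by file mode.
readable_by_others() {
    find "$1" -type f \( -perm -040 -o -perm -004 \) -print
}

# Typical default umask: the dump is created 644, readable by every local user.
echo "umask 022 -> $(dump_mode_under_umask 022)"
# Proposed fix: the dump is created 600, readable by its owner only.
echo "umask 077 -> $(dump_mode_under_umask 077)"
```

Running `readable_by_others` against the backup directory after the cron job has run is a quick regression check that the fix is still in place.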
c55437d
Restrict permissions on Postgres backups files. Resolves sovereign#322.
ca5c3a0