-
Notifications
You must be signed in to change notification settings - Fork 12.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Database: Set 0640 permissions on SQLite database file #26339
Conversation
Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have tested both with existing and not existing sqlite database file and with mysql database and it works as expected.
Thanks @papagian - do you have any opinion on whether we should change the permissions of existing SQLite files or not? Maybe just log a warning to the administrator? I'm just worried in case there are valid scenarios where the permissions (or owner?) should be changed by the operator. |
I didn't think about it. I'm not sure. Maybe the admin could overwrite the permissions by the configuration. |
I think you should. Not only is it the user table but also the data_source table. In theory plugins will store passwords encrypted in secureJsonData but they don't all. Just an an example, the Zabbix datasource does store in secureJsonData now, but it didn't always, and if you upgrade the datasource it doesn't clear out the plaintext 'password' column that was there previously (even though it doesn't use it any more). What that means is if somebody didn't set up a zabbix service account with the right permissions, you can steal this password from grafana.db and do bad things to zabbix. We don't want somebody to be able to point to some exploit and have the reason be that grafana allowed the password to escape. |
One may want to give a group of users access to the sqlite db. So forcing group permissions to 0 could be problematic. |
The Ubuntu package (maybe all debian) yields this: -rw-r--r-- 1 grafana grafana 260056 July 15 13:29 /var/lib/grafana/grafana.db so it creates a 'grafana' user and a 'grafana' group. So I'd be fine with the permissions being 640 (u+rw,g+r if I did that right). Normally there's nobody in the 'grafana' group other than the 'grafana' user. So, this way, if somebody did have some weird reason to add a second user to the 'grafana' group (like say for backing it up) that would still work. Regarding changing an existing file's permissions if it exists: I think this is a good idea, but it's not something I would do on the go side. I would have grafana set 0640 if it creates the file; but as for changing a file that already exists, in thinking about this, it's really something I would put into the postinst script. If you want to be nice you'd even make it prompt the user whether or not they wanted you to do it. |
I don't know enough about the various files the Grafana process can create, or the packaging ... but my fuzzy old knowledge says that maybe we should be setting the umask for the process so all things created are only accessible by grafana user/group - but I don't know if that might cause problems - and don't think it should be a blocker getting more secure specific DB perms in place. |
Think logging a warning if permissions are to "broad" on sqlite file should be enough. Then handle the migration thru documentation because older Grafana instances can apply that change manually without upgrading, which is good from a security perspective. |
I'll change the permissions to 0640 give the group read access. That sound alright to you @papagian @kylebrandt @marefr? @papagian @kylebrandt Do you agree with @marefr about just logging a warning if the file exists with broader permissions? |
Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
Being created with the
yes, I think that is much better. |
Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
I made a change to only log a warning if the SQLite file permissions are broader than expected (0640). |
@marefr @kylebrandt @papagian Please have another look. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Two possible code considerations for checking an error and moving this to its own function, but leave those to your judgement.
I agree with the logging choice.
Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
I've tested it again and works as expected in my development environment. |
* master: (195 commits) update latest to 7.1.1 (grafana#26588) changelog 7.1.1 (grafana#26586) Drone: Reduce parallelism of certain steps to conserve memory (grafana#26582) CloudWatch: Fix a few API status codes (grafana#26578) Drone: Identify Drone runner for each pipeline (grafana#26573) DashboardImport: Fix variable interpolation when property contains multiple variable expressions (grafana#26574) Update TextArea.mdx (grafana#26225) CloudWatch: Fix passing of namespace for getting custom metrics (grafana#26515) Alerting: Change settings column type to mediumtext (grafana#26549) Dashboard: Restore panel edit permission check, fixes 26555' (grafana#26556) Docs: Add variable examples (grafana#26565) Graph: support setting field units (grafana#26529) cloudwatch: Consolidate client logic (grafana#25555) Docs: Add dependencies for debian buster to image rendering plugin (grafana#26452) Fix self cloosing bracket to display input (grafana#26552) SQLite: Set 0640 permissions on SQLite database file (grafana#26339) Docs: Remove TODO from the CloudWatch docs (grafana#26543) Cloudwatch: Add af-south-1 region (grafana#26513) LDAP: fix LDAP test with special chars in username (grafana#26539) HTTPServer: add possibility to use additional middlewares (grafana#26514) ...
What this PR does / why we need it:
#8283 points out that the we should restrict access to the SQLite database file, so only the owner can use it. This PR ensures the file has permissions 0640 (read/write for owner, read for group) when it gets created. If the file already exists and has broader permissions, a warning will be logged.
@wz2b @austinbutler does this look right to you?
Which issue(s) this PR fixes:
Fixes #8283.
Special notes for your reviewer: