FS#55071 - [grafana] Insecure permissions on /var/lib/grafana
Attached to Project:
Community Packages
Opened by Florian Pritz (bluewind) - Tuesday, 08 August 2017, 09:28 GMT
Last edited by Sébastien Luttringer (seblu) - Wednesday, 06 September 2017, 00:48 GMT
Details
Description:
/var/lib/grafana/grafana.db is world readable by default and the parent directory is also accessible (755 in /usr/lib/tmpfiles.d/grafana.conf). The parent directory should only be readable by the grafana user itself (700). The grafana db may contain login credentials for data sources.

Additional info:
* package version(s) grafana 4.3.2-1
* config and/or log files etc. Use the sqlite db (default)
Closed by Sébastien Luttringer (seblu)
Wednesday, 06 September 2017, 00:48 GMT
Reason for closing: Fixed
Additional comments about closing: grafana 4.4.3-1
Edit: Should be 600 instead of 700
About grafana.ini, switching it to 600 makes the server unable to read its config.
So we need to move from dynamic user and group allocation to a static one to be able to set a file group in the package in order to let the server read the config.
My grafana config is without any password or secret like the default. Don't see the point to set it to 600 in my case.
As soon as someone puts a secret in a config file in /etc, we may consider that it is his job to secure it.
On the other hand, there are plenty of potential secrets (db, smtp, github, etc.) in this file, and making it secure by default is maybe the wise direction.
I had the exact same decision to make for kibana and I'm convinced it has far more value to be secure by default, for the cost of having an install file that creates a user, compared to simply having 'fancy' dynamic user creation.
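
The permission problem reported in this task can be checked on a host with a short audit script. This is an added example, not part of the bug report or the package; it assumes GNU `stat`, and the function names and the 600 limit applied to grafana.db are choices made for the example.

```shell
#!/bin/sh
# Added example (not from the bug report): flag Grafana state that users other
# than the owner can reach. Mode limits are assumptions: 700 for the directory
# (as the report asks) and 600 for grafana.db.

# mode_exceeds MODE LIMIT: succeed if MODE grants any bit that LIMIT does not.
mode_exceeds() {
    [ $(( 0$1 & ~0$2 & 07777 )) -ne 0 ]
}

# audit_grafana_dir DIR: return 0 if clean, 1 on findings, 2 if DIR is unreadable.
audit_grafana_dir() {
    dir=$1
    db=$dir/grafana.db
    rc=0
    dmode=$(stat -c %a "$dir" 2>/dev/null) || return 2
    if mode_exceeds "$dmode" 700; then
        echo "FAIL $dir has mode $dmode, expected at most 700"
        rc=1
    fi
    if [ -e "$db" ]; then
        fmode=$(stat -c %a "$db") || return 2
        if mode_exceeds "$fmode" 600; then
            echo "FAIL $db has mode $fmode, expected at most 600"
            rc=1
        fi
    fi
    return "$rc"
}

# Constructed demo in a scratch directory; on a real host, pass /var/lib/grafana.
demo=$(mktemp -d)
mkdir "$demo/grafana"
: > "$demo/grafana/grafana.db"

# Constructed modes: directory 755 as in the report, db world readable.
chmod 755 "$demo/grafana"; chmod 644 "$demo/grafana/grafana.db"
audit_grafana_dir "$demo/grafana" || echo "findings listed above"

# Tightened modes: owner-only access.
chmod 700 "$demo/grafana"; chmod 600 "$demo/grafana/grafana.db"
audit_grafana_dir "$demo/grafana" && echo "OK: no group/other access"

rm -rf "$demo"
```

The same `mode_exceeds` check can be pointed at grafana.ini, with the limit depending on whether the file relies on a dedicated group as discussed in the comments.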