Fix user file permissions on create (#4507)

User files contain secrets and should be protected.
Chances are that the user folder can be protected as well,
so let's do that if TL is creating the folder.
This commit is contained in:
Reto 2022-04-12 02:47:22 +02:00 committed by GitHub
parent 815319810c
commit d7bba325a7
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 10 additions and 4 deletions

View file

@ -173,7 +173,9 @@ ClientManager.prototype.addUser = function (name, password, enableLog) {
}; };
try { try {
fs.writeFileSync(userPath, JSON.stringify(user, null, "\t")); fs.writeFileSync(userPath, JSON.stringify(user, null, "\t"), {
mode: 0o600,
});
} catch (e) { } catch (e) {
log.error(`Failed to create user ${colors.green(name)} (${e})`); log.error(`Failed to create user ${colors.green(name)} (${e})`);
throw e; throw e;
@ -235,7 +237,9 @@ ClientManager.prototype.saveUser = function (client, callback) {
try { try {
// Write to a temp file first, in case the write fails // Write to a temp file first, in case the write fails
// we do not lose the original file (for example when disk is full) // we do not lose the original file (for example when disk is full)
fs.writeFileSync(pathTemp, newUser); fs.writeFileSync(pathTemp, newUser, {
mode: 0o600,
});
fs.renameSync(pathTemp, pathReal); fs.renameSync(pathTemp, pathReal);
return callback ? callback() : true; return callback ? callback() : true;

View file

@ -31,5 +31,5 @@ function initalizeConfig() {
log.info(`Configuration file created at ${colors.green(Helper.getConfigPath())}.`); log.info(`Configuration file created at ${colors.green(Helper.getConfigPath())}.`);
} }
fs.mkdirSync(Helper.getUsersPath(), {recursive: true}); fs.mkdirSync(Helper.getUsersPath(), {recursive: true, mode: 0o700});
} }

View file

@ -63,7 +63,9 @@ function change(name, password) {
// Write to a temp file first, in case the write fails // Write to a temp file first, in case the write fails
// we do not lose the original file (for example when disk is full) // we do not lose the original file (for example when disk is full)
fs.writeFileSync(pathTemp, newUser); fs.writeFileSync(pathTemp, newUser, {
mode: 0o600,
});
fs.renameSync(pathTemp, pathReal); fs.renameSync(pathTemp, pathReal);
log.info(`Successfully reset password for ${colors.bold(name)}.`); log.info(`Successfully reset password for ${colors.bold(name)}.`);