author | Haelwenn (lanodan) Monnier <contact@hacktivis.me> | 2023-06-22 00:46:52 +0200 |
committer | Haelwenn (lanodan) Monnier <contact@hacktivis.me> | 2023-08-04 09:50:28 +0200 |
commit | 8cc8100120abdbf26cfe4cdac2c0a012d7919e05 (patch) | |
tree | 6264fd0a147398ef55b59bbf510b89d3cbbda227 /lib | |
parent | 2c795094535537a8607cc0d3b7f076a609636f40 (diff) | |
Config: Restrict permissions of OTP config file
Diffstat (limited to 'lib')
-rw-r--r-- | lib/pleroma/config/release_runtime_provider.ex | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/lib/pleroma/config/release_runtime_provider.ex b/lib/pleroma/config/release_runtime_provider.ex
index 91e5f1a54..9ec0f975e 100644
--- a/lib/pleroma/config/release_runtime_provider.ex
+++ b/lib/pleroma/config/release_runtime_provider.ex
@@ -20,6 +20,20 @@ defmodule Pleroma.Config.ReleaseRuntimeProvider do
     with_runtime_config =
       if File.exists?(config_path) do
+        # <https://git.pleroma.social/pleroma/pleroma/-/issues/3135>
+        %File.Stat{mode: mode} = File.lstat!(config_path)
+
+        if Bitwise.band(mode, 0o007) > 0 do
+          raise "Configuration at #{config_path} has world-permissions, execute the following: chmod o= #{config_path}"
+        end
+
+        if Bitwise.band(mode, 0o020) > 0 do
+          raise "Configuration at #{config_path} has group-wise write permissions, execute the following: chmod g-w #{config_path}"
+        end
+
+        # Note: Elixir doesn't provides a getuid(2)
+        # so cannot forbid group-read only when config is owned by us
+
         runtime_config = Config.Reader.read!(config_path)
         with_defaults |
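Review bot: `File.lstat!(config_path)` on the new side does not follow symlinks, so when the config path is a symlink the mode being checked is the link's own mode rather than that of the file `Config.Reader.read!` actually loads; on Linux a symlink reports mode 0o777, so the `0o007` check would raise for a correctly secured target, and in general the link's bits say nothing about the real file. The file whose contents are read is what should be checked, so the line I would change is `%File.Stat{mode: mode} = File.stat!(config_path)`. The checks also say nothing about the containing directory: if the directory holding the config is group- or world-writable the file can be replaced regardless of its own mode, which seems worth a sentence next to the getuid note (something like `# The parent directory's permissions are not checked here`). Minor: the new comment reads `doesn't provides`; `doesn't provide`. The enclosing function starts before the hunk and continues past it.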