[Pkg-graphite-maint] Bug#882691: graphite-web: local_settings.py is world-readable, exposes password to local users

Guillaume guillaume at atto.be
Sat Nov 25 18:41:30 UTC 2017


Package: graphite-web
Version: 1.0.2+debian-2

Configuration file /etc/graphite/local_settings.py is world-readable by
default (644), which is bad because this file is meant to contain a
secret password.

If the administrator is not extra-careful, he will define a secret
password but won't notice the file is world-readable by default.

Best security practices include the principle of least privilege, thus
this file should be chmod 600 or chmod 640.

$ ls -lah /etc/graphite/local_settings.py
-rw-r--r-- 1 root root 8.8K Sep 20  2015 /etc/graphite/local_settings.py

I verified the package file is indeed world-readable (644):

$ tar tJvf data.tar.xz | grep local_settings.py
-rw-r--r-- root/root     15537 2017-09-23 13:56 ./etc/graphite/local_settings.py

Extract of the file's content upon install:

#####################################
# General Configuration #
#####################################
# Set this to a long, random unique string to use as a secret key for this
# install. This key is used for salting of hashes used in auth tokens,
# CRSF middleware, cookie storage, etc. This should be set identically among
# instances if used behind a load balancer.
#SECRET_KEY = 'UNSAFE_DEFAULT'



Regards,

Guillaume
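An added check, not part of the bug report or of the Debian package, that an administrator could run against a settings file like the one above: it flags the exact combination described here, an uncommented SECRET_KEY that is no longer the shipped 'UNSAFE_DEFAULT' placeholder in a file whose mode still grants read access to "other". The function name, the verdict words and the sample file are assumptions of this example; `stat -c` is the GNU coreutils form.

```shell
#!/bin/sh
# Hypothetical helper (example code): print one verdict word for a settings file.
#   EXPOSED  - a real SECRET_KEY is set and the file is world-readable
#   OK       - either no active secret, or mode denies read to "other"
#   MISSING  - file does not exist
audit_secret_file() {
    f="$1"
    [ -f "$f" ] || { echo MISSING; return 0; }
    # Octal permission bits, e.g. 644; the last digit is the "other" class.
    mode=$(stat -c '%a' "$f")
    other=$((mode % 10))
    # Bit value 4 in the "other" digit is the read permission.
    world_readable=$(( (other & 4) != 0 ))
    # An active secret: an uncommented SECRET_KEY assignment whose value is
    # not the placeholder shipped in the package's local_settings.py.
    if grep -Eq "^[[:space:]]*SECRET_KEY[[:space:]]*=" "$f" \
       && ! grep -Eq "^[[:space:]]*SECRET_KEY[[:space:]]*=[[:space:]]*['\"]UNSAFE_DEFAULT['\"]" "$f"; then
        has_secret=1
    else
        has_secret=0
    fi
    if [ "$has_secret" -eq 1 ] && [ "$world_readable" -eq 1 ]; then
        echo EXPOSED
    else
        echo OK
    fi
}

# Constructed sample: an admin set the key but left the shipped 644 mode.
demo=$(mktemp)
printf '%s\n' '# General Configuration' "SECRET_KEY = 'constructed-example-key'" > "$demo"
chmod 644 "$demo"
echo "$demo (644): $(audit_secret_file "$demo")"   # EXPOSED
chmod 640 "$demo"
echo "$demo (640): $(audit_secret_file "$demo")"   # OK
rm -f "$demo"
```

A mode of 640 is only as safe as the owning group; 600 is the stricter choice when nothing but root needs to read the file.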
