limepotato/akkoma
1
0
Fork 0
Code Pull requests Activity

Config: Restrict permissions of OTP config file

Browse source 
Original: 8cc8100120
This commit is contained in:
Haelwenn (lanodan) Monnier 2023-06-22 00:46:52 +02:00 committed by Norm
parent 0b2ec0ccee
commit ae03513934
No known key found for this signature in database
GPG key ID: 7123E30E441E80DE
1 changed files with 14 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
lib/pleroma/config/release_runtime_provider.ex
View file

@ -22,6 +22,20 @@ defmodule Pleroma.Config.ReleaseRuntimeProvider do
with_runtime_config = with_runtime_config =
if File.exists?(config_path) do if File.exists?(config_path) do
# <https://git.pleroma.social/pleroma/pleroma/-/issues/3135>
%File.Stat{mode: mode} = File.lstat!(config_path)
if Bitwise.band(mode, 0o007) > 0 do
raise "Configuration at #{config_path} has world-permissions, execute the following: chmod o= #{config_path}"
end
if Bitwise.band(mode, 0o020) > 0 do
raise "Configuration at #{config_path} has group-wise write permissions, execute the following: chmod g-w #{config_path}"
end
# Note: Elixir doesn't provides a getuid(2)
# so cannot forbid group-read only when config is owned by us
runtime_config = Config.Reader.read!(config_path) runtime_config = Config.Reader.read!(config_path)
with_defaults with_defaults