security: create store entries with private permissions (ai:gpt-5) #53

New issue

Closed

opened 2026-05-23 22:20:39 +02:00 by heiko · 0 comments

heiko commented 2026-05-23 22:20:39 +02:00

Owner

Copy link

Finding from a whole-codebase security review.

Affected code:

• cmd/once-server/store/store.go:153-171 creates UUID directories with os.MkdirAll(f.path, 0777) and creates meta.json/content with os.Create.
• cmd/once-server/examples/once.service:12 mitigates this only for the packaged systemd path via UMask=0077.

Impact:
The store contains uploaded secrets. Outside the systemd example, permissions depend on the process umask. With a common umask like 0022, directories may become 0755 and files 0644, exposing uploaded content and metadata to other local users on the host. Security should not depend on deployment-specific umask hygiene.

Suggested fix:

• Create store directories with mode 0700.
• Create meta.json, temp metadata files, and content with mode 0600 via os.OpenFile.
• Consider chmod/migration for existing store entries whose permissions are too broad.
• Add tests that set a permissive umask temporarily and assert private store permissions.

Finding from a whole-codebase security review. Affected code: - cmd/once-server/store/store.go:153-171 creates UUID directories with `os.MkdirAll(f.path, 0777)` and creates `meta.json`/`content` with `os.Create`. - cmd/once-server/examples/once.service:12 mitigates this only for the packaged systemd path via `UMask=0077`. Impact: The store contains uploaded secrets. Outside the systemd example, permissions depend on the process umask. With a common umask like 0022, directories may become 0755 and files 0644, exposing uploaded content and metadata to other local users on the host. Security should not depend on deployment-specific umask hygiene. Suggested fix: - Create store directories with mode 0700. - Create `meta.json`, temp metadata files, and `content` with mode 0600 via `os.OpenFile`. - Consider `chmod`/migration for existing store entries whose permissions are too broad. - Add tests that set a permissive umask temporarily and assert private store permissions.

heiko added the

security

label 2026-05-24 18:44:09 +02:00

heiko referenced this issue from a commit 2026-05-24 20:43:23 +02:00

Merge branch 'fix/53-private-permissions' into security/all-fixes

heiko referenced this issue 2026-05-24 20:44:00 +02:00

security: comprehensive fixes for issues #48, #50, #51, #52, #53 ai:claude-sonnet-4-5 #61

heiko referenced this issue 2026-05-24 20:44:20 +02:00

security: comprehensive fixes for issues #48, #50, #51, #52, #53 ai:claude-sonnet-4-5 #61

heiko referenced this issue 2026-05-24 20:46:14 +02:00

security: comprehensive fixes for issues #48, #50, #51, #52, #53 ai:claude-sonnet-4-5 #61

heiko referenced this issue 2026-05-24 20:50:14 +02:00

security: comprehensive fixes for issues #48, #50, #51, #52, #53 ai:claude-sonnet-4-5 #61

heiko referenced this issue from a commit 2026-05-24 20:56:24 +02:00

security: enforce private permissions on store entries (fixes #53) ai:claude-sonnet-4-5

heiko closed this issue 2026-05-24 20:56:24 +02:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

nagonag/update-master

fix/44-log-removal-details

debian

once.css

dev

v2.5.13-0.20260527114056-db01c609fc25

deb/v2.5.12-1

v2.5.12

deb/v2.5.11-1

v2.5.11

deb/v2.5.10-0.20260524190140-f81a5573a1da-2

deb/v2.5.10-0.20260524190140-f81a5573a1da-1

v2.5.10-0.20260524190140-f81a5573a1da

v2.5.10-0.20260524132651-90531c0633c8

v2.5.9

v2.5.9-0.20260524121920-a8bd0d1e45a4

v2.5.9-0.20260524115638-1a8fe03c73c5

deb/v2.5.8-1

v2.5.8

v2.5.7

v2.5.6

v2.5.5

v2.5.4

v2.5.4-0.20250910115912-7b669c0bd9aa

v0.0.0-20250910115912-7b669c0bd9aa

v2.5.3

v2.5.2

v2.5.1

v2.5.0

v0.0.0-20250519211121-6ae54abed7ef

v2.4.4

v2.4.3

debian/2.4.2-1

v2.4.2

debian/2.4.1-1

v2.4.1

debian/2.4-1

v2.4

v2.3

debian/2.2-1-g04382ef-1

v2.2-1-g04382ef

debian/2.2-1

v2.2

debian/2.1-1

v2.1

debian/2.0-1

v2.0

debian/1.3-1-gbfa9b7c-1

v1.3-1-gbfa9b7c

debian/1.3-1

v1.3

debian/1.2-11-g73e5390-1

1.2-11-g73e5390

debian/1.2-1

1.2

debian/1.1-1

1.1

debian/1.0-1

1.0

debian/0.3-4-gf628485-1

0.3-4-gf628485

debian/0.3-3-g94ce876-1

0.3-3-g94ce876

debian/0.3-2

0.3

debian/0.2.5-7

debian/0.2.5-6

debian/0.2.5-5

debian/0.2.5-4

debian/0.2.5-3

debian/0.2.5-2

debian/0.2.5-1

0.2.5

debian/0.2.4-1

0.2.4

debian/0.2.3-1

0.2.3

debian/0.2.2-0

0.2.2

0.2.1

0.2

0.1

Labels

Clear labels   

nagonag

Automated dependency scan finding

  

nagonag/ignore

Ignore this nagonag finding

  

bug

Something is not working

  

doc

Missing or wrong documentation

  

duplicate

This issue or pull request already exists

  

enhancement

New feature

  

help wanted

Need some help

  

invalid

Something is wrong

  

question

More information is needed

  

security

This is security relevant

  

wontfix

This won't be fixed

No labels

nagonag

nagonag/ignore

bug

doc

duplicate

enhancement

help wanted

invalid

question

security

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

IUS/once#53

No description provided.