heiko/cert-proxy
heiko/cert-proxy
1
0
Fork 0
Code Issues 14 Pull requests Releases 3 Activity Actions

Certificate output directories created with mode 0777 #28

New issue
Open
opened 2026-05-17 23:13:16 +02:00 by heiko · 1 comment
heiko commented 2026-05-17 23:13:16 +02:00
Owner
Copy link

Summary

internal/shared/mkdir.go:10 creates directories with mode 0777:

err := os.Mkdir(dir, 0777)

A typical umask of 022 reduces this to 0755 (world-readable and world-executable). Certificate subdirectories holding private key files should not be world-accessible.

Impact

Any local user can list the contents of the cert output directories. Combined with a permissive umask, the actual privkey.pem files inside may also be readable if their own permissions are misconfigured.

Fix

Use mode 0700 (or at minimum 0750) for directories that hold certificate material:

err := os.Mkdir(dir, 0700)
## Summary `internal/shared/mkdir.go:10` creates directories with mode `0777`: ```go err := os.Mkdir(dir, 0777) ``` A typical umask of `022` reduces this to `0755` (world-readable and world-executable). Certificate subdirectories holding private key files should not be world-accessible. ## Impact Any local user can list the contents of the cert output directories. Combined with a permissive umask, the actual `privkey.pem` files inside may also be readable if their own permissions are misconfigured. ## Fix Use mode `0700` (or at minimum `0750`) for directories that hold certificate material: ```go err := os.Mkdir(dir, 0700) ```
heiko commented 2026-05-22 11:38:23 +02:00
Author
Owner
Copy link

AI attribution comment added per repository instruction for this open issue.\n\n(co)authored by ai:gpt-5-codex

AI attribution comment added per repository instruction for this open issue.\n\n(co)authored by ai:gpt-5-codex
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
fix-35-oexcl
packaging
fix/31-reject-cn-path-separator
fix/23-atomic-symlink-replace
feature/frontmatter-svg
debian/bullseye
debian/sid
debian/buster
v1.20.0
v1.19.0
v1.18.3-0.20260429151056-d6246f587aca
v1.18.3-0.20260429150350-eeb96147f3c1
v1.18.2
1.18.1
1.18.0
1.17
debian/1.17-0
debian/1.17_RC0-1
1.17-RC0
1.16-RC1
debian/1.16-RC0-0
1.16-RC0
debian/1.15.3-2
debian/1.15.3-1
1.15.3
1.15.2
debian/1.15.1-2
debian/1.15.1-1
1.15.1
1.15
debian/1.14.1-2
debian/1.14.1-1
1.14.1
1.14
debian/1.13-1
1.13
debian/1.12-2
1.12
1.11
debian/1.10.2-2
debian/1.10.2-1
1.10.2
debian/1.10.1-1
1.10.1
1.10
debian/1.9-2
debian/1.9-1
1.9
debian/1.8-3
debian/1.8-2
debian/1.8-1
1.8
debian/1.7.1-1
1.7.1
debian/1.7-1
1.7
debian/1.6-1
1.6
debian/1.5-4
debian/1.5-3
debian/1.5-2
debian/1.5-1
1.5
1.4
1.3.1
debian/1.3-4
debian/1.3-3
debian/1.3-2
debian/1.3-1
debian/1.3-0
1.3
1.2
1.1
1.0
0.5
0.4
0.3
0.2
0.1
Labels
Clear labels   
bug
Something is not working

  
duplicate
This issue or pull request already exists

  
enhancement
New feature

  
help wanted
Need some help

  
invalid
Something is wrong

  
mod-nag
Automated dependency scan finding

  
mod-nag
Automated dependency scan finding

  
mod-nag
Automated dependency scan finding

  
mod-nag/ignore
Ignore this mod-nag finding

  
mod-nag/ignore
Ignore this mod-nag finding

  
mod-nag/ignore
Ignore this mod-nag finding

  
nagonag
Automated dependency scan finding

  
nagonag/ignore
Ignore this nagonag finding

  
question
More information is needed

  
security
Security vulnerability or hardening

  
wontfix
This won't be fixed

No labels
bug
duplicate
enhancement
help wanted
invalid
mod-nag
mod-nag
mod-nag
mod-nag/ignore
mod-nag/ignore
mod-nag/ignore
nagonag
nagonag/ignore
question
security
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
heiko/cert-proxy#28
No description provided.