Config: Restrict permissions of OTP config file

Original: 8cc8100120
This commit is contained in:
Haelwenn (lanodan) Monnier 2023-06-22 00:46:52 +02:00 committed by Norm
parent 0b2ec0ccee
commit ae03513934
Signed by untrusted user: norm
GPG key ID: 7123E30E441E80DE

View file

@ -22,6 +22,20 @@ def load(config, opts) do
with_runtime_config = with_runtime_config =
if File.exists?(config_path) do if File.exists?(config_path) do
# <https://git.pleroma.social/pleroma/pleroma/-/issues/3135>
%File.Stat{mode: mode} = File.lstat!(config_path)
if Bitwise.band(mode, 0o007) > 0 do
raise "Configuration at #{config_path} has world-permissions, execute the following: chmod o= #{config_path}"
end
if Bitwise.band(mode, 0o020) > 0 do
raise "Configuration at #{config_path} has group-wise write permissions, execute the following: chmod g-w #{config_path}"
end
# Note: Elixir doesn't provides a getuid(2)
# so cannot forbid group-read only when config is owned by us
runtime_config = Config.Reader.read!(config_path) runtime_config = Config.Reader.read!(config_path)
with_defaults with_defaults