Zope 2

Set permissions of Data.fs to sane value

Bug #143747 reported by Berthold Stöger
2
Affects Status Importance Assigned to Milestone
ZODB
Invalid
Medium
Unassigned
Zope 2
Invalid
Undecided
Unassigned

Bug Description

When installing a Zope instance, Data.fs by default ends up with permissions 0644. Permissions should instead probably be set to 0600 independently of umask, since there seems to be no reason that anyone but the application server (and maybe backup programs) should be able to read the file. On the other hand a world readable Data.fs poses a security risk on multi-user systems (think for example stored DB-Passwords).

Tags: bug zope
Revision history for this message
Andreas Jung (ajung) wrote :

The right place is possible in FileStorage.py:

        if self._file is None and create:
            if os.path.exists(file_name):
                os.remove(file_name)

            self._file = open(file_name, 'w+b')
>> os.chmod(....)
             self._file.write(packed_version)

Revision history for this message
Jens Vagelpohl (dataflake-deactivatedaccount-deactivatedaccount) wrote :

Moving to the ZODB project

affects: zope2 → zodb
Revision history for this message
Tres Seaver (tseaver) wrote :

Controlling this setting is *policy*, and belongs in the config file: not surprisingly, the 'umask' value in the ZConfig schemas for both Zope2 and zdaemon allow this value to be tweaked.

Changed in zope2:
status: New → Invalid
Changed in zodb:
status: New → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.