
Incorrect default permissions for /etc/GeoIP.conf (world-readable) #328

Open
robert-scheck opened this issue Jul 11, 2024 · 1 comment

@robert-scheck

Since MaxMind does not offer any GeoIP/GeoLite data services anymore when not being registered with MaxMind, the current permissions of /etc/GeoIP.conf are incorrect from my point of view, because world-readable is too relaxed and causes by default the leak of the credentials to other local (unprivileged) Linux system users (who could copy them to third-party systems or whatever):

Name        : geoipupdate
Epoch       : 0
Version     : 7.0.1
Release     : 1
Architecture: x86_64
Install Date: (not installed)
Group       : 
Size        : 5642415
License     : Apache 2.0 or MIT
Signature   : (none)
Source RPM  : geoipupdate-7.0.1-1.src.rpm
Build Date  : Mo 08 Apr 2024 23:30:08 CEST
Build Host  : work
Packager    : MaxMind, Inc. <[email protected]>
Vendor      : MaxMind, Inc.
URL         : https://www.maxmind.com/
Summary     : Program to perform automatic updates of GeoIP2 and GeoLite2 binary databases.
Description :
Program to perform automatic updates of GeoIP2 and GeoLite2 binary databases.
-rw-r--r--    1 root     root                     1913 Apr  8 23:30 /etc/GeoIP.conf
-rwxr-xr-x    1 root     root                  5595288 Apr  8 23:30 /usr/bin/geoipupdate
drwxr-xr-x    2 root     root                        0 Apr  8 23:30 /usr/share/GeoIP
-rw-r--r--    1 root     root                    13221 Apr  8 23:29 /usr/share/doc/geoipupdate/CHANGELOG.md
-rw-r--r--    1 root     root                     1913 Apr  8 23:30 /usr/share/doc/geoipupdate/GeoIP.conf
-rw-r--r--    1 root     root                     3545 Apr  8 23:30 /usr/share/doc/geoipupdate/GeoIP.conf.md
-rw-r--r--    1 root     root                    11360 Apr  1 21:31 /usr/share/doc/geoipupdate/LICENSE-APACHE
-rw-r--r--    1 root     root                     1023 Jul 31  2020 /usr/share/doc/geoipupdate/LICENSE-MIT
-rw-r--r--    1 root     root                     4379 Apr  8 23:20 /usr/share/doc/geoipupdate/README.md
-rw-r--r--    1 root     root                     2509 Apr  8 23:30 /usr/share/doc/geoipupdate/geoipupdate.md
-rw-r--r--    1 root     root                     3083 Apr  8 23:30 /usr/share/man/man1/geoipupdate.1
-rw-r--r--    1 root     root                     4181 Apr  8 23:30 /usr/share/man/man5/GeoIP.conf.5

From my point of view, the permissions should be 0640 instead of 0644 aka world-readable. System administrators that want to relax the permissions for specific purposes should explicitly do so themselves.
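A defender-side check for the condition reported above, written as an added example and not code from the geoipupdate project: it audits a GeoIP.conf for the "credentials in a world-readable file" case and, only when asked, applies the 0640 mode the reporter proposes. It assumes the config carries credentials on `AccountID` / `LicenseKey` lines, as geoipupdate's documented config format does.

```shell
#!/bin/sh
# Added example (not from the geoipupdate project): audit a GeoIP.conf for
# MaxMind credentials sitting in a world-readable file, as in the issue.

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# True if the file carries credentials. Assumed key names: geoipupdate reads
# AccountID and LicenseKey from GeoIP.conf; comment lines are ignored.
has_credentials() {
    grep -Eq '^[[:space:]]*(AccountID|LicenseKey)[[:space:]]' "$1"
}

# audit_conf FILE
# Returns 0 if FILE is acceptable, 1 if it holds credentials and the "other"
# read bit is set (last octal digit 4-7), 2 if FILE does not exist.
audit_conf() {
    f=$1
    [ -f "$f" ] || { echo "$f: missing"; return 2; }
    mode=$(file_mode "$f")
    others=${mode#"${mode%?}"}          # last octal digit = "other" bits
    if has_credentials "$f" && [ $((others & 4)) -ne 0 ]; then
        echo "$f: mode $mode is world-readable but contains credentials; expected 0640"
        return 1
    fi
    echo "$f: mode $mode ok"
    return 0
}

# fix_conf FILE
# The remediation the reporter suggests: keep ownership, drop all access for
# "other". Only run when called explicitly; audit_conf never modifies anything.
fix_conf() {
    chmod 0640 "$1" && audit_conf "$1"
}

# Stand-alone use: sh audit-geoip-conf.sh /etc/GeoIP.conf [more files...]
if [ "$#" -gt 0 ]; then
    for path in "$@"; do audit_conf "$path"; done
fi
```

Packaged files can also be compared against the RPM database with `rpm -V geoipupdate`, which flags a mode that no longer matches the package's recorded 0644 after the fix has been applied by hand.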

@oschwald
Member

I agree that it would be better if this file was not world-readable. This would likely be a breaking change for some users. We will likely hold off changing this until we release a new major version.
