[Feature Request] Proper permission setting for /etc/v2ray/config.json #2287
BeautyyuYanli started this conversation in Ideas
-
We can also use Credentials with DynamicUser:

```ini
[Service]
DynamicUser=true
LoadCredential=config.json:/etc/v2ray/config.json
ExecStart=/usr/bin/v2ray -config ${CREDENTIALS_DIRECTORY}/config.json
```
-
IMO you should try to avoid running untrustworthy programs on devices with sensitive data. And if you have to, run them in isolated environments like sandboxes or containers, and set up MAC like SELinux or AppArmor. Merely changing file permissions won't protect you against such programs; the adversaries could deduce that you are using V2Ray, and potentially your server configuration, from the command hash table, shell history, system caches and browser data.
-
The config file contains all the info (and secrets) of the tunnels, however it is not properly protected. By default, the permission setting of the dir `/etc` doesn't forbid read access to the files in it. It can be dangerous as all the applications (including those produced somewhere, e.g. linuxqq) can read users' v2ray config.

My proposal is to add a new user (i.e. `v2ray`) to run the program. The permission setting for `config.json` should be like:

and `v2ray.service`:

Related to #428
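A quick way to check the exposure described in the original post, as an added example that is not part of the thread or of the V2Ray project: the function name `audit_config` and the script name `audit.sh` are hypothetical, and only the mode bits for "other" are tested (ACLs and MAC policy are not inspected).

```shell
#!/bin/sh
# Added example: check whether a secrets-bearing config file is exposed to
# every local account. Exit status: 0 = not exposed, 1 = exposed, 2 = missing.

# perm_set FILE BITS: true if FILE (symlinks followed) has all octal BITS set.
perm_set() {
    [ -n "$(find -L "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

audit_config() {
    cfg=$1
    if [ ! -e "$cfg" ]; then
        echo "MISSING  $cfg"
        return 2
    fi
    result=0
    if perm_set "$cfg" 004; then
        echo "EXPOSED  $cfg is readable by every local user (o+r)"
        result=1
    fi
    if perm_set "$cfg" 002; then
        echo "EXPOSED  $cfg is writable by every local user (o+w)"
        result=1
    fi
    if [ "$result" -eq 0 ]; then
        echo "OK       $cfg is not readable or writable by 'other'"
    fi
    return "$result"
}

# Stand-alone use (hypothetical script name): sh audit.sh /etc/v2ray/config.json
worst=0
for f in "$@"; do
    rc=0
    audit_config "$f" || rc=$?
    if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
done
# With no arguments the script only defines the functions above.
[ "$#" -eq 0 ] || exit "$worst"
```

A file that passes this check can still be read by any program running as its owner or as a member of its group, so the result only covers access granted to all local accounts.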