teapot
1
Hi,
I am new to Tiny Tiny RSS and, as far as I could test it, I love it! For some context, I installed tt-rss from git, following the official wiki InstallationNotesHost.
As I am a bit concerned about my server security, I tried to find the best read/write setup. When I was testing, I came across alerts from include/sanity_check.php asking me to run some chmod -R 777, which is not really secure.
In case you want to update the documentation, here is what I used. I tested every action I could think of except the update process.
# Assuming that you are in tt-rss git and that your web user is www-data.
# By default, the user can do everything and the group can only read or go through directories.
find . -type f -exec chmod 640 {} \;
find . -type d -exec chmod 750 {} \;
# By default, root is the file owner, so only root can apply changes. The web server is granted group access, so read only.
chown -R root:www-data .
# Grant full access to CACHE_DIR, ICONS_DIR and LOCK_DIRECTORY.
chown -R www-data: ./cache ./feed-icons ./lock
# Disallow some dangerous or unnecessary folders/files. ".[^.]*" will match all hidden files/directories but not the current folder "." or the parent folder "..".
chown -R root: .[^.]* *.md install *.json
Following the documentation, the update process should not be impacted, but it will be necessary to run the script again afterwards.
In case you find it interesting to add this kind of subject to the documentation, I will work on my SELinux configuration and can post it too when I am done testing it.
I don’t often write in English, so don’t hesitate to give me feedback if I’m not clear in what I say! Also open to other security advice!
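The mode part of the recipe above, as an added shell example that is not from the thread or the tt-rss project: it builds a throwaway directory tree laid out like a tt-rss checkout (constructed paths), starts it in the loose 777 state the sanity-check advice would leave behind, applies the find/chmod steps, and then audits the tree for world-writable entries and for anything that does not match 640/750. The chown steps need root, so they are deliberately not exercised here.

```shell
#!/bin/sh
# Added example, not code from the thread: build a throwaway tree mimicking the
# tt-rss layout (constructed paths), apply the chmod part of the recipe above,
# and audit the result. The chown steps require root and are left out.
set -e

# Create a sample tree with deliberately loose 777 modes (the state a
# "chmod -R 777" would leave behind). Prints the tree's path.
make_sample_tree() {
    tree=$(mktemp -d)
    mkdir -p "$tree/include" "$tree/cache/images" "$tree/feed-icons" "$tree/lock" "$tree/install"
    : > "$tree/index.php"
    : > "$tree/include/sanity_check.php"
    : > "$tree/README.md"
    : > "$tree/cache/images/.empty"
    : > "$tree/install/index.php"
    chmod -R 777 "$tree"
    printf '%s\n' "$tree"
}

# Apply the recipe's modes: regular files 640, directories 750.
harden_modes() {
    find "$1" -type f -exec chmod 640 {} \;
    find "$1" -type d -exec chmod 750 {} \;
}

# Number of entries under $1 writable by "other" (-002 is the portable spelling of o+w).
count_world_writable() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# Number of entries under $1 whose mode is not exactly 640 (files) or 750 (directories).
count_unexpected_modes() {
    { find "$1" -type f ! -perm 640; find "$1" -type d ! -perm 750; } | wc -l | tr -d ' '
}

TREE=$(make_sample_tree)
BEFORE=$(count_world_writable "$TREE")
harden_modes "$TREE"
AFTER=$(count_world_writable "$TREE")
printf 'world-writable entries: %s before, %s after hardening\n' "$BEFORE" "$AFTER"
```

On a real install the two count functions are the useful part: run them against the tt-rss directory after applying the full recipe (including the chown steps) to confirm that nothing, in particular the lock and cache directories, ended up world-writable.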
fox
2
i think you forgot to tell us why.
please don’t forget to take into account that 1) sanity check fails on this usually when you first start tt-rss so cache/lock directories are empty and 2) containers.
you’re going to stop doing that first time you manage to run this in a wrong directory.
ah yes the inherent unimaginable dangers of README.md.
well, at least you managed not to include chown -R someone .* which is another thing a linux user usually does, once.
not really, no.
e: i guess the ironic part of this armchair security analysis is that you’re seemingly running tt-rss on the host directly.
teapot
3
Well, I wasn’t being aggressive, or at least I hope so! Nor was I really questioning other people’s skills… But well noted, I will not share security advice here anymore.
About the why, probably because I was testing read/write setups… I am not questioning the fact that the message appears (which is great) but the content of the message, which is a common but insecure habit.
Not really, I am using a VM, but why that instead of Docker is a completely different topic.
fox
4
i guess the arguments about inherent dangers of world-writable lockfile directories are not forthcoming.