Mongodb credentials saved in pritunl.conf readable to all users with shell access

avid-fan · March 18, 2023, 12:00pm

Hi,

Just noticed that /etc/pritunl.conf installs with 0644 permissions and since mongodb_uri is stored there in plain text… that allows any user with shell access take a peek at pritunl’s mongodb credentials. Concerning!..

(the good news is that pritunl didn’t mind me setting permissions to 0600)

zach · March 18, 2023, 11:54pm

The next release will update the permissions to 600 when loading and saving the configuration.

avid-fan · March 20, 2023, 1:12pm

That’s brilliant, thank you!..