Security problem with .env

When you run php bakery bake and it creates the app/.env file, it creates it with world-read rights (644, or rw-r--r--). That means anyone with access to the server can read the contents and get your database and email passwords. The permissions should be 600, or rw------- (possibly rw-r----- if the group is locked down to the minimum, system level processes that are in that group).

This isn’t an obscure bit of knowledge. It’s basic security - use the strictest possible permissions, and never EVER grant world-read rights to sensitive information. When you screw up something that basic, I really wonder what other hidden vulnerabilities there may be in the code. Has the system ever undergone a security review?

What kind of fix would you propose for the code base?

I’m not a security expert, but my understanding is this is more of a server config issue than code issue. Any file written by PHP will inherit the server filesystem settings (aka umask for Unix).

This would eventually be an issue with the doc, or DotenvEditor itself:

Also, I didn’t check if it’s stated in the doc, but the proper “secure” way to do things would be to use the server env over the .env file. Server env vars should be prioritized over the .env file, even if someone was to “write” it over using bake or any other bakery command.
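
The two points raised in this thread (a new file's mode comes from the process umask, and a secrets file should end up at 600) can be checked from a shell. This is an added example, not part of the thread or of the project's code; the function names and the temporary sample files are hypothetical.

```shell
#!/bin/sh
# Added example: audit and tighten the mode of a secrets file such as app/.env.

# Print the octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed (exit 0) if group or others hold any permission bit on the file.
has_group_or_world_access() {
    mode=$(file_mode "$1") || return 2
    [ $(( 0$mode & 077 )) -ne 0 ]
}

# Create an empty file the way a writer that never calls chmod does:
# the resulting mode is 0666 masked by the umask in effect.
# $1 = umask, $2 = path. The subshell keeps the caller's umask unchanged.
write_with_umask() {
    ( umask "$1" && : > "$2" )
}

# Restrict the file to owner read/write if it is wider, then print its mode.
harden_env_file() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 1; }
    if has_group_or_world_access "$1"; then
        chmod 600 "$1" || return 1
    fi
    file_mode "$1"
}

# Demo on constructed sample files in a temporary directory.
demo_dir=$(mktemp -d)
write_with_umask 022 "$demo_dir/.env"         # common default umask
write_with_umask 077 "$demo_dir/.env.strict"  # owner-only umask
echo "created under umask 022: $(file_mode "$demo_dir/.env")"
echo "created under umask 077: $(file_mode "$demo_dir/.env.strict")"
echo "after harden_env_file:   $(harden_env_file "$demo_dir/.env")"
rm -rf "$demo_dir"
```

Running `harden_env_file app/.env` after a bake, or setting `umask 077` in the shell before running it, are the two places this can be applied.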