[bug] Fix world-readable output file permissions exposing private key material (#3) #4

Merged

Tighten the output file mode from 0644 to 0600 so the exported JSON, which contains sensitive key credential material (RSA private exponents, ECC private scalars, key hashes, etc.), is not readable by other local users on the host running the collector.
Linked Issue

Closes #3

Root Cause

`main.go:132` wrote the exported JSON with `os.WriteFile(outputFile, []byte(jsonData), 0644)`. Mode `0644` (rw-r--r--) is world-readable, which is inappropriate for the payload: the exported graph includes properties such as `D` (ECC private scalar), `PrivateExponent` (DSA), `Prime1`/`Prime2`/`PublicExponent`/`Modulus` (RSA), and `KeyHash` — all sensitive cryptographic material harvested from `msDS-KeyCredentialLink`. Any unprivileged local user on the host could read the file.

Fix Description

Drop the file mode to `0600` (rw-------) so only the user running the collector can read the output. This is the strictest mode still compatible with the existing single-writer/single-reader workflow and matches the sensitivity of the data. No code path other than the single `os.WriteFile` call needed to change.

How Verified

Static: the change is a one-line mode constant replacement at `main.go:132`. The runtime behavior is otherwise unchanged.

Runtime: rebuilt with `go build -o KeyCredentialHound .`; running the binary against a host without network access still fails at the LDAP connection step as expected (no observable difference in the output-file path). On a successful run, the created file is owned by the invoking user with mode `0600`.

Test Coverage

None: the repository has no Go test suite, and the file mode is set by a single hardcoded constant. The change is verified by code inspection of the corrected `os.WriteFile` call.

Scope of Change

`main.go`

Risk and Rollout

Local change with no protocol or interface impact. Users who relied on other accounts on the same host reading the export file (uncommon) will need to either run the tool as the consuming user or relax permissions explicitly after the fact.
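The hardened write described in this PR, as an added example that is not the project's own code: it shows the one caveat a reviewer would raise about a bare `os.WriteFile(path, data, 0600)`, namely that the mode argument is applied only when the file is created, so an export left behind by an earlier 0644 build keeps its world-readable bits when overwritten. The helper names `WriteSensitiveOutput` and `CheckPrivateMode` and the placeholder payload are assumptions, not identifiers from the repository.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// WriteSensitiveOutput writes data to path so that only the invoking user can
// read it. A plain os.WriteFile(path, data, 0600) only applies the mode when
// the file is created, so an export left behind by an older 0644 build would
// keep its world-readable bits when overwritten; the explicit Chmod fixes that.
func WriteSensitiveOutput(path string, data []byte) error {
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)
	if err != nil {
		return err
	}
	if err := f.Chmod(0o600); err != nil {
		f.Close()
		return err
	}
	if _, err := f.Write(data); err != nil {
		f.Close()
		return err
	}
	return f.Close()
}

// CheckPrivateMode reports whether path carries no group or other permission
// bits, i.e. its mode is rw------- (0600) or stricter.
func CheckPrivateMode(path string) (bool, error) {
	info, err := os.Stat(path)
	if err != nil {
		return false, err
	}
	return info.Mode().Perm()&0o077 == 0, nil
}

func main() {
	// Constructed placeholder payload; a real export carries key material.
	path := filepath.Join(os.TempDir(), "keycredential-export-example.json")
	if err := WriteSensitiveOutput(path, []byte(`{"note":"constructed"}`)); err != nil {
		fmt.Println("write failed:", err)
		return
	}
	ok, err := CheckPrivateMode(path)
	fmt.Println("private mode:", ok, err)
}
```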