forked from PatchMon/PatchMon-agent
Closed
Labels
enhancement, low, security
Description
Several files and directories are created with permissions that could be more restrictive.
Locations
Directory creation with 0755
- `cmd/patchmon-agent/commands/root.go` line 90
- `internal/config/config.go` line 254
- `cmd/patchmon-agent/commands/version_update.go` lines 527, 562, 612
```go
_ = os.MkdirAll(filepath.Dir(logFile), 0755)
```
Crontab file with 0644
`internal/crontab/crontab.go` line 47
```go
if err := os.WriteFile(config.CronFilePath, []byte(content), 0644); err != nil {
```
Backup files with 0755
`cmd/patchmon-agent/commands/version_update.go` line 433
```go
return os.WriteFile(dst, data, 0755)
```
Note: Good Practice Found
Credentials file correctly uses 0600:
`internal/config/config.go` lines 165-167
```go
if err := os.Chmod(m.config.CredentialsFile, 0600); err != nil {
	return fmt.Errorf("error setting credentials file permissions: %w", err)
}
```
Recommended Fix
- Use more restrictive permissions for sensitive directories:
```go
// For /etc/patchmon/
_ = os.MkdirAll(filepath.Dir(logFile), 0750) // Group read/execute only
```
- For crontab, check minimum required permissions for cron daemon
- For backup files:
```go
return os.WriteFile(dst, data, 0700) // Owner only
```
Severity
🟢 LOW - Defense in depth
Labels
security, low
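
The permission changes listed in this issue, as an added Go example (not code from the PatchMon agent): `os.MkdirAll` and `os.WriteFile` apply their mode argument only when they create the path, so on an existing install the tighter literal alone changes nothing and an explicit `os.Chmod` is needed, as the credentials file already does. The helper names `ensureDir`, `writeFileMode` and `excessBits` and the scratch paths are hypothetical.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// ensureDir creates dir (and parents) and then forces mode on dir itself.
// os.MkdirAll leaves an existing directory's mode untouched and applies the
// process umask to new ones, so the explicit Chmod is what guarantees mode.
func ensureDir(dir string, mode fs.FileMode) error {
	if err := os.MkdirAll(dir, mode); err != nil {
		return err
	}
	return os.Chmod(dir, mode)
}

// writeFileMode writes data and then forces mode. os.WriteFile only applies
// its perm argument when it creates the file; an existing file keeps its mode.
func writeFileMode(path string, data []byte, mode fs.FileMode) error {
	if err := os.WriteFile(path, data, mode); err != nil {
		return err
	}
	return os.Chmod(path, mode)
}

// excessBits returns the permission bits set on path beyond want (0 = ok).
func excessBits(path string, want fs.FileMode) (fs.FileMode, error) {
	info, err := os.Stat(path)
	if err != nil {
		return 0, err
	}
	return info.Mode().Perm() &^ want, nil
}

func main() {
	root, _ := os.MkdirTemp("", "perm-demo") // constructed scratch directory
	defer os.RemoveAll(root)
	dir := filepath.Join(root, "etc-patchmon") // hypothetical stand-in path
	_ = os.Mkdir(dir, 0755)                    // simulate an existing install
	_ = os.Chmod(dir, 0755)
	_ = os.MkdirAll(dir, 0750) // mode argument alone changes nothing here
	before, _ := excessBits(dir, 0750)
	_ = ensureDir(dir, 0750)
	after, _ := excessBits(dir, 0750)
	fmt.Printf("excess before=%04o after=%04o\n", before, after)
}
```

`excessBits` can also serve as a startup or test-time check that the directories and files named in this issue carry no bits beyond the intended mode.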