File permissions for validator client API keys are insecure #2437
Labels
low-hanging-fruit: Easy to resolve, get it before someone else does!
security
v2.0.0: Altair on mainnet release (v2.0.0)
Description
A validator client uses two API keys: ".secp-sk" (secret key) and "api-token.txt" (the corresponding public key).
Both files are stored in a user directory with 644 permission bits.
So any user on the host can read them.
To reproduce the issue just run:
Version
Lighthouse/v1.4.0-3b600ac
Expected Behaviour
Permission bits must be 600.
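
An added example, not part of the original issue and not Lighthouse's own code: one way to create a key file with 600 from the first system call, and to detect and tighten an existing 644 file. The function names and the token contents are assumptions made for illustration; only the two file names come from the issue. Unix only.

```rust
use std::fs::{self, OpenOptions, Permissions};
use std::io::{self, Write};
use std::os::unix::fs::{OpenOptionsExt, PermissionsExt};
use std::path::Path;

/// Create a key file that is owner-only from the moment it exists.
/// Passing the mode to open() avoids the window a create-then-chmod leaves.
pub fn write_secret(path: &Path, contents: &[u8]) -> io::Result<()> {
    let mut file = OpenOptions::new()
        .write(true)
        .create_new(true) // O_EXCL: never reuse a file that already has looser bits
        .mode(0o600)
        .open(path)?;
    // The umask can only clear bits from the requested mode; pin it exactly.
    file.set_permissions(Permissions::from_mode(0o600))?;
    file.write_all(contents)
}

/// Permission bits of `path` (rwx for owner, group, other).
pub fn mode_bits(path: &Path) -> io::Result<u32> {
    Ok(fs::metadata(path)?.permissions().mode() & 0o777)
}

/// True when group or other have any access, as with the 644 in the issue.
pub fn is_exposed(path: &Path) -> io::Result<bool> {
    Ok(mode_bits(path)? & 0o077 != 0)
}

/// Tighten an already-written key file to 600; returns whether it changed.
pub fn harden(path: &Path) -> io::Result<bool> {
    if !is_exposed(path)? {
        return Ok(false);
    }
    fs::set_permissions(path, Permissions::from_mode(0o600))?;
    Ok(true)
}

fn main() -> io::Result<()> {
    // Constructed demo directory and token, not a real validator directory.
    let dir = std::env::temp_dir().join(format!("vc-perm-demo-{}", std::process::id()));
    fs::create_dir_all(&dir)?;
    let token = dir.join("api-token.txt");
    fs::write(&token, b"constructed-token")?;
    fs::set_permissions(&token, Permissions::from_mode(0o644))?;
    println!("before: {:o} exposed={}", mode_bits(&token)?, is_exposed(&token)?);
    harden(&token)?;
    println!("after:  {:o} exposed={}", mode_bits(&token)?, is_exposed(&token)?);
    fs::remove_dir_all(&dir)
}
```

Files written by an earlier version keep their old mode, so a fix that only changes how new files are created still needs a pass like `harden` over existing ones.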