Collabora App: Clear-text password in world-readable file

Hi all,

I am testing Collabora Office within NS8 Nextcloud from @stephdl. I found this:

collabora1@ns8test:~/.config/state$ ls -l password.env
-rw-r--r-- 1 collabora1 collabora1 18 Jan 21 10:54 password.env

This file contains the password for the Collabora server in clear text, and is world-readable. I think this is a security no-go and probably a bug.

1 Like

What is the distro you use, Debian, Rocky?

Normally the password is not readable from another user.

Show the permission of the file.
Try to access from another user (module user for example).

This password is needed by Collabora from an environment file, IIRC.

2 Likes

On Rocky I have:


[root@r3-pve ~]# ll /home/
total 0
drwx------. 4 grafana1       grafana1       35 Jan 14 17:36 grafana1
drwx------. 4 lamp2          lamp2          72 Jan 15 18:30 lamp2
drwx------. 4 ldapproxy1     ldapproxy1     35 Jan 14 17:09 ldapproxy1
drwx------. 4 loki1          loki1          35 Jan 14 17:09 loki1
drwx------. 4 mail2          mail2          35 Jan 20 10:32 mail2
drwx------. 4 mariadb1       mariadb1       35 Jan 15 22:09 mariadb1
drwx------. 4 openldap1      openldap1      35 Jan 17 14:59 openldap1
drwx------. 4 prometheus1    prometheus1    35 Jan 14 17:34 prometheus1
drwx------. 4 roundcubemail1 roundcubemail1 35 Jan 20 10:33 roundcubemail1
drwx------. 4 sogo1          sogo1          35 Jan 20 10:41 sogo1
drwx------. 4 traefik1       traefik1       35 Jan 14 17:09 traefik1
drwx------. 4 webserver2     webserver2     56 Jan 17 17:33 webserver2
drwx------. 4 webserver3     webserver3     72 Jan 18 08:21 webserver3
drwx------. 4 webtop1        webtop1        35 Jan 20 10:40 webtop1
[root@r3-pve ~]# runagent -m mariadb1
runagent: [INFO] starting bash -l
runagent: [INFO] working directory: /home/mariadb1/.config/state
[mariadb1@r3-pve state]$ cd /home/mail2/
bash: cd: /home/mail2/: Permission denied
[mariadb1@r3-pve state]$ ls -la   /home/mail2/*
ls: cannot access '/home/mail2/*': Permission denied
[mariadb1@r3-pve state]$ ls -la   /home/mail2/.config/state/environnement 
ls: cannot access '/home/mail2/.config/state/environnement': Permission denied

1 Like

My machine is using Debian. You are right: the directories in /home have proper permissions, so subfolders should not be accessible by other users. Thank you for the hint.

root@ns8test:~# ls -l /home
insgesamt 28
drwx------ 4 collabora1 collabora1 4096 21. Jan 12:09 collabora1
drwx------ 4 ldapproxy1 ldapproxy1 4096 21. Jan 10:31 ldapproxy1
drwx------ 4 loki1 loki1 4096 21. Jan 10:31 loki1
drwx------ 4 nextcloud1 nextcloud1 4096 21. Jan 10:38 nextcloud1
drwx------ 4 openldap1 openldap1 4096 21. Jan 10:33 openldap1
drwx------ 4 traefik1 traefik1 4096 21. Jan 10:25 traefik1

2 Likes

No problem, this was a good question. I recall something with the first NethServer 8 installation and Debian where /home was world-readable. We have fixed the issue, but only for newer installations; former installations should fix the permission by themselves, IIRC.
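
The check discussed in this thread, as an added example that is not part of the original posts or of NS8: a 0644 file is only exposed to other users if every parent directory also grants them traversal (o+x), which a 0700 module home does not. The function names and the optional `TOP` argument are assumptions of this sketch; it relies on GNU `stat` and `realpath` and evaluates mode bits only, not ACLs or SELinux.

```shell
# Added example, not NS8 code. Mode bits only: ACLs and SELinux are ignored.

# other_digit PATH: print the "other" permission digit (0-7) of PATH.
other_digit() {
    mode=$(stat -c '%a' -- "$1") || return 2   # GNU stat, e.g. "644"
    printf '%s\n' "${mode#"${mode%?}"}"        # keep the last octal digit
}

# world_reachable FILE [TOP]
# Prints "exposed" when other users can read FILE, else "blocked by <path>"
# naming the component nearest to FILE that stops them.
# TOP (assumed parameter, default /) is the directory where the walk ends.
world_reachable() (
    file=$(realpath -- "$1") || return 2
    top=$(realpath -- "${2:-/}") || return 2
    [ -f "$file" ] || return 2

    # The file itself needs o+r (digit 4, 5, 6 or 7).
    case $(other_digit "$file") in
        4|5|6|7) ;;
        *) echo "blocked by $file"; return 1 ;;
    esac

    # Every parent directory needs o+x (digit 1, 3, 5 or 7) to be traversed.
    dir=$(dirname -- "$file")
    while :; do
        case $(other_digit "$dir") in
            1|3|5|7) ;;
            *) echo "blocked by $dir"; return 1 ;;
        esac
        if [ "$dir" = "$top" ] || [ "$dir" = "/" ]; then break; fi
        dir=$(dirname -- "$dir")
    done
    echo "exposed"
)
```

Run as root or as the module user, for example `world_reachable /home/collabora1/.config/state/password.env`; on an installation where /home itself was left world-readable, the answer depends on the mode of the module's home directory.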