Security: Database file created with world-writable permissions (0o666/0o777) #123

Closed
opened 2026-05-17 21:27:12 -05:00 by null · 0 comments

Problem

server/index.js creates the database directory with chmodSync(dbDir, 0o777) (world-writable) and the database file with chmodSync(dbPath, 0o666) (world-writable). This means any process on the host or in the container can read, modify, or delete the database.

While Docker runs as a non-root user (UID 1001), the 0o777/0o666 permissions undermine that security boundary — any other container or process that can access the Docker volume could tamper with the database.

Additionally, server/db.js has the same pattern (though it is dead code — see #120).

Fix

Remove the chmodSync calls entirely. Let the database inherit the default permissions from the Docker volume mount. The non-root user (UID 1001) will still be able to read/write the file.

If permission issues arise, use the Docker volume driver or a chown in the entrypoint script instead.

Files

  • server/index.js — lines with chmodSync
  • server/db.js — lines with chmodSync (dead code, but should also be fixed or deleted per #120)

Severity

Medium — in a Docker environment with no other containers sharing the volume, risk is limited. But it is a bad practice and violates least-privilege principles.

null closed this issue 2026-05-17 21:35:15 -05:00
Reference: null/Queue-North-Website#123