Skip to content

Instantly share code, notes, and snippets.

@SkypLabs
Last active December 12, 2023 11:54
Show Gist options
  • Save SkypLabs/72ee00ecfa7d1a3494e2d69a24279c1d to your computer and use it in GitHub Desktop.
Save SkypLabs/72ee00ecfa7d1a3494e2d69a24279c1d to your computer and use it in GitHub Desktop.
AppWrite CLI - Too permissive access on preferences file

Appwrite CLI - Too permissive access on preferences file

Description

When using the login command, the Appwrite CLI tool stores the credentials of the Appwrite user in the ~/.appwrite/prefs.json file with 0644 as UNIX permissions. This is a security issue as it would allow any user of the local system to access those credentials.

Steps to reproduce

  1. Install the latest version of the Appwrite CLI (2.0.2 to this day).
  2. Log into an Appwrite instance using the appwrite login command.
  3. Check the permissions of the preferences file.

In practice:

❯ appwrite -v
2.0.2

❯ appwrite login
? Enter your email admin@redacted.com
? Enter your password ****************
? Enter the endpoint of your Appwrite server https://appwrite.redacted.com/v1

✓ Success 

❯ ll ~/.appwrite/prefs.json 
-rw-r--r-- 1 user user 613 Apr 21 18:28 /home/user/.appwrite/prefs.json

Remediation

The file permissions should be set to 0600 (read-write access to the owner of the file only) upon creation, and checked each time the file is read to display a error message in case of too permissive permissions just like what the OpenSSH client does for SSH private keys.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment