When using the login command, the Appwrite CLI tool stores the credentials of the Appwrite user in the ~/.appwrite/prefs.json file with 0644 as UNIX permissions. This is a security issue as it would allow any user of the local system to access those credentials.
- Install the latest version of the Appwrite CLI (2.0.2 at the time of writing).
- Log into an Appwrite instance using the appwrite login command.
- Check the permissions of the preferences file.
In practice:
❯ appwrite -v
2.0.2
❯ appwrite login
? Enter your email admin@redacted.com
? Enter your password ****************
? Enter the endpoint of your Appwrite server https://appwrite.redacted.com/v1
✓ Success
❯ ll ~/.appwrite/prefs.json
-rw-r--r-- 1 user user 613 Apr 21 18:28 /home/user/.appwrite/prefs.json
The file permissions should be set to 0600 (read-write access for the owner of the file only) upon creation, and checked each time the file is read so that an error message is displayed if the permissions are too permissive, just as the OpenSSH client does for SSH private keys.
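One way to implement this recommendation in Node.js, shown as an added example that is not the Appwrite CLI's own code. The function names savePrefs and loadPrefs are hypothetical, the stored values are constructed, and POSIX file modes are assumed.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Path from the report; overridable so the functions can be pointed at a test file.
const DEFAULT_PREFS = path.join(os.homedir(), '.appwrite', 'prefs.json');

// Write the preferences so that only the owner can read or write them.
function savePrefs(prefs, file = DEFAULT_PREFS) {
  fs.mkdirSync(path.dirname(file), { recursive: true, mode: 0o700 });
  // The mode given to open() only applies when the file is created and is
  // filtered by the umask, so it does not tighten an existing 0644 file.
  const fd = fs.openSync(file, 'w', 0o600);
  try {
    // Force 0600 on the (now empty) file before any secret is written to it.
    fs.fchmodSync(fd, 0o600);
    fs.writeFileSync(fd, JSON.stringify(prefs, null, 2));
  } finally {
    fs.closeSync(fd);
  }
}

// Refuse to use a preferences file that group or other users can access,
// in the spirit of the OpenSSH client's private key check.
function loadPrefs(file = DEFAULT_PREFS) {
  const fd = fs.openSync(file, 'r');
  try {
    // fstat on the open descriptor checks the same file that is read below.
    const perms = fs.fstatSync(fd).mode & 0o777;
    if (perms & 0o077) {
      throw new Error(
        `Permissions 0${perms.toString(8)} for '${file}' are too open; ` +
        'expected 0600. Run: chmod 600 on the file and log in again.'
      );
    }
    return JSON.parse(fs.readFileSync(fd, 'utf8'));
  } finally {
    fs.closeSync(fd);
  }
}
```

Calling fchmod before the write matters when upgrading from a version that created the file as 0644: the existing file is truncated, tightened, and only then filled with credentials.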